Dont Ghost the SocGholish: GhostWeaver Backdoor

This article discusses the infection chain of the SocGholish malware, also known as FakeUpdates, which utilizes a fake browser update mechanism for initial access. Following the initial infection, the obfuscated MintsLoader delivers a PowerShell backdoor named GhostWeaver that facilitates continuous communication and allows the deployment of various malicious plugins aimed at extracting sensitive user information, including browser credentials and cryptocurrency wallets. The attack is characterized by its targeting of systems outside of typical corporate environments, highlighting the financial motivations driving these cyber threats.
Affected: SocGholish malware, FakeUpdates, browsers (Brave, Chrome, Firefox, Edge), Outlook, cryptocurrency wallets.

Key points:

  • The infection begins with a fake browser update delivered through compromised websites.
  • The initial payload is an obfuscated JavaScript file that retrieves the MintsLoader.
  • MintsLoader executes a PowerShell command that installs the GhostWeaver backdoor.
  • GhostWeaver establishes authenticated communication with its command-and-control (C2) server.
  • It employs techniques such as a domain generation algorithm (DGA) and bypassing certificate validation.
  • Several plugins target sensitive information including browser credentials and cryptocurrency wallets.
  • The Formgrabber plugin uses web injection techniques and manipulates JA3 fingerprints to evade detection.
  • The attack involves sophisticated methods for targeting non-Active Directory environments.
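One way a defender might triage the script-host-to-PowerShell stage described in these key points, as an added example that is not part of the original article. The event shape (Sysmon-like process-creation fields), the pattern names and the sample events are constructed assumptions, not indicators taken from the article.

```python
# Added example (not from the article): a small triage rule for process-creation
# telemetry that flags a script host (the fake-update JavaScript stage) spawning
# PowerShell with flags and strings typical of loader stages.
# The events below are constructed samples in a Sysmon-like shape, not real data.
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Heuristics a defender would tune: hidden/encoded execution, policy bypass, and the
# .NET hook commonly used to disable TLS certificate validation from PowerShell.
SUSPICIOUS_PATTERNS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "cert_validation_bypass": re.compile(r"ServerCertificateValidationCallback", re.I),
    "bypass_policy": re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I),
}


def triage_event(event: dict) -> list:
    """Return the reasons this process-creation event looks like the JS -> PowerShell
    loader stage; an empty list means nothing matched."""
    reasons = []
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if image != "powershell.exe":
        return reasons
    if parent in SCRIPT_HOSTS:
        reasons.append(f"powershell spawned by script host {parent}")
    cmd = event.get("CommandLine", "")
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        if pattern.search(cmd):
            reasons.append(name)
    return reasons


def triage(events: list) -> list:
    """Return (ProcessId, reasons) for every event with at least two independent hits."""
    hits = []
    for event in events:
        reasons = triage_event(event)
        if len(reasons) >= 2:
            hits.append((event.get("ProcessId"), reasons))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not from the article
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\System32\wscript.exe", "Image": PS,
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc " + "QQBBAEEA" * 5},
    {"ProcessId": 4388, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe Get-ChildItem C:\\Users"},
    {"ProcessId": 5012, "ParentImage": r"C:\Windows\System32\wscript.exe", "Image": PS,
     "CommandLine": 'powershell.exe -w hidden -c "<constructed stage referencing ServerCertificateValidationCallback>"'},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(pid, reasons)
```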

MITRE Techniques:

  • T1203 – Exploitation for Client Execution: The malware uses fake browser updates and malicious JavaScript files to gain access.
  • T1059.001 – Command and Scripting Interpreter: PowerShell is used for executing various commands and scripts during later stages of the infection.
  • T1071 – Application Layer Protocol: The GhostWeaver backdoor communicates with its C2 server using standard application protocols.
  • T1583 – Acquire Infrastructure: The threat actors set up domains and the associated infrastructure to support ongoing operations.
  • T1047 – Windows Management Instrumentation: The malware leverages WMI for various operational tasks.
  • T1537 – Transfer Data to External Location: The malware exfiltrates harvested data back to the C2 servers.

Indicators of Compromise:

  • [URL] miutubzxe[.]top/f78.svg
  • [URL] hxxps://cdns-clfr-dns[.]com/jquery?SF2LO=…
  • [IP Address] 64.52.80[.]211
  • [Domain] ns*.he.net
  • [Domain] web3-authframe[.]top

Full Story: https://medium.com/@traclabs_/dont-ghost-the-socgholish-ghostweaver-backdoor-574154dd9983?source=rss——reverse_engineering-5