Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
- Socgholish, a drive-by social engineering threat distributed through fake software updates.
- In a typical scenario, a victim is presented with a fake software update while browsing the web. The malware is delivered as a .zip file containing an executable or script file that is executed by the user.
- In this incident, the victim retrieved and executed a script file (Chrome.Quick.Update.ver.103.87.87707.js) believing it to be a legitimate update for their web browser.
- Once executed, the script contacted https://ca16a9a0[.]official[.]stradlings[.]com/pixel.png (Figure 1) and then executed a series of discovery commands using built-in Windows commands (Figure 2).
- Following the discovery commands, a second script was executed, which wrote a Cobalt Strike DLL masquerading as a VMware binary to the disk (vgauthservice.dll, ecf77ba093cea883fcc736f4b62f4605). The script launched it using Regsvr32 before adding it to the startup folder for persistence.
- Once executed, vgauthservice.dll contacted optiontradingsignal[.]com, a known Cobalt Strike host, and conducted a second round of discovery commands followed by a Kerberoasting attack.
Figure 1 Snippet of the obfuscated Socgholish script responsible for contacting the C2 () Figure 2 Discovery commands executed by Socgholish.
How did we find it?
- MDR for Endpoint identified multiple stages of the attack, including the initial script execution, discovery and Cobalt Strike deployment via Regsvr32.
- MDR for Log identified the Kerberoasting attack.
What did we do?
- Our 24/7 SOC Cyber Analysts triaged the events and contained the threat before alerting the customer.
- The case was escalated to our incident handling team for further analysis and remediation actions.
What can you learn from this TRU positive?
- Socgholish is considered a drive-by social engineering threat through which malware is delivered to the target opportunistically during web browsing sessions. This threat uses fake software updates to lure victims into executing code. However, software exploits are not utilized as part of the initial code delivery and execution.
- eSentire’s observation of drive-by threats such as Socgholish, Gootkit Loader and Solarmarker are on the rise. Both Socgholish and Gootkit Loader have been linked to follow-on attacks initiated through Cobalt Strike payloads.
- If left undisturbed, these infections can quickly transition to hands-on-keyboard intrusions. Once at this stage, threat containment and eradication become more complex given the adaptability of a human attacker to the target environment.
- In this case, Cobalt Strike was deployed in just over 10 minutes from the initial Socgholish infection (Figure 3).
Recommendations from our Threat Response Unit (TRU) Team:
- Using Phishing and Security Awareness Training (PSAT), educate your employees regarding the risk of Socgholish and, more broadly, the cybersecurity risks associated with unsolicited software updates while browsing the web.
- Users must ensure your downloaded content is what they intended and that it originated from a legitimate source. Software applications such as web browsers will notify users about updates within the application itself, not through arbitrary websites. If they open or execute suspicious files, empower them to escalate to your internal IT security team immediately.
- Ensure standard procedures are in place for employees to submit potentially malicious content for review.
- Use Windows Attack Surface Reduction rules to block JScript and VBScript from launching downloaded content.
- Employ an Endpoint Detection and Response (EDR) tool to help detect, isolate, and remediate cyber threats impacting your company’s endpoint devices.
- Leverage a multi-signal MDR approach to enable threat intelligence that drives deeper correlation and investigation to contain threats faster across your entire attack surface.
Ask Yourself…
- Does your security awareness program cover drive-by threats such as Socgholish?
- Do you have mitigations in place to prevent execution of internet-sourced script files?
- Does your security program include monitoring of drive-by attacks and post-infection actions including discovery techniques and second-stage payloads?
Indicators of Compromise
Indicator | Note |
tworoadsbrewing[.]com | Served Socgholish Payload |
14fbf3009f9f37149f408e99cffd4931 | Socgholish Payload |
ca16a9a0[.]official[.]stradlings[.]com | Socgholish C2 |
ECF77BA093CEA883FCC736F4B62F4605 | Cobalt Strike |
optiontradingsignal[.]com | Cobalt Strike C2 |
eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.
Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Cybersecurity Specialist.
Source: https://www.esentire.com/blog/socgholish-to-cobalt-strike-in-10-minutes