- According to Mandiant, Socgholish was first spotted in the wild in December of 2017 as part of a fake browser update campaign.
- Depending on what browser the user is using (presumably determined by their `user-agent`), they are prompted to download and install the latest version. Here's an example:
- Originally, the payload was delivered as a `.js` file inside of a `.zip` archive, but over time, researchers began to see it being delivered in the wild as a plain `.js` file.
- Socgholish has been known to use an interesting technique to bypass detection based on string-matching. The threat actors replace characters in the file name with "lookalikes" from other languages.
- RedCanary writes:
- Proofpoint writes that historically the attack chain has typically concluded with either Cobalt Strike or various RATs, and sometimes ransomware.
- After unzipping the sample and opening it in Visual Studio Code, the script is visibly much smaller than a Gootloader script: this one comes in at only 76 lines of code.
- It is clearly obfuscated, but not too heavily.
- The script constructs a URL, sends HTTP POST requests, and processes the response.
- Lastly, it uses `eval` to execute the response of the `request` function, which presumably executes the code returned by the C2 server.
- Once de-obfuscated, the URL it communicates with is `168c39dd[.]apps.weightlossihp[.]com`.
- This specimen is a typical Socgholish sample that arrives to the end user as a `.js` file which, when executed via `cscript`, de-obfuscates the C2 URL and begins to communicate with `168c39dd[.]apps.weightlossihp[.]com` over HTTP.
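The lookalike-character file-name trick described above defeats naive string matching on names such as a fake browser update script. The following is an added detection example, not code from the original post or from any sample: it folds confusable non-Latin letters back to ASCII so a download-monitoring rule can match the lure pattern anyway. The confusables table, the lure words and the sample file names are constructed assumptions for this example.

```python
import unicodedata

# Confusables table constructed for this example (a small subset of Unicode's
# confusables data): non-Latin letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",   # Cyrillic lower
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u03bf": "o", "\u03b1": "a", "\u03c1": "p",   # Cyrillic upper, Greek
}
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".hta")

def char_script(ch):
    """Rough script of a letter taken from its Unicode name ('LATIN', 'CYRILLIC', ...)."""
    if not unicodedata.category(ch).startswith("L"):
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def analyse_filename(filename):
    """Fold lookalike characters back to ASCII and report which ones were found."""
    flagged, skeleton = [], []
    for pos, ch in enumerate(filename):
        folded = unicodedata.normalize("NFKC", ch)  # fullwidth forms, ligatures
        if ch in CONFUSABLES or folded != ch:
            flagged.append((pos, ch, unicodedata.name(ch, "?")))
            skeleton.append(CONFUSABLES.get(ch, folded))
        else:
            skeleton.append(ch)
    scripts = {s for s in map(char_script, filename) if s}
    return {"skeleton": "".join(skeleton), "flagged": flagged,
            "mixed_script": len(scripts) > 1}

def detection_reasons(filename, lure_words=("update", "chrome", "firefox", "edge")):
    """Reasons a downloaded file name should be flagged; an empty list means clean."""
    info = analyse_filename(filename)
    lowered = info["skeleton"].lower()
    reasons = []
    if info["flagged"]:
        reasons.append("lookalike characters: " + ", ".join(n for _, _, n in info["flagged"]))
    if info["mixed_script"]:
        reasons.append("mixed scripts in one name")
    if lowered.endswith(SCRIPT_EXTS) and any(w in lowered for w in lure_words):
        reasons.append("browser-update lure with a script extension")
    return reasons

# Constructed sample names (not from the page); the second one carries Cyrillic
# 'о' (U+043E) and 'а' (U+0430) in place of the Latin letters.
SAMPLES = ["Chrome.Update.js", "Chr\u043eme.Upd\u0430te.js", "report.pdf"]
REPORT = {name: detection_reasons(name) for name in SAMPLES}
```

Matching on the folded `skeleton` rather than the raw name is what lets a rule written for `Chrome.Update.js` still fire on the homoglyph variant.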