Don't Ghost the SocGholish: GhostWeaver Backdoor

Feb. 17, 2025, 11:24 a.m.

Description

The article details a sophisticated malware infection chain involving SocGholish, MintsLoader, and the GhostWeaver backdoor. The attack begins with a fake browser update, progressing through multiple stages to deploy a PowerShell backdoor and various plugins. These components work together to steal sensitive information, including browser credentials, cryptocurrency wallet data, and Outlook contents. The malware utilizes advanced techniques such as process injection, JA3 fingerprint manipulation, and web injection to evade detection and intercept user data. The attackers primarily target non-AD-joined machines, suggesting a focus on smaller organizations or individual users with weaker security measures.

Date

  • Created: Feb. 17, 2025, 11:10 a.m.
  • Published: Feb. 17, 2025, 11:10 a.m.
  • Modified: Feb. 17, 2025, 11:24 a.m.

Indicators


Attack Patterns

  • Juniper Stealer
  • GhostWeaver
  • FakeUpdates
  • SocGholish - S1124
  • BOINC
  • MintsLoader
  • NetSupport RAT
  • UNC4108