Fake update puts visitors at risk

July 24, 2024, 8:17 a.m.

Description

This intelligence report discusses SocGholish, a JavaScript downloader used by threat actors to deliver malware payloads disguised as fake browser updates. It analyzes the recent tactics, techniques, and procedures employed by threat groups like Evil Corp in compromising WordPress websites, fingerprinting user profiles, and directing victims to malicious domains hosting the fake updates. The report also explores potential payloads delivered through SocGholish, such as Cobalt Strike, Zloader, information stealers, remote access trojans, and ransomware.

External References

https://www.gdatasoftware.com/blog/2024/07/37976-socgholish-fake-update
https://otx.alienvault.com/pulse/66a0b6ae897ad74c0bb8bfe8
Tags
malware
cobalt strike
zloader
lumma stealer
socgholish
wordpress
downloader
redline stealer
2024-07-24
netsupport rat
egregor
ryuk
fake update
badspace

Date

  • Created: July 24, 2024, 8:09 a.m.
  • Published: July 24, 2024, 8:09 a.m.
  • Modified: July 24, 2024, 8:17 a.m.

Indicators

  • f0fbc29c86cd84ac18aeeee38de05c32fee95d6fa49425021ce0e3d3b13d2d05
  • 78ddcf7ce945cfa92e640c53462174b21601506b39dec9731212d7d4ef8aa74d
  • 158.160.11.208
  • http://africa.thesmalladventureguide.com/7nwh~
  • sticky.oystergardening.name
  • tropicalforestproducts.com
  • supremeceilings.co.za
  • rastek.id
  • asyncawaitapi.com
  • gitbrancher.com
Download all indicators here!

Attack Patterns

  • Egregor - S0554
  • Ryuk - S0446
  • BadSpace
  • Lumma Stealer
  • Zloader
  • NetSupport RAT
  • SocGholish
  • Redline Stealer
  • Cobalt Strike - S0154
  • Evil Corp