Fake update puts visitors at risk

July 24, 2024, 8:17 a.m.

Description

This intelligence report discusses SocGholish, a JavaScript-based downloader that threat actors deliver through fake browser-update lures planted on compromised websites. It analyzes recent tactics, techniques, and procedures employed by threat groups such as Evil Corp: compromising WordPress sites to inject the loader script, fingerprinting visitors' browsers and systems, and directing victims to malicious domains hosting the fake updates. The report also explores payloads delivered through SocGholish, including Cobalt Strike, Zloader, information stealers, remote access trojans, and ransomware.

Date

  • Created: July 24, 2024, 8:09 a.m.
  • Published: July 24, 2024, 8:09 a.m.
  • Modified: July 24, 2024, 8:17 a.m.

Indicators

  • SHA-256: f0fbc29c86cd84ac18aeeee38de05c32fee95d6fa49425021ce0e3d3b13d2d05
  • SHA-256: 78ddcf7ce945cfa92e640c53462174b21601506b39dec9731212d7d4ef8aa74d
  • IPv4: 158.160.11.208
  • URL: http://africa.thesmalladventureguide.com/7nwh~
  • Domain: sticky.oystergardening.name
  • Domain: tropicalforestproducts.com
  • Domain: supremeceilings.co.za
  • Domain: rastek.id
  • Domain: asyncawaitapi.com
  • Domain: gitbrancher.com
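The indicator list above mixes file hashes, an IP address, a URL and bare domains, so a practitioner has to normalise each type before it can be matched against telemetry. The following Python is an added example, not code from the report or its authors: it classifies each indicator by shape, builds per-type lookup sets (treating the host of the URL indicator as a domain indicator as well, a design choice rather than anything the report states), and scans a handful of constructed log lines in a simple key=value shape. The log lines are invented for the example and are not real telemetry.

```python
import re
from urllib.parse import urlsplit

# Indicators copied verbatim from the report's Indicators list above.
REPORT_INDICATORS = [
    "f0fbc29c86cd84ac18aeeee38de05c32fee95d6fa49425021ce0e3d3b13d2d05",
    "78ddcf7ce945cfa92e640c53462174b21601506b39dec9731212d7d4ef8aa74d",
    "158.160.11.208",
    "http://africa.thesmalladventureguide.com/7nwh~",
    "sticky.oystergardening.name",
    "tropicalforestproducts.com",
    "supremeceilings.co.za",
    "rastek.id",
    "asyncawaitapi.com",
    "gitbrancher.com",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
IPV4_RE = re.compile(r"^((?:\d{1,3}\.){3}\d{1,3})(?::\d{1,5})?$")  # optional :port
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}\.?$", re.IGNORECASE)


def classify(ioc):
    """Classify an indicator by shape: sha256, ipv4, url, domain or unknown."""
    if SHA256_RE.match(ioc):
        return "sha256"
    if IPV4_RE.match(ioc):
        return "ipv4"
    if "://" in ioc:
        return "url"
    return "domain" if DOMAIN_RE.match(ioc) else "unknown"


def build_matcher(indicators):
    """Bucket indicators into normalised sets so each lookup is a set membership test."""
    hashes, ips, domains, urls = set(), set(), set(), set()
    for ioc in indicators:
        kind = classify(ioc)
        if kind == "sha256":
            hashes.add(ioc.lower())
        elif kind == "ipv4":
            ips.add(IPV4_RE.match(ioc).group(1))
        elif kind == "domain":
            domains.add(ioc.lower().rstrip("."))
        elif kind == "url":
            urls.add(ioc)
            # Design choice (not from the report): the URL's host is also a domain
            # indicator, so other paths on the same host are flagged too.
            domains.add(urlsplit(ioc).hostname.lower())
    return hashes, ips, domains, urls


def domain_hit(hostname, domains):
    """Return the listed domain equal to hostname or one of its parents, else None."""
    hostname = hostname.lower().rstrip(".")
    for d in domains:
        if hostname == d or hostname.endswith("." + d):
            return d
    return None


def scan_value(value, matcher):
    """Check one log field value against every indicator type; return (kind, ioc) or None."""
    hashes, ips, domains, urls = matcher
    v = value.strip()
    if SHA256_RE.match(v) and v.lower() in hashes:
        return ("sha256", v.lower())
    ip = IPV4_RE.match(v)
    if ip:  # IP with or without port; only the address is compared
        return ("ipv4", ip.group(1)) if ip.group(1) in ips else None
    if "://" in v:
        if v in urls:
            return ("url", v)
        host = urlsplit(v).hostname
        d = domain_hit(host, domains) if host else None
        return ("domain", d) if d else None
    if DOMAIN_RE.match(v):
        d = domain_hit(v, domains)
        return ("domain", d) if d else None
    return None


def scan_logs(lines, matcher):
    """Return (line_index, kind, ioc) for every key=value field that matches an indicator."""
    hits = []
    for i, line in enumerate(lines):
        for token in line.split():
            if "=" not in token:
                continue
            hit = scan_value(token.split("=", 1)[1], matcher)
            if hit:
                hits.append((i, hit[0], hit[1]))
    return hits


# Constructed sample log lines ("source key=value ..."); invented for this example.
CONSTRUCTED_LOGS = [
    "dns query=sticky.oystergardening.name client=10.0.0.12",
    "dns query=cdn.tropicalforestproducts.com client=10.0.0.15",
    "proxy url=http://africa.thesmalladventureguide.com/7nwh~ client=10.0.0.12",
    "proxy url=https://www.example.com/update.js client=10.0.0.7",
    "net dst=158.160.11.208:443 client=10.0.0.12",
    "edr sha256=F0FBC29C86CD84AC18AEEEE38DE05C32FEE95D6FA49425021CE0E3D3B13D2D05 host=WS-0012",
    "edr sha256=0000000000000000000000000000000000000000000000000000000000000000 host=WS-0013",
]

if __name__ == "__main__":
    for line_no, kind, ioc in scan_logs(CONSTRUCTED_LOGS, build_matcher(REPORT_INDICATORS)):
        print(f"line {line_no}: {kind} match on {ioc}")
```

Two details matter in practice and are handled above: hashes are compared case-insensitively, because EDR products disagree on hex case, and domain matching is by suffix, so a subdomain of a listed domain (cdn.tropicalforestproducts.com in the constructed lines) is still caught while an unrelated host such as www.example.com is not.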

Related Malware, Tools and Threat Actors

The entries below are the malware families, tools and intrusion set referenced by the report; S-numbers are MITRE ATT&CK software IDs.

  • Egregor - S0554 (ransomware)
  • Ryuk - S0446 (ransomware)
  • BadSpace (backdoor)
  • Lumma Stealer (information stealer)
  • Zloader (loader / banking trojan)
  • NetSupport RAT (remote access trojan)
  • SocGholish (JavaScript downloader)
  • Redline Stealer (information stealer)
  • Cobalt Strike - S0154 (post-exploitation framework)
  • Evil Corp (threat group)