SocGholish's Intrusion Techniques Facilitate Distribution of RansomHub Ransomware

March 14, 2025, 7:30 p.m.

Description

SocGholish, a malware-as-a-service framework, is being used to deploy RansomHub ransomware. The operators compromise legitimate websites and redirect visitors to fake browser-update pages that deliver the malicious payload. The heavily obfuscated JavaScript loader evades detection and carries out reconnaissance, credential theft, and backdoor deployment; it can also download and execute further payloads, exfiltrate data, and run arbitrary commands. Water Scylla, the group behind this activity, collaborates with threat actors operating rogue Keitaro TDS instances for payload distribution. The attack chain spans multiple stages, from initial access through to ransomware deployment. Recent detections show the highest activity in the United States, primarily against government organizations.
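The chain above (user runs a fake browser update delivered as JavaScript, the loader then spawns cmd.exe or PowerShell for reconnaissance and payload download) can be expressed as a simple process-tree detection. The following is an added example and not code from the original report or from the vendor: it assumes the loader arrives as a .js file in a user-writable directory and is executed by the Windows Script Host (wscript.exe or cscript.exe), which the page does not state, and it runs over a constructed, Sysmon-style set of process-creation events rather than a real capture.

```python
"""Heuristic detection for a SocGholish-style delivery chain.

Added example, not from the original report. Events below are constructed
and shaped loosely like Sysmon Event ID 1 (process creation).
"""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # full command line
    user: str


@dataclass
class Finding:
    pid: int
    user: str
    js_path: str
    update_lure: bool                      # file name mentions "update"
    child_cmdlines: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Script host running a .js from a user-writable path AND spawning a
        # shell matches the chain on the page: user execution of the fake
        # update (T1204.002), JavaScript loader (T1059.007), then cmd or
        # PowerShell for recon and payload download (T1059.003 / T1059.001).
        return "high" if self.child_cmdlines else "low"


# Assumption: Windows Script Host executes the dropped .js file.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption: paths a browser download or archive extraction would land in.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(Downloads|Desktop)|AppData|Temp)\\", re.I)
JS_ARG = re.compile(r'"?([^"\s]+\.js)(?=["\s]|$)', re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one Finding per script-host process that ran a .js from a
    user-writable location; severity is raised if it spawned a shell."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings = []
    for e in events:
        if basename(e.image) not in SCRIPT_HOSTS:
            continue
        m = JS_ARG.search(e.cmdline)
        if not m or not USER_WRITABLE.search(m.group(1)):
            continue
        js_path = m.group(1)
        f = Finding(pid=e.pid, user=e.user, js_path=js_path,
                    update_lure="update" in basename(js_path))
        for c in children.get(e.pid, []):
            if basename(c.image) in SHELLS:
                f.child_cmdlines.append(c.cmdline)
        findings.append(f)
    return findings


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe", "CORP\\alice"),
    # fake "update" lure opened from Downloads, then recon via cmd/PowerShell
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\Downloads\Chrome_Update.js"', "CORP\\alice"),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c whoami /all & net group "Domain Admins" /domain', "CORP\\alice"),
    ProcEvent(301, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -NoProfile -WindowStyle Hidden -Command "Get-ComputerInfo"', "CORP\\alice"),
    # legitimate vendor logon script from Program Files: not flagged
    ProcEvent(400, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Program Files\Vendor\logon.js"', "CORP\\alice"),
    # .js from Downloads with no shell child: low-severity only
    ProcEvent(500, 100, r"C:\Windows\System32\cscript.exe",
              r"cscript.exe C:\Users\bob\Downloads\test.js", "CORP\\bob"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.severity, f.user, f.js_path, f.child_cmdlines)
```

The parent/child join is deliberately done on the collected batch rather than per event, so the same function works over a SIEM export or a Sysmon log pull; in production the allow-list for script paths and the user-writable pattern would be tuned to the environment.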

Date

  • Created: March 14, 2025, 10:16 a.m.
  • Published: March 14, 2025, 10:16 a.m.
  • Modified: March 14, 2025, 7:30 p.m.

Attack Patterns

  • RansomHub (ransomware)
  • SocGholish (malware)
  • Water Scylla (intrusion set)
  • T1608.004 Stage Capabilities: Drive-by Target
  • T1021.002 Remote Services: SMB/Windows Admin Shares
  • T1069.002 Permission Groups Discovery: Domain Groups
  • T1069.001 Permission Groups Discovery: Local Groups
  • T1003.002 OS Credential Dumping: Security Account Manager
  • T1059.006 Command and Scripting Interpreter: Python
  • T1135 Network Share Discovery
  • T1074.001 Data Staged: Local Data Staging
  • T1053.005 Scheduled Task/Job: Scheduled Task
  • T1482 Domain Trust Discovery
  • T1087.002 Account Discovery: Domain Account
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1572 Protocol Tunneling
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1552 Unsecured Credentials
  • T1095 Non-Application Layer Protocol
  • T1555 Credentials from Password Stores
  • T1070.004 Indicator Removal: File Deletion
  • T1204.002 User Execution: Malicious File
  • T1016 System Network Configuration Discovery
  • T1082 System Information Discovery
  • T1105 Ingress Tool Transfer
  • T1083 File and Directory Discovery
  • T1041 Exfiltration Over C2 Channel

Additional Information

  • Consulting
  • Banking
  • Government
  • Taiwan
  • Japan
  • United States of America