Researchers at Proofpoint revealed more technical details about SocGholish, the malware variant they identified earlier this month, highlighting its noteworthy tactics that differ from traditional phishing campaigns.
According to a Proofpoint blog post Tuesday, SocGholish deviates from the norm by forgoing all the classic staples of modern phishing, such as instilling a sense of urgency, promising rewards, and misdirection. Instead, researchers found that SocGholish is delivered through script injections on legitimate websites, with the compromised organization's own email traffic and search ranking bringing visitors to the infected pages; the injections mainly target organizations with extensive marketing campaigns or strong search engine optimization.
“[SocGholish] really is sophisticated. I do not like to use the word ‘sophisticated’ when it comes to threats in general, but this actor [along with] its development lifecycle and various techniques really are head and shoulders above other actors,” Andrew Northern, senior threat researcher at Proofpoint, said during a virtual event on Tuesday.
Drew Schmitt, managing security consultant and lead analyst at GuidePoint Security, expanded on that point, telling SC Media in an email that SocGholish hasn’t been observed using this attack vector before, and that its email-based attacks combined with download-style infections “is unique in the sense that it explicitly avoids having characteristics that the average user would be able to detect and identify.”
Proofpoint researchers told SC Media that the threat actor is not directly targeting the media industry but using these companies as their delivery mechanisms. The intended victims are consumers who visit those sites.
“The actors are opportunistic and will inject the scripts wherever they can: into landing pages, into third-party styling resources, trackers, and scripts,” said Sherrod DeGrippo, VP of threat research and detection at Proofpoint. “They rely on the compromised entity being a legitimate organization and natural email traffic, such as newsletters, marketing efforts, and bulletins, to drive traffic to those sites. In the case of online news outlets, articles are often optimized for search engines, so ad hoc searching would also lead potential victims to the compromised sites.”
Matthew Fulmer, manager of cyber intelligence engineering at Deep Instinct, added that SocGholish is notable because it is not just an attack to gain credentials but one that seeks persistence and lateral movement in order to drop additional malware payloads, which could include ransomware or other threats.
Tuesday’s virtual session also highlighted how the group has applied injection strobing, a technique that adds, removes, and re-adds injections to evade detection and prevent analysis.
Northern said that one potential motivation for TA569, the actor Proofpoint tracks behind SocGholish, to manipulate injected hosts is to confuse incident responders and prevent them from analyzing the malware. He said that it could also be a result of the attackers having met their quota for delivering other payloads.
“There are a lot of reasons why they may be serving these injections, but the key takeaway here is that you shouldn’t be quick to say that this is a false positive,” Northern said. “If you are a responder and you say this is a false positive because you cannot find it, you are going to discount the follow-on steps of checking that host to see if there are any lateral movements.”
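Because a strobing injection may be gone by the time a responder fetches the page, a point-in-time check is not enough. The following PowerShell script is an added example (not part of the Proofpoint research or this article) of the kind of monitor a site owner can run on a schedule: it snapshots the external script hosts referenced by a page, keeps a cumulative history across runs, and reports any host outside an allowlist whether or not it is present right now. The URL, allowlist and state-file path are assumptions to be replaced with your own values.

```powershell
# Added example, not from Proofpoint or SC Media. Run periodically (e.g. a scheduled task)
# against a page you own so that an injection which is added, removed and re-added still
# leaves a trail in the saved history.
param(
    [string]$Url = 'https://www.example.com/',                         # assumed: page to watch
    [string]$StatePath = "$env:TEMP\script-inventory.json",            # assumed: where history is kept
    [string[]]$Allowlist = @('www.example.com', 'cdn.example.com')     # assumed: your legitimate script hosts
)

function Get-ScriptHosts {
    param([string]$Html, [string]$BaseUrl)
    # Pull src attributes from <script> tags and reduce them to hostnames. Relative and
    # protocol-relative sources are resolved against the page URL.
    $pattern = '<script[^>]*\ssrc\s*=\s*["'']([^"'']+)["'']'
    [regex]::Matches($Html, $pattern, 'IgnoreCase') | ForEach-Object {
        $src = $_.Groups[1].Value
        try { [uri]::new([uri]$BaseUrl, $src).Host.ToLowerInvariant() } catch { $src }
    } | Sort-Object -Unique
}

$html    = (Invoke-WebRequest -Uri $Url -UseBasicParsing).Content
$now     = Get-Date -Format o
$current = @(Get-ScriptHosts -Html $html -BaseUrl $Url)

# Load the cumulative history (host -> first_seen, last_seen, sightings).
$history = @{}
if (Test-Path $StatePath) {
    foreach ($r in (Get-Content $StatePath -Raw | ConvertFrom-Json)) {
        $history[$r.host] = @{ first_seen = $r.first_seen; last_seen = $r.last_seen; sightings = [int]$r.sightings }
    }
}

# Merge this run's observations into the history.
foreach ($h in $current) {
    if ($history.ContainsKey($h)) {
        $history[$h].last_seen = $now
        $history[$h].sightings++
    } else {
        $history[$h] = @{ first_seen = $now; last_seen = $now; sightings = 1 }
    }
}

# Report every host ever seen that is not allowlisted. An ABSENT entry is the strobing case:
# the injection is not on the page right now, but it was, so do not close it as a false positive.
foreach ($h in $history.Keys) {
    if ($Allowlist -notcontains $h) {
        $status = if ($current -contains $h) { 'PRESENT' } else { 'ABSENT now, but seen previously' }
        Write-Warning ("Unexpected script host {0}: {1}; first seen {2}, last seen {3}, {4} sighting(s)" -f
            $h, $status, $history[$h].first_seen, $history[$h].last_seen, $history[$h].sightings)
    }
}

# Persist the history for the next run (always written as a JSON array).
$records = @($history.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ host = $_.Key; first_seen = $_.Value.first_seen; last_seen = $_.Value.last_seen; sightings = $_.Value.sightings }
})
ConvertTo-Json -InputObject $records | Set-Content -Path $StatePath
```

The regex is deliberately simple; it is a monitoring heuristic, not an HTML parser, and inline scripts or scripts injected into third-party resources (which DeGrippo notes the actors also target) need the same treatment applied to those resources.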
To defend against the threat actors, Northern suggested organizations turn on logging for WMI event subscriptions, including the event filters (triggers) and consumers that make up a subscription, and centralize those logs in order to monitor post-exploitation activity.
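The following PowerShell script is an added example (not Proofpoint's or the article's) of how to act on that recommendation on a single Windows host: it enables the WMI-Activity operational log, whose Event ID 5861 records the registration of a permanent event consumer, enumerates the existing permanent subscriptions in the root\subscription namespace, and flags the consumer types that execute commands or scripts. Forwarding the log to a SIEM (Windows Event Forwarding or an agent) is assumed to be configured separately; Sysmon, if deployed, records the same objects as Event IDs 19, 20 and 21.

```powershell
# Added example, not from Proofpoint or SC Media. Run in an elevated PowerShell session.

# 1. Enable the WMI-Activity operational log. Event ID 5861 here is written when a
#    permanent event consumer is registered, which is the event worth centralizing.
wevtutil set-log 'Microsoft-Windows-WMI-Activity/Operational' /enabled:true

# 2. Enumerate the three parts of a permanent subscription: filter (trigger), consumer, binding.
$ns        = 'root\subscription'
$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)   # returns all consumer subclasses
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

# Consumer classes that run arbitrary code; a binding to one of these deserves review.
$executingTypes = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'

foreach ($b in $bindings) {
    # Filter and Consumer are object references; Get-CimInstance exposes their key property (Name).
    $filter   = $filters   | Where-Object Name -eq $b.Filter.Name
    $consumer = $consumers | Where-Object Name -eq $b.Consumer.Name
    $type     = if ($consumer) { $consumer.CimClass.CimClassName } else { 'UNKNOWN' }

    # Extract what the consumer would actually run.
    $payload = switch ($type) {
        'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
        'ActiveScriptEventConsumer' { if ($consumer.ScriptText) { $consumer.ScriptText } else { $consumer.ScriptFilename } }
        default                     { '' }
    }

    $record = [pscustomobject]@{
        Filter       = $b.Filter.Name
        Query        = if ($filter) { $filter.Query } else { '' }   # the WQL trigger condition
        Consumer     = $b.Consumer.Name
        ConsumerType = $type
        Payload      = $payload
        Flagged      = $executingTypes -contains $type
    }
    if ($record.Flagged) { Write-Warning "Code-executing WMI subscription: $($record.Consumer) ($type)" }
    $record
}

# 3. Pull recent consumer registrations from the log to correlate with the live inventory.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Legitimate software does register WMI subscriptions (management agents, for example), so the flagged output is a review list rather than a verdict; the useful signal for the strobing case Northern describes is a consumer registration in the centralized log on a host where the on-page injection can no longer be found.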
Schmitt warned that the detection of SocGholish malware is a stark reminder of the threat posed by supply chain attacks.
“Although not observed as often as other attack mechanisms, the controlled use of a supply chain compromise, as observed by SocGholish recently, may be an indication of an even more concentrated focus on leveraging supply chain attacks overall,” Schmitt said.