There's a new player in the 'fake updates' arena. Thanks to @rmceoin for initially posting about it here.

Blog link: https://www.malwarebytes.com/blog/threat-intelligence/2023/07/socgholish-copycat-delivers-netsupport-rat

#FakeUpdates #FakeSG #SocGholish

Linked article (Malwarebytes): FakeSG enters the 'FakeUpdates' arena to deliver NetSupport RAT
"Over 5 years ago, we began tracking a new campaign that we called FakeUpdates (also known as SocGholish) that used compromised..."
@jeromesegura @rmceoin SMB to any non-private IP isn’t a thing anyone should be able to do without really wanting to; you should have to change a group policy to enable it or something…
@terribleplan @jeromesegura as far as I can tell WebDAV uses http not smb.
@rmceoin @jeromesegura I assumed since it was \\$IP\$FILE that it was SMB, as WebDAV should still show as an http(s) address. I could be wrong about that though… (I am only referring to the one image that shows a “run” prompt)
@terribleplan @rmceoin here’s a better look at the traffic and the protocols.
@jeromesegura @terribleplan @rmceoin Have they moved on from js droppers then?

@defender @jeromesegura @terribleplan Possibly. The #SocGholish TA still first lands a JS that collects info about the victim. Up until July 17th I saw them switching to PS after that JS collection. But I haven't seen them do anything more than collect the info. Looks like this.

(Compromised site)
-->
greedyfines[.]org/GRzk7JSP (Keitaro)
-->
sandwiches.tropipackfood[.]com/I9tOCVj5LWBH+XQ7FehiK1H5dCtHvjhxUqlsdA== (SocGholish TDS)
-->
lmd.plan.gemmadeealexander[.]com/editContent (SocGholish JS C2)

Going direct to the PS hop still works for me. For example just now it does this chain.

hXXp://asfgze[.]fun/f23.svg
-->
hXXp://kedkejehiciellf[.]top/1.php (DGA)
-->
hXXp://kedkejehiciellf[.]top/2.php (DGA)
-->
hXXps://dprn0jmb1nag5t9[.]top:14235 (PowerShell C2)

The #FakeSG TA doesn't do JS or PS. They simply land NetSupport. The chain from a few minutes ago.

(Compromised site)
-->
google-analytiks[.]com/sBY76j (Keitaro)
-->
alexiakombou[.]com/wp-content/uploads/2022/01/downloader(updchr(V104.215.214)silent.url ()
-->
hXXp://185[.]252.179.64@80/Downloads/silentupdater-chr(v105).lnk ()
-->
alexiakombou[.]com/wp-content/uploads/2021/12/EN-localer.hta (HTA)
-->
hxxps://94[.]158.244.41:443 (NetSupport)

I'm wondering if the SocGholish TA is on vacation. They usually rotate parts of the chain at least once a week and I haven't seen a change since July 20th. That and the JS to PS hasn't worked since July 17th, at least not for me.

Quoted post from Monitor SG (@[email protected]) on Infosec Exchange:
New #SocGholish #KeitaroTDS: surelytheme[.]org/ZcqVjVQ1 surelytheme[.]org 91[.]103.253.14
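Added defender-side example, not code from the thread or from Malwarebytes: a small Python triage helper that refangs the hop notation used in the posts above, recognises the Windows WebDAV UNC form `\\host@80\...` that the Run-prompt discussion turns on (the `@80` suffix is the mini-redirector's "WebDAV over HTTP port 80" syntax, not SMB), and flags hops that deliver .url/.lnk/.hta payloads. The sample chain is the FakeSG chain quoted above; the function names and the RISKY_EXT list are my own assumptions.

```python
import os
import re
from urllib.parse import urlsplit

# Constructed sample: the FakeSG hops quoted in the thread, in defanged analyst notation.
FAKESG_CHAIN = [
    "google-analytiks[.]com/sBY76j",
    "alexiakombou[.]com/wp-content/uploads/2022/01/downloader(updchr(V104.215.214)silent.url",
    "hXXp://185[.]252.179.64@80/Downloads/silentupdater-chr(v105).lnk",
    "alexiakombou[.]com/wp-content/uploads/2021/12/EN-localer.hta",
    "hxxps://94[.]158.244.41:443",
]

# Payload types a browser "update" prompt has no business delivering (assumed list).
RISKY_EXT = {".lnk", ".hta", ".url", ".js", ".ps1"}


def refang(ioc: str) -> str:
    """Undo defanging (hXXp -> http, [.] -> .) and turn UNC backslashes into slashes."""
    s = ioc.strip().replace("\\", "/")
    s = re.sub(r"^h[xX]{2}p(s?)://", r"http\1://", s)
    return s.replace("[.]", ".").replace("[:]", ":")


def classify_hop(ioc: str) -> dict:
    """Name the transport, host, port and file type of one hop in a delivery chain."""
    url = refang(ioc)
    if "://" not in url:
        # A bare "//host/..." is the UNC form typed into a Run prompt; treat it as http.
        url = ("http:" if url.startswith("//") else "http://") + url
    parts = urlsplit(url)
    # Windows WebDAV mini-redirector syntax is \\host@port\share (or host@SSL): the
    # "@80" in the thread means HTTP WebDAV on port 80, not SMB on 445. urlsplit
    # would otherwise read the address as a username and "80" as the host.
    dav = re.fullmatch(r"([^@:/]+)@(\d+|SSL)", parts.netloc)
    if dav:
        host = dav.group(1)
        port = 443 if dav.group(2) == "SSL" else int(dav.group(2))
        transport = "webdav-https" if dav.group(2) == "SSL" else "webdav-http"
    else:
        host = parts.hostname or ""
        port = parts.port or (443 if parts.scheme == "https" else 80)
        transport = parts.scheme
    ext = os.path.splitext(parts.path)[1].lower()
    return {"host": host, "port": port, "transport": transport, "path": parts.path,
            "ext": ext, "review": ext in RISKY_EXT or transport.startswith("webdav")}


def triage(chain: list[str]) -> list[dict]:
    """Classify every hop; hops with review=True are where a detection should fire."""
    return [classify_hop(h) for h in chain]
```

Feeding the same helper a Run-prompt string such as `\\185.252.179.64@80\Downloads\x.lnk` yields the identical WebDAV-over-HTTP classification as the defanged URL form, which is the point of the WebDAV-versus-SMB exchange above.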