Malware Analysis

Came across a (relatively) new #SocGholish killchain.

After successfully passing the familiar WMI fingerprint check, another JS payload is returned.

This next payload performs additional WMI queries (see screenshot) and then sets up a beacon which repeatedly calls out to a C2, waiting to execute any response.

Including the deobfuscated beacon here - https://gist.github.com/rerednawyerg/aeb3870e7ad77d3f97ced6594e539592

#ioc #threatintel


asfgze[.]fun/f15.svg will return a PowerShell decode function, and a long string of encoded text.

The encoded text will be decoded and executed.

The nested PowerShell will generate a DGA domain and download more PowerShell using the following format:
<dga>.top/1.php?s=515

The response is another PowerShell decode function, and another long string of encoded text.

Follow the same process, and this time the nested PowerShell is a new victim check.

New #SocGholish logic check before payload delivery.

Passes a "key" value based on victim device attributes, and won't serve the payload if a virtual environment is detected.

@rmceoin This was found via the following series:

SocGholish Stage3 Server -->

asfgze[.]fun/f15.svg (executes PowerShell responses) -->

PowerShell Response -->
Nested PowerShell -->

<dga>.top/1.php?s=515 -->

PowerShell Response -->
Nested PowerShell -->

<dga>.top/2.php?id=<hostname>&key=<key>&s=515

Definitely similarities to AsyncRAT.
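One way to hunt for the staging chain above in proxy logs, as an added example that is not the author's code: it labels each request by the URL shapes quoted in the posts (the SVG-named loader, `<dga>.top/1.php?s=515`, `<dga>.top/2.php?id=<hostname>&key=<key>&s=515`) and flags clients that reached both DGA stages. The log line format, the client addresses and the DGA domain `qzxvlm.top` are constructed; only `asfgze[.]fun/f15.svg` and the URL shapes come from the posts.

```python
"""Detect the SocGholish PowerShell staging chain from the posts above in proxy
logs (added example, not the author's code; log format and DGA names constructed)."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Chain steps quoted in the posts:
#   <loader>/f15.svg                                -> PowerShell decoder + encoded blob
#   <dga>.top/1.php?s=515                           -> second decoder + encoded blob
#   <dga>.top/2.php?id=<hostname>&key=<key>&s=515   -> victim/VM check, then payload
SVG_LOADER = re.compile(r"^/f\d+\.svg$")   # f15.svg and f23.svg are the two seen

def classify_request(url: str) -> Optional[str]:
    """Label one URL as a chain step, or return None if it matches nothing."""
    p = urlsplit(url)
    host, qs = (p.hostname or ""), parse_qs(p.query)
    if SVG_LOADER.match(p.path):
        return "svg-loader"      # weak alone; only meaningful with later steps
    if not host.endswith(".top") or qs.get("s") != ["515"]:
        return None
    if p.path == "/1.php":
        return "dga-stage1"
    if p.path == "/2.php" and {"id", "key"}.issubset(qs):
        return "dga-stage2"      # carries hostname and the device-derived "key"
    return None

def scan_log(lines: List[str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group matching (timestamp, label, url) tuples by client address."""
    hits: Dict[str, List[Tuple[str, str, str]]] = {}
    for line in lines:
        ts, client, url = line.split()[:3]   # constructed format: ts client url
        label = classify_request(url)
        if label:
            hits.setdefault(client, []).append((ts, label, url))
    return hits

def chained_clients(hits: Dict[str, List[Tuple[str, str, str]]]) -> List[str]:
    """Clients that reached both DGA stages: the strongest signal in this chain."""
    return sorted(c for c, h in hits.items()
                  if {"dga-stage1", "dga-stage2"} <= {lbl for _, lbl, _ in h})

SAMPLE_LOG = [  # constructed lines; asfgze[.]fun and /f15.svg come from the posts
    "10:01:02 10.0.0.5 https://asfgze.fun/f15.svg",
    "10:01:09 10.0.0.5 https://qzxvlm.top/1.php?s=515",
    "10:01:15 10.0.0.5 https://qzxvlm.top/2.php?id=WS-0412&key=7a1f&s=515",
    "10:02:00 10.0.0.9 https://cdn.example.net/logo.svg",
    "10:02:30 10.0.0.9 https://ads.example.top/1.php?s=1",
]
```

Running `chained_clients(scan_log(SAMPLE_LOG))` returns only `10.0.0.5`; the `.svg` label on its own is deliberately not treated as an alert.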

Completed Part 3 of my personal #SocGholish series.

The article digs into the follow-up payloads delivered once the Update.js is executed on a victim machine.

Interestingly, I saw #NetSupport RAT and an unknown (to me) PowerShell C2 beacon be delivered together.

If anyone can shed more light on what the PowerShell beacon may be, it would be much appreciated! Seems to be inspired by #AsyncRAT, though.

Big thanks to @rmceoin for help along the way.

https://rerednawyerg.github.io/posts/malwareanalysis/socgholish_part3

SocGholish Series - Part 3 :: Reverse Engineering and Analysis

This is a continuation of my personal series on SocGholish (or FakeUpdates). At the conclusion of “SocGholish Series - Part 2”, I had obtained the primary, first stage JavaScript payload, titled Updates.js. In this writeup, I will execute the payload and observe the response(s) from the C2 server.

#SocGholish leads to #NetSupport RAT downloaded from --> http://wudugf[.]top/f23.svg

Credit to @rmceoin for the help getting the SocGholish C2 to respond.

C2: *.nodes.gammalambdalambda.org

@rmceoin inspired by your recent passion for SocGholish. Was playing around and noticed a stage 2 domain injected on the compromised site you've been poking at:

templates.jdlaytongrademaker[.]com

Payload leads to the C2: *.nodes.gammalambdalambda[.]org

Making this post to reference on ThreatFox.

#Ares Loader being dropped via #Citrix themed Google malvertising.

IOCs:
https://ctlrix[.]cc -->
https://www.cittrix-app[.]com/entar.php -->
https://www.cittrix-app[.]com/ares.exe

C2:
193.233.134[.]57

Similar in theme to this recent Cyware article:

https://cyware.com/news/aresloader-masquerades-as-citrix-project-to-drop-multiple-payloads-81f529df

AresLoader Masquerades as Citrix Project to Drop Multiple Payloads

Experts at Cyble laid bare AresLoader, a new type of loader that distributes multiple malware strains, including IcedID, Aurora Stealer, and Laplas Clipper.


After testing all variations, the C2 will always return the Meterpreter Python payload, with the appropriate configurations set depending on the method of initial communication.

https://github.com/rapid7/metasploit-payloads/blob/master/python/meterpreter/meterpreter.py


Py_Main will then parse the strings to determine which Python script it should use for communication with the C2.

It will then pass the IP, port, and chosen script to PyRun_SimpleString, which will perform the communication and execute the C2's response.