SocGholish Malware: A Technical Exploration

Explore the SocGholish malware family's operations and defenses in this in-depth analysis.

Explore the SocGholish malware family's operations and defenses in this in-depth analysis.

Monday, 10 June, 2024

SocGholish Malware
SocGholish Malware
SocGholish Malware

"SocGholish" is a malware family that first discovered in 2018, primarily functioning as a downloader. It gains access to systems through malicious JavaScript code embedded within compromised websites. Upon infiltration, Socgholish executes its primary function: downloading additional malware payloads onto the infected machine. 

Among the diverse range of malware it can procure, ransomware is a notable example. This multifaceted nature underscores the severity of its threat, as it facilitates the delivery and execution of malicious software with the potential for significant harm to compromised systems and data.

File Details:

Hash     : 2d5aaa92c6ef0dd6da82b763511a810dc96bdc40b29394a9a2098d1e4c0d2f7b
Magic    : C source, ASCII text, with very long lines (3732u)
Filename : malicious_41191.js
FileType : JavaScript
Size     : 160.00 KB (163841 bytes)

How does it work?

SocGholish employs a deceptive tactic to infiltrate into the systems, Commonly referred to as FakeUpdates. It begins by redirecting visitors with a compromised website, where users are prompted to download what appears to be a necessary update for their browser or other commonly used software., One of the best known is "Google Chrome Browser updates".

Unwittingly, users who fall for the "update" inadvertently execute a malicious JavaScript payload, thereby initiating the attack. This technique capitalizes on user’s trust in routine software updates, exploiting their unsuspecting nature to facilitate the malware's entry into their systems.

Technical Analysis of SocGholish:

JavaScript serves as a versatile programming language, primarily employed to craft interactive and dynamic content within web pages. Supported widely by web browsers, it empowers developers to enhance user experiences with features such as animations, form validation, and seamless page updates without requiring a full page reload.

Malware authors frequently exploit JavaScript's extensive support and capability to execute code directly within web browsers. They often leverage JavaScript as an initial vector for delivering malicious files. This is achieved through the insertion of malicious JavaScript code into compromised websites or email attachments, which exploits vulnerabilities within users' browsers or web applications, thus enabling attacks without requiring user interaction.

SocGholish - Malicious Javascript Content:

To understand how the code works, let's debug the JavaScript using Chrome’s Developer tool.

  • Open Chrome, access the inspect element feature, and navigate to the Source tab.

  • Load the JavaScript file and execute it. Subsequently, observe any errors reported in the console.

Obtained Errors:

  • Set breakpoint on the each errors and observer the changes in the breakpoint console.

  • Here, I set breakpoint on the Eval functions, Create-object, and return values.

  • After setting the breakpoints, proceed to step into the subsequent functions.

  • If you want to view in separate window, Click on the ReferenceErrors.

Common APIs used by SocGholish:

CreateWindowExA, MessageBoxW, RtlUserThreadStart, SysAllocString, LdrInitializeThunk,
FatalExit, LoadTypeLibEx, RtlAllocateHeap, SaferIdentifyLevel, LoadRegTypeLib, 
PostMessageA, SendMessageA, encodeURIComponent, decodeURIComponent, getEncodedData
and setCampaignMarkerCookie

Obtained URL and it’s Sandbox Results:

AV sandboxes analyze any suspicious URLs within controlled environments to evaluate their effects on systems and networks. Analyzing sandbox results enables us to know whether the URL is associated with malware, phishing attempts, or other malicious activities. Here the obtained URL is marked as malware.

Conclusion:

In summary, JavaScript is crucial for making websites interactive and dynamic. But because it's widely used and can run code in web browsers, bad actors often use it to spread malware. They sneak malicious JavaScript code into hacked websites or email attachments, exploiting weaknesses in browsers or web apps to launch attacks without users even knowing. So, while JavaScript makes the web more exciting, it's important to stay alert and protect against potential dangers.

Happy Hunting !!