May 03, 2022

Tricks from SocGholish and Zloader

Industry: N/A | Level: Tactical | Source: Cybereason

In its latest report, Cybereason details the capabilities and infection tactics of the SocGholish and Zloader malware families, based on its tracking of both. SocGholish takes the "Soc" in its name from its social-engineering lure: a drive-by download, usually themed as a critical browser update. When the user clicks the lure, the payload arrives as a compressed archive; the user has to extract it and run the contained malicious JavaScript file for the infection to proceed, so the chain depends on manual execution rather than an exploit. Follow-up activity after a SocGholish infection typically involves the deployment of Cobalt Strike and, later, ransomware. Cybereason observed an uptick in VirusTotal submissions for SocGholish beginning in December 2021 and describes two infection chains, both of which lean heavily on reconnaissance commands to collect system information for exfiltration.

Zloader has typically been observed as an information stealer, harvesting credentials and other sensitive data, with backdoor capabilities that let operators compromise the host further and deploy ransomware such as Egregor and Ryuk. Zloader campaigns often masquerade as popular software to entice users into downloading a malicious MSI installer. Once the MSI runs, batch scripts are executed to collect system information and disable defenses such as Windows Defender.

  • Anvilogic Scenarios:
    • SocGholish – Post Infection Attack – V1
    • SocGholish – Post Infection Attack – V2
    • SocGholish – Post Infection Attack – V2.1
    • ZLoader Attack Chain with Delivery from MSI or Malicious Doc
  • Anvilogic Use Cases:
    • Utility Archive Data
    • Compressed File Execution
    • Wscript/Cscript Execution
    • Common Reconnaissance Commands
    • Common Active Directory Commands
    • Output to File
    • Suspicious Executable by CMD.exe
    • Rundll32 Command Line
    • Rare Remote Thread
    • SharpHound Enumeration
    • Rubeus Commands
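The two chains described above line up with several of the use cases listed (Compressed File Execution, Wscript/Cscript Execution, Common Reconnaissance Commands, Suspicious Executable by CMD.exe). The following Python is an added illustration of how that correlation can be expressed over process-creation telemetry; it is not Cybereason's analysis or Anvilogic's detection content. It walks a constructed set of Sysmon-style events (pid, ppid, image, command line) and flags (1) a script host launched from an archive-extraction path whose process tree then runs at least two reconnaissance commands, and (2) an msiexec install whose tree runs a .bat that performs reconnaissance or tampers with Defender. The extraction-path patterns, the reconnaissance command list, the Defender-tampering strings and every sample event are assumptions chosen for the example.

```python
"""Toy chain detection for SocGholish-style and Zloader-style process trees.

Added example; not Cybereason's or Anvilogic's content. Event schema, sample
events and all matching patterns are constructed for this illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the started process
    cmdline: str   # command line as logged


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed "run straight out of an archive" paths: Explorer's Temp1_<name>.zip\
# extraction folder and WinRAR's Rar$ temp folder. Extend to taste.
ARCHIVE_PATH = re.compile(r"\\temp\d*_[^\\]+\.zip\\|\\rar\$", re.I)
# Assumed recon command list (matches the report's "system information" theme).
RECON = {"whoami", "nltest", "net", "net1", "systeminfo", "ipconfig",
         "tasklist", "hostname", "qwinsta"}
# Assumed Defender-tampering fragments; real Zloader batch scripts vary.
DEFENDER_TAMPER = re.compile(
    r"set-mppreference\s+-disable|sc(\.exe)?\s+(stop|config)\s+windefend|disableantispyware",
    re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def descendants(events, root_pid):
    """Every event whose process descends from root_pid (breadth-first, cycle-safe)."""
    out, seen, frontier = [], {root_pid}, {root_pid}
    while frontier:
        nxt = [e for e in events if e.ppid in frontier and e.pid not in seen]
        seen.update(e.pid for e in nxt)
        out.extend(nxt)
        frontier = {e.pid for e in nxt}
    return out


def recon_commands(subtree):
    """Recon command names appearing anywhere in the subtree's command lines."""
    found = set()
    for e in subtree:
        for tok in e.cmdline.split():
            name = basename(tok.strip("\"'")).removesuffix(".exe")
            if name in RECON:
                found.add(name)
    return found


def detect_chains(events):
    """Return one finding per root process whose tree matches a chain."""
    findings = []
    for e in events:
        img = basename(e.image)
        sub = descendants(events, e.pid)
        recon = recon_commands(sub)
        # Chain 1: script host running a .js from an archive path, then recon.
        if (img in SCRIPT_HOSTS and ".js" in e.cmdline.lower()
                and ARCHIVE_PATH.search(e.cmdline) and len(recon) >= 2):
            findings.append({"chain": "socgholish_post_infection",
                             "root_pid": e.pid, "recon": sorted(recon)})
        # Chain 2: MSI install whose tree runs a .bat that recons or tampers with Defender.
        # Note: real MSI custom actions often run under the Windows Installer service
        # instance of msiexec rather than the user-launched one; correlate accordingly.
        if img == "msiexec.exe":
            bats = [c for c in sub if basename(c.image) == "cmd.exe" and ".bat" in c.cmdline.lower()]
            tamper = [c.cmdline for c in sub if DEFENDER_TAMPER.search(c.cmdline)]
            if bats and (recon or tamper):
                findings.append({"chain": "zloader_msi_delivery", "root_pid": e.pid,
                                 "recon": sorted(recon), "defender_tamper": tamper})
    return findings


# Constructed sample telemetry: one benign script, one SocGholish-like tree,
# one Zloader-like tree. File names are invented.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(110, 100, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" C:\Scripts\logon.js'),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\u\AppData\Local\Temp\Temp1_Browser.Update.zip\Browser.Update.js"'),
    ProcEvent(201, 200, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c whoami /all"),
    ProcEvent(202, 200, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c nltest /domain_trusts"),
    ProcEvent(203, 202, r"C:\Windows\System32\nltest.exe", r"nltest /domain_trusts"),
    ProcEvent(300, 100, r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\u\Downloads\PopularApp_Setup.msi"),
    ProcEvent(301, 300, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Users\u\AppData\Roaming\setup.bat"),
    ProcEvent(302, 301, r"C:\Windows\System32\systeminfo.exe", r"systeminfo"),
    ProcEvent(303, 301, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"),
]

if __name__ == "__main__":
    for f in detect_chains(SAMPLE_EVENTS):
        print(f)
```

The benign `logon.js` launch is not flagged because it neither runs from an archive path nor spawns reconnaissance; requiring two distinct recon commands under the script host is what keeps a single stray `whoami` from paging anyone. On real telemetry the parent/child links should come from the logging source's process GUIDs rather than raw PIDs, which are reused.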