SocGholish Malware Exploits TDS Networks to Target Victims

VTA-004531 – SocGholish Malware Exploits TDS Networks to Target Victims

Cybercriminals behind SocGholish malware are using Traffic Distribution Systems (TDS) like Parrot TDS and Keitaro TDS to filter and redirect victims to malicious sites. Researchers said the malware operates under a Malware-as-a-Service (MaaS) model, where infected systems are sold to other threat actors for initial access.

SocGholish, also known as FakeUpdates, spreads through compromised websites by disguising itself as fake browser or software updates (e.g., Chrome, Firefox, Teams). Once installed, it provides attackers with a foothold, which is then sold to groups like Evil Corp, LockBit, and Dridex. Recent attacks have also used Raspberry Robin to distribute SocGholish.

The malware is delivered via direct script injections or intermediate JavaScript files on hacked sites. Additionally, TDS platforms like Keitaro help filter victims based on system fingerprints before redirecting them to malicious payloads. Keitaro TDS has been linked to multiple threats, including ransomware and influence operations.
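The delivery path described above (a script reference or inline loader stub injected into an otherwise legitimate page) is something a site owner can check for by diffing the page's script sources against a known-good baseline. The following is an added example for this advisory, not code from the cited research or from any tool named here. It uses only the Python standard library; the sample HTML, the allowlisted hosts and the `unexpected-host.example` reference are constructed placeholders, not indicators from the advisory.

```python
"""Baseline check for injected <script> tags in a web page (added example).

Parses a page, collects external script URLs and inline script bodies,
then flags external hosts that are not on the site owner's allowlist and
inline scripts that use loader-style constructs. All sample data below is
constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src="...">
        self.inline = []        # bodies of <script> ... </script>
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers script content as raw data while inside <script>.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf).strip())


# Constructs commonly seen in small inline loader stubs; a hit is a review
# trigger, not proof of compromise (legitimate code uses them too).
SUSPICIOUS_PATTERNS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"document\.write\s*\("),
    re.compile(r"String\.fromCharCode"),
    re.compile(r"\batob\s*\("),
]


def audit_page(html, allowed_hosts, site_host):
    """Return a list of findings (dicts with kind, detail, reason).

    allowed_hosts: lowercase hostnames the site is expected to load scripts from.
    site_host: the page's own host, used for relative script paths.
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []

    for src in collector.external:
        host = urlparse(src).hostname or site_host   # relative path -> same origin
        if host.lower() not in allowed_hosts:
            findings.append({
                "kind": "external",
                "detail": src,
                "reason": f"script host {host} not in allowlist",
            })

    for body in collector.inline:
        hits = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(body)]
        if hits:
            findings.append({
                "kind": "inline",
                "detail": body[:80],
                "reason": "inline script uses " + ", ".join(hits),
            })
    return findings


# Constructed sample page: two expected scripts, one unexpected external host,
# one loader-style inline stub (the base64 decodes to the word CONSTRUCTED),
# and one benign inline config block.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.trusted-example.com/lib.js"></script>
<script src="https://unexpected-host.example/loader.js"></script>
<script>
var s=document.createElement('script');s.src=atob('Q09OU1RSVUNURUQ=');document.head.appendChild(s);
</script>
<script>window.siteConfig = {theme: "dark"};</script>
</head><body></body></html>
"""
ALLOWED_HOSTS = {"www.example-corp.com", "cdn.trusted-example.com"}

if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML, ALLOWED_HOSTS, "www.example-corp.com"):
        print(f"[{f['kind']}] {f['reason']}: {f['detail']}")
```

In practice the allowlist comes from a crawl of the site taken when it was known to be clean, and the check is run on a schedule against both first-party pages and any third-party pages the organisation embeds, so that a newly injected reference shows up as a diff rather than waiting for a user to see a fake update prompt.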

Severity:
Medium

Attack Surface:
Content Management System, Email, Endpoint, Endpoint OS, File Storage, Supply Chain (Third-party vendors), Web Application, Web Browser

Tactics:
Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Initial Access, Persistence, Privilege Escalation

Techniques:
T1195.001 – Supply Chain Compromise: Compromise Software Supply Chain
T1071 – Application Layer Protocol
T1059.007 – JavaScript
T1204.002 – Malicious Link
T1071.001 – Web Protocols
T1027 – Obfuscated Files or Information
T1547.001 – Registry Run Keys / Startup Folder
T1055 – Process Hollowing
T1068 – Exploitation for Privilege Escalation – CVE-2024-38196

Indicators of Compromise:
1. https://otx.alienvault.com/pulse/689901bb2323b0727bc2539f

References:
1. https://www.silentpush.com/blog/socgholish/

SuperPRO’s Threat Countermeasures Procedures:
1. Block known malicious TDS domains (Parrot TDS, Keitaro TDS) at the network level.
2. Monitor for suspicious JavaScript injections on corporate and third-party websites.
3. Apply patches for CVE-2024-38196 to prevent Raspberry Robin’s privilege escalation.
4. Educate employees on recognizing phishing emails with fake updates or urgent attachments.
5. Inspect archived files (RAR, ZIP) and embedded scripts before execution.
6. Use behavior-based detection to identify process hollowing and fileless malware techniques.

Contributed by: Fatini