Cyberattacks leveraging the SocGholish malware framework remain prevalent in the ever-evolving threat landscape. Recently, researchers tracked multiple attack campaigns attributed to the malware.

A WordPress infection observed

  • Sucuri researchers observed a new type of WordPress infection in which threat actors used a distinctive technique to inject SocGholish malware.
  • The attackers appended a cid=272 parameter to entries in the wp_options table of the WordPress database to inject malicious payloads.
  • Additionally, fake plugins and WordPress theme files were used to deploy malicious templates. Researchers also found multiple shady domain names, with over 100 detected per day in the past two weeks, as part of the campaign.
  • All these changes were made to hide the SocGholish script from antivirus software.
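The bullets above describe where this campaign hid its loader: inside wp_options rows, with the loader URL carrying a cid=272 parameter. The following script, an added example that is not part of the original summary or of Sucuri's tooling, shows how a defender can triage an export of the wp_options table for injected script tags. It assumes the rows have already been pulled from the database (for example with a SQL dump) into (option_name, option_value) pairs; the sample rows, the injected host, and the site URL are constructed for the example, and only the cid=272 marker comes from the report.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample of wp_options rows (option_name, option_value), shaped like a
# database export. The injected script, its host and the site URL are invented for
# this example; the cid=272 query parameter is the marker the report describes.
SAMPLE_ROWS = [
    ("siteurl", "https://blog.example"),
    ("widget_text", '<div class="widget"><p>Welcome</p></div>'),
    ("_transient_feed_cache",
     '<script src="https://cdn.invalid-host.example/loader.js?cid=272"></script>'),
    ("theme_mods_twentytwenty",
     'a:1:{s:6:"header";s:62:"<script src="https://blog.example/wp-content/js/menu.js"></script>";}'),
]

# Matches <script ... src="..."> regardless of attribute order or quoting style.
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']',
                           re.IGNORECASE)


def site_host(rows):
    """Return the hostname stored in the siteurl option, or None if absent."""
    for name, value in rows:
        if name == "siteurl":
            return urlparse(value).hostname
    return None


def scan_wp_options(rows):
    """Flag every option value that embeds a <script> tag.

    Severity is assigned from the script source: the campaign's cid=272 marker is
    critical, a script pulled from a host other than the site's own is high, an
    inline script (no src) is medium, and a same-host script is low. The result
    is a triage list, not a verdict: some plugins legitimately store scripts in
    options, so each finding still needs a human look.
    """
    findings = []
    home = site_host(rows)
    for name, value in rows:
        if "<script" not in value.lower():
            continue
        sources = SCRIPT_SRC_RE.findall(value)
        if not sources:
            findings.append({"option": name, "severity": "medium",
                             "reason": "inline <script> block", "src": None})
            continue
        for src in sources:
            parsed = urlparse(src)          # handles absolute and //protocol-relative URLs
            host = parsed.hostname
            query = parse_qs(parsed.query)
            if query.get("cid") == ["272"]:
                severity, reason = "critical", "script URL carries the cid=272 marker"
            elif host and host != home:
                severity, reason = "high", f"script loaded from external host {host}"
            else:
                severity, reason = "low", "script loaded from the site's own host"
            findings.append({"option": name, "severity": severity,
                             "reason": reason, "src": src})
    return findings


if __name__ == "__main__":
    for finding in scan_wp_options(SAMPLE_ROWS):
        print(f"[{finding['severity']:8}] {finding['option']}: "
              f"{finding['reason']} ({finding['src']})")
```

Run against a real export, the same function works unchanged; the only assumption is that the siteurl option is present so that "external host" can be decided relative to the site itself. Fake plugin and theme files mentioned in the report are outside the database and need a separate file-integrity check against a known-good copy.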

SocGholish remains a very real threat

  • In another finding shared by ProofPoint, SocGholish was injected into nearly 300 websites to target users worldwide.
  • The targeted countries included Poland, Italy, France, Iran, Spain, Germany, the U.S., and the U.K.
  • The attackers leveraged malvertising and SEO poisoning techniques to inject the malware.
  • Earlier this month, SocGholish was used in an attack campaign targeting a significant media company in the U.S.
  • As a result, over 250 regional and national newspaper sites were compromised by the TA569 attackers (also the operators of SocGholish), who replaced a legitimate JavaScript file with a malicious one.
  • The malicious JavaScript launched SocGholish (FakeUpdates), infecting targets with malware payloads masquerading as fake browser updates.

Worth noting

  • TA569, a financially motivated threat actor group, monetizes the access it gains through the exclusive use and sale of SocGholish (FakeUpdates) infections.
  • Malware deployed after SocGholish has included WastedLocker, Hive, and LockBit ransomware.
  • The malware framework is also used to drop remote access trojans (RATs) in an attempt to harvest credentials and maintain persistence on a network for further malicious activity.

Conclusion

The attack vectors used to deliver SocGholish, and the speed at which its infection chain proceeds once delivered, remain a serious threat to enterprises. Organizations should therefore be aware of the social engineering and exploitation mechanisms TA569 uses to drop malicious payloads. Defenders must be diligent in evaluating alerts and must not be quick to dismiss them as false positives.
Cyware Publisher