SocGholish Malware Spread via Ad Tools; Delivers Access to LockBit, Evil Corp, and Others
Briefly

SocGholish, also known as FakeUpdates, is a JavaScript loader malware associated with the threat actor TA569. This malware is distributed through compromised websites and disguises itself as updates for browsers and other software. It employs a Malware-as-a-Service model, selling initial access to other cybercriminal organizations. Recent campaigns leverage third-party Traffic Distribution Systems like Parrot TDS and Keitaro TDS to filter web traffic and direct users to malicious content. Attack chains involve compromising systems to establish access for clients such as Evil Corp and LockBit.
The core of their operation is a sophisticated Malware-as-a-Service (MaaS) model, where infected systems are sold as initial access points to other cybercriminal organizations.
SocGholish infections typically originate from compromised websites, which can be infected in several ways.
Website infections can involve direct injections, where the SocGholish JavaScript payload is loaded directly from the infected webpage, or a variant of that direct injection.
Attack chains involve deploying SocGholish to establish initial access and broker that compromised system access to a diverse clientele.
Read at The Hacker News