Posted: December 21, 2020

SocGholish is the name of a newly identified toolkit used by cybercriminals. It helps them distribute various malware families by letting them impersonate legitimate software packages and updates, which makes the content appear more trustworthy. The SocGholish framework specializes in enabling drive-by download attacks, and campaigns involving it have gained a lot of traction over the past couple of months. Two of the notable malware families distributed via the SocGholish framework are the WastedLocker Ransomware and the Dridex Trojan, though it is safe to assume that plenty of other malware families are being distributed via the same method.

The criminals behind the SocGholish framework mask their payloads as update packages for Adobe and Microsoft products. The files served are usually stored in a ZIP file, and users may easily mistake it for a legitimate download. Furthermore, the criminals use iFrames to spawn update prompts on legitimate sites whose security has been compromised. This is a kind of attack known as a 'watering-hole' attack, since it relies on sites that users are likely to consider trustworthy.
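The two traits described above, an iframe injected into an otherwise legitimate page and an "update" ZIP that actually carries executable content, are both things a site owner or an analyst can check for mechanically. The following Python is an added defensive example, not code from the original article or from any SocGholish sample: the HTML page, the archive contents, the lure hostname and the extension list are all constructed for illustration, and the regular expression for update-themed file names is an assumption rather than a published indicator.

```python
"""Added defensive example (not from the original article): flag the two
SocGholish traits the text describes, an injected off-site iframe on an
otherwise legitimate page and an 'update' ZIP that holds a loose executable
or script. All sample HTML, file names and hostnames below are constructed."""
import io
import os
import re
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Loose files a genuine vendor update archive would not ask the user to
# double-click. The list is an assumption chosen for this example.
EXEC_EXTENSIONS = {".exe", ".js", ".jse", ".vbs", ".hta", ".wsf",
                   ".scr", ".bat", ".cmd", ".ps1", ".msi"}

# Archive names themed as an Adobe/Microsoft/browser update (assumed pattern).
UPDATE_LURE = re.compile(r"(adobe|flash|microsoft|windows|chrome|browser)[^/]*update",
                         re.IGNORECASE)


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def suspicious_iframes(html, page_host):
    """Return iframe sources that load content from a host other than the page's own.
    On a site you operate, an iframe you did not deploy that pulls third-party
    content is the kind of injection a watering-hole compromise leaves behind."""
    collector = IframeCollector()
    collector.feed(html)
    flagged = []
    for src in collector.srcs:
        host = urlparse(src).hostname  # None for relative URLs, which stay on-site
        if host and host.lower() != page_host.lower():
            flagged.append(src)
    return flagged


def suspicious_update_zip(zip_bytes, archive_name):
    """Return members of an update-themed ZIP that are directly executable.
    A real vendor update is not handed out as a ZIP holding a loose script or
    executable, so an 'update' archive that contains one is treated as a lure."""
    if not UPDATE_LURE.search(archive_name):
        return []
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXEC_EXTENSIONS:
                flagged.append(info.filename)
    return flagged


# Constructed sample: a page on example.com with one legitimate iframe and one
# hidden iframe pointing at a lure host (placeholder name, not a real indicator).
SAMPLE_HTML = """<html><body>
<iframe src="https://example.com/widgets/video"></iframe>
<iframe src="https://cdn.example-lure.test/update.php?id=1" style="display:none"></iframe>
<p>Welcome to our site.</p>
</body></html>"""


def build_sample_zip():
    """Constructed lure archive: named like an Adobe update, carrying a loose script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Adobe.Flash.Player.Update.js", "// placeholder text, not a payload\n")
        zf.writestr("readme.txt", "placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    print("off-site iframes:", suspicious_iframes(SAMPLE_HTML, "example.com"))
    print("executable members:", suspicious_update_zip(build_sample_zip(),
                                                       "Adobe.Flash.Player.Update.zip"))
```

The iframe check is only meaningful on a page whose expected content you know, which is why it takes the site's own hostname as input; the ZIP check is deliberately narrow (update-themed name plus a loose executable member) so that ordinary archives are not flagged.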

Cybercriminals are not always interested in advancing their malware, because they can often expand their operations by abusing new propagation techniques like the ones seen in SocGholish. The way SocGholish delivers payloads is a good reminder not to trust reputable websites blindly, as there is always a small chance that they have been compromised by attackers. Always be wary of unexpected Adobe Flash or Microsoft updates that appear out of place, and make sure to run a reputable anti-malware service at all times.