Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:00 PM
Connect Directly

'SocGholish' Attack Framework Powers Surge in Drive-By Attacks

Menlo Labs research team says framework's social engineering toolkit helps criminals impersonate software updates.

Drive-by download attacks have been on the uptick over the past two months, thanks to a highly active attack framework that security researchers have dubbed "SocGholish" for its ample use of social engineering tools and techniques. SocGholish impersonates legitimate browser, Flash, and Microsoft Teams updates to trick users into executing malicious ZIP files that are automatically placed on their machines when a visit to an infected compromise triggers a drive-by download. 

SocGholish attackers host and serve the malicious downloads by leveraging iFrames to serve up compromised websites via a legitimate website.  

Related Content:

CISA: SolarWinds Not the Only Initial Attack Vector in Massive Breach

Building an Effective Cybersecurity Incident Response Team

New From The Edge: Why Secure Email Gateways Rewrite Links (and Why They Shouldn't)

"Because the file is hosted in an iframe within a legitimate site, users are tricked into thinking the file is from a legitimate source and encouraged to download and execute the file," said Krishnan Subramanian, security researcher at Menlo Security, in a research note today.

This iFrame technique helps attackers end around basic web filtering based on website categories since they are delivered from legitimate categories.

The drive-by download mechanisms used by the SocGholish framework don't involve browser exploitations or exploit kits to deliver payloads. Instead, it uses three main techniques. The first is using watering hole attacks by planting iFrames on sites with relatively high Alexa rankings and then sending users through a number of redirects routed through common cloud hosting services until reaching a malicious ZIP file served from an Amazon S3 account.

The second technique is compromising sites hosted on content management systems like WordPress to embed iFrames that use JavaScript blobs to trigger the download.

"Since the entire payload is constructed within the endpoint, this method is commonly used to smuggle payloads and bypass legacy network proxies and sandboxes," Subramanian wrote.

The third SocGholish technique is leveraging sites.google.com and JavaScript to dynamically create a download link element pointed to a ZIP file hosted on a legitimate Google Drive link, and then simulating a click to trigger the download. 

Subramanian explained that SocGholish is used to gain initial access to endpoints; his team has observed it being used to distribute the Dridex banking Trojan and WastedLocker ransomware, among others. 

Drive-by downloads have been a thorn in security defenders' sides for many years and continues to be a prevalent technique for gaining a foothold into endpoint systems. The SocGholish report comes just a week after Microsoft researchers detailed the rampant use of drive-by downloads by the Adrozek malware to fuel an attack campaign, which ran from May through September 2020 and used 159 unique domains to distribute hundreds of thousands of unique malware samples. 

While major browser developers have taken steps to thwart these techniques, attackers keep innovating. In the case of SocGholish, the framework gets around security features in Chrome and Firefox that automatically block downloads from sandboxed iFrames by injecting iFrames without the sandbox attribute specified.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...