Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

12/17/2020
06:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

'SocGholish' Attack Framework Powers Surge in Drive-By Attacks

Menlo Labs research team says framework's social engineering toolkit helps criminals impersonate software updates.

Drive-by download attacks have been on the uptick over the past two months, thanks to a highly active attack framework that security researchers have dubbed "SocGholish" for its ample use of social engineering tools and techniques. SocGholish impersonates legitimate browser, Flash, and Microsoft Teams updates to trick users into executing malicious ZIP files that are automatically placed on their machines when a visit to an infected compromise triggers a drive-by download. 

SocGholish attackers host and serve the malicious downloads by leveraging iFrames to serve up compromised websites via a legitimate website.  

Related Content:

CISA: SolarWinds Not the Only Initial Attack Vector in Massive Breach

Building an Effective Cybersecurity Incident Response Team

New From The Edge: Why Secure Email Gateways Rewrite Links (and Why They Shouldn't)

"Because the file is hosted in an iframe within a legitimate site, users are tricked into thinking the file is from a legitimate source and encouraged to download and execute the file," said Krishnan Subramanian, security researcher at Menlo Security, in a research note today.

This iFrame technique helps attackers end around basic web filtering based on website categories since they are delivered from legitimate categories.

The drive-by download mechanisms used by the SocGholish framework don't involve browser exploitations or exploit kits to deliver payloads. Instead, it uses three main techniques. The first is using watering hole attacks by planting iFrames on sites with relatively high Alexa rankings and then sending users through a number of redirects routed through common cloud hosting services until reaching a malicious ZIP file served from an Amazon S3 account.

The second technique is compromising sites hosted on content management systems like WordPress to embed iFrames that use JavaScript blobs to trigger the download.

"Since the entire payload is constructed within the endpoint, this method is commonly used to smuggle payloads and bypass legacy network proxies and sandboxes," Subramanian wrote.

The third SocGholish technique is leveraging sites.google.com and JavaScript to dynamically create a download link element pointed to a ZIP file hosted on a legitimate Google Drive link, and then simulating a click to trigger the download. 

Subramanian explained that SocGholish is used to gain initial access to endpoints; his team has observed it being used to distribute the Dridex banking Trojan and WastedLocker ransomware, among others. 

Drive-by downloads have been a thorn in security defenders' sides for many years and continues to be a prevalent technique for gaining a foothold into endpoint systems. The SocGholish report comes just a week after Microsoft researchers detailed the rampant use of drive-by downloads by the Adrozek malware to fuel an attack campaign, which ran from May through September 2020 and used 159 unique domains to distribute hundreds of thousands of unique malware samples. 

While major browser developers have taken steps to thwart these techniques, attackers keep innovating. In the case of SocGholish, the framework gets around security features in Chrome and Firefox that automatically block downloads from sandboxed iFrames by injecting iFrames without the sandbox attribute specified.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: "The truth behind Stonehenge...."
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27886
PUBLISHED: 2021-03-02
rakibtg Docker Dashboard before 2021-02-28 allows command injection in backend/utilities/terminal.js via shell metacharacters in the command parameter of an API request. NOTE: this is NOT a Docker, Inc. product.
CVE-2016-8153
PUBLISHED: 2021-03-02
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none.
CVE-2016-8154
PUBLISHED: 2021-03-02
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none.
CVE-2016-8155
PUBLISHED: 2021-03-02
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none.
CVE-2016-8156
PUBLISHED: 2021-03-02
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none.