
SocGholish IoCs and Artifacts: Tricking Users to Download Malware


As initial-access threats go, SocGholish is among the trickiest. It typically arrives disguised as a software update, deceiving victims into downloading a malicious payload that can open the door to far more damaging attacks. In fact, researchers at ReliaQuest found evidence that an initial SocGholish malware distribution was intended to deploy ransomware.

The researchers also listed six indicators of compromise (IoCs) in the form of command-and-control (C&C) domains and IP addresses. We mapped the footprints of these IoCs using domain, IP, and DNS intelligence and found that:

  • The threat actors used old and recently registered root domains to host malicious subdomains.
  • One IoC’s unredacted registrant email address led us to 200+ connected domains.
  • More than 5% of these artifacts were malicious, with many containing the string "update".
  • Dozens of additional artifacts were found related to the IoCs, either through name server or string usage.

A sample of the additional artifacts obtained from our analysis is available for download from our website.

What We Know about the SocGholish IoCs

ReliaQuest listed the following properties as IoCs involved in the SocGholish distribution activities they detected:

  • taxes[.]rpacx[.]com
  • *.signing[.]unitynotarypublic[.]com
  • *.asset[.]tradingvein[.]xyz
  • 88[.]119[.]169[.]108
  • change-land[.]com
  • 31[.]184[.]254[.]115

This IoC list mixes SocGholish and Cobalt Strike C&C servers, since the threat actors used Cobalt Strike for post-exploitation. Either way, all of these web properties could still be tied to the same malicious actor.
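Before pivoting on the IoCs, a defender usually wants them in a form that can be matched against DNS or proxy telemetry. The following added example (not part of the original post or of ReliaQuest's or WhoisXML API's tooling) refangs the six indicators above, treats the two wildcard entries as matching any label beneath the listed subdomain, and runs the resulting matcher over a few constructed DNS log lines; the log format, client IPs and non-IoC hostnames are made up for illustration.

```python
import ipaddress
from dataclasses import dataclass

# The six IoCs listed in the post, kept defanged exactly as published.
SOCGHOLISH_IOCS = [
    "taxes[.]rpacx[.]com",
    "*.signing[.]unitynotarypublic[.]com",
    "*.asset[.]tradingvein[.]xyz",
    "88[.]119[.]169[.]108",
    "change-land[.]com",
    "31[.]184[.]254[.]115",
]


def refang(value: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its real form."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()


@dataclass
class IocMatcher:
    exact_hosts: set          # full hostnames such as taxes.rpacx.com
    wildcard_suffixes: set    # "*.x.y" entries, stored as "x.y"; any label beneath matches
    ips: set                  # ipaddress objects for the IP-based IoCs

    @classmethod
    def from_defanged(cls, iocs):
        exact, wild, ips = set(), set(), set()
        for raw in iocs:
            v = refang(raw)
            try:
                ips.add(ipaddress.ip_address(v))
                continue
            except ValueError:
                pass  # not an IP literal, treat as a hostname pattern
            if v.startswith("*."):
                wild.add(v[2:])
            else:
                exact.add(v)
        return cls(exact, wild, ips)

    def match_host(self, host: str):
        """Return the IoC a hostname matches, or None."""
        h = host.lower().rstrip(".")
        if h in self.exact_hosts:
            return h
        for suffix in self.wildcard_suffixes:
            if h.endswith("." + suffix):
                return "*." + suffix
        return None

    def match_ip(self, ip: str) -> bool:
        try:
            return ipaddress.ip_address(ip) in self.ips
        except ValueError:
            return False


# Constructed DNS resolver log (key=value fields after a timestamp); only the
# IoC hostnames/IPs are real, everything else is illustrative.
SAMPLE_DNS_LOG = """\
2023-02-20T10:01:02Z client=10.0.0.5 query=cdn.example.org answer=93.184.216.34
2023-02-20T10:01:09Z client=10.0.0.5 query=ab12.signing.unitynotarypublic.com answer=88.119.169.108
2023-02-20T10:02:41Z client=10.0.0.7 query=taxes.rpacx.com answer=203.0.113.10
2023-02-20T10:03:15Z client=10.0.0.9 query=files.example.net answer=31.184.254.115
"""


def scan_dns_log(log_text: str, matcher: IocMatcher):
    """Return (line_no, field, value, matched_ioc) for every IoC hit in the log.

    Both the queried name and the answer IP are checked, so a lookup that
    resolves to a known C&C address is caught even when the name is new."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
        query, answer = fields.get("query", ""), fields.get("answer", "")
        ioc = matcher.match_host(query)
        if ioc:
            hits.append((n, "query", query, ioc))
        if matcher.match_ip(answer):
            hits.append((n, "answer", answer, answer))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG, IocMatcher.from_defanged(SOCGHOLISH_IOCS)):
        print(hit)
```

Note that change-land[.]com is listed without a wildcard, so only that exact name is matched; the fourth log line is caught through its answer IP instead, which is why checking both fields matters.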

The historical WHOIS data of these digital resources, including the root domains of the subdomains tagged as IoCs, revealed the following:

IoC | Creation Date of the Root Domain | Registrar | Registrant
taxes[.]rpacx[.]com | 10 March 2009 | FastDomain Inc. | Redacted for privacy since 2019, with one historical public email address currently connected to one domain
*.signing[.]unitynotarypublic[.]com | 29 September 2021 | Launchpad.com Inc. | Redacted for privacy since its creation
*.asset[.]tradingvein[.]xyz | 22 December 2022 | Namecheap | Redacted for privacy since its creation
change-land[.]com | 26 January 2022 | REG.RU LLC | Unredacted, with one public email address currently connected to 218 domains

Regardless of the method by which the threat actors controlled the subdomains, they used a combination of old and recently registered domains as C&C servers.

As for the IP addresses tagged as IoCs, these are their details based on IP Geolocation API:

IoC | IP Geolocation | ISP | Resolution Status
88[.]119[.]169[.]108 | Šiauliai County, Lithuania | Informacines Sistemos Ir Technologijos, UAB | No resolutions or domain connections
31[.]184[.]254[.]115 | Sankt-Peterburg, Russia | Selectel | Connected to one domain (change-land[.]com)

SocGholish IoC Expansion Analysis: Chasing an Email Address, Name Servers, and Recurring Strings

Profiling the IoCs in the previous section helped us determine which data points to pursue. We focused on change-land[.]com for the following IoC expansion analysis since its registrant details were publicly available.

Tracing the Footprint of a Public Registrant Email Address

Using Reverse WHOIS Search, we found 218 domains sharing the same public registrant email address as change-land[.]com. More than 5% of these WHOIS-connected artifacts were malicious.

An example is chrome-update-google[.]com. Although it no longer resolves, the domain hosted the following content back in 2021:

Still, some connected domains continued to host content as of this writing. A few examples include these domains that also shared the same registrant email address as change-land[.]com:

Of the 218 WHOIS-connected artifacts, 21 continued to actively resolve to 18 unique IP addresses. Bulk IP Geolocation further revealed that a majority of these resolutions could be traced to Russia, like the C&C server IP address 31[.]184[.]254[.]115.

Another similarity between the artifacts’ IP geolocation data and that of IoC 31[.]184[.]254[.]115 was that most of them had Selectel as their ISP.

Other ISPs identified include Alibaba, Dolgova Alena Andreevna, Hosting Technology Ltd., and Cloud Assets LLC.

Digging for More WHOIS Connections

The similarities in IP geolocation and ISP among the IoCs and artifacts led us to examine their domain infrastructures to find more associations.

Subjecting the WHOIS-connected artifacts to a bulk WHOIS lookup showed that the registrant used the name servers a[.]dnspod[.]com and c[.]dnspod[.]com for almost all of the domains. Most of the domains were also registered through REG.RU LLC.

We used these WHOIS data points as search strings on Reverse WHOIS Search to retrieve more possible artifacts, specifically those created between 1 January and 22 February 2023. The tool returned 34 domains, including typosquatting properties targeting Slack, Evri, Bank of America, and the crypto wallet Trezor.

Moreover, a malware check on the properties revealed that a few of the recently registered domains had already figured in malicious campaigns.

Uncovering Recently Added String-Connected Artifacts

Most of the malicious artifacts we found contained the string "update", used alongside "bank", "wallet", and "Google". To find additional artifacts bearing these string combinations, we used Domains & Subdomains Discovery and limited our search to domains added between 1 January and 22 February 2023.

We found 27 domains, more than half of which hosted live content. Below are a few examples.

Note that update-bankid-no[.]com and commbank-update-au[.]com have already been reported as malicious, along with four other recently registered string-connected artifacts.
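The three pivots above (registrant email, shared name servers plus registrar within a date window, and the "update" string combinations) form one repeatable expansion procedure. The following added example, which is not the post's own code nor a WhoisXML API product, runs that procedure over a small set of constructed WHOIS records. Only change-land[.]com and chrome-update-google[.]com are domains from the post; the registrant email, the other domains, and every WHOIS field value assigned to them are invented placeholders, and the reverse-WHOIS lookups are simulated as filters over the in-memory list.

```python
import re
from datetime import date

# Constructed WHOIS records. Emails use the reserved .invalid TLD; domains other
# than the post's change-land.com / chrome-update-google.com are made up.
WHOIS_RECORDS = [
    {"domain": "change-land.com", "email": "reg-a@example.invalid",
     "ns": ["a.dnspod.com", "c.dnspod.com"], "registrar": "REG.RU LLC", "created": date(2022, 1, 26)},
    {"domain": "chrome-update-google.com", "email": "reg-a@example.invalid",
     "ns": ["a.dnspod.com", "c.dnspod.com"], "registrar": "REG.RU LLC", "created": date(2021, 3, 4)},
    {"domain": "wallet-update-login.com", "email": "reg-a@example.invalid",
     "ns": ["a.dnspod.com", "c.dnspod.com"], "registrar": "REG.RU LLC", "created": date(2023, 2, 1)},
    {"domain": "slack-login-portal.com", "email": "reg-b@example.invalid",
     "ns": ["c.dnspod.com", "a.dnspod.com"], "registrar": "REG.RU LLC", "created": date(2023, 1, 15)},
    {"domain": "bank-update-secure.net", "email": "reg-c@example.invalid",
     "ns": ["ns1.other.invalid"], "registrar": "Other Registrar", "created": date(2023, 2, 10)},
    {"domain": "benign-shop.example", "email": "shop@example.invalid",
     "ns": ["ns1.other.invalid"], "registrar": "Other Registrar", "created": date(2021, 6, 1)},
]

# Keywords the post reports recurring next to "update" in the malicious artifacts.
FAKE_UPDATE_RE = re.compile(r"update")
COMPANION_WORDS = ("bank", "wallet", "google")


def looks_like_fake_update(domain: str) -> bool:
    """True when the name combines 'update' with a bank/wallet/Google lure word."""
    d = domain.lower()
    return bool(FAKE_UPDATE_RE.search(d)) and any(w in d for w in COMPANION_WORDS)


def defang(domain: str) -> str:
    """Render a domain safely for reports (example.com -> example[.]com)."""
    return domain.replace(".", "[.]")


def expand_from_seed(records, seed, window_start, window_end):
    """Return {domain: set(reasons)} for every record linked to the seed IoC.

    Reasons mirror the post's pivots: 'registrant-email' (reverse WHOIS on the
    seed's email), 'ns+registrar' (same name-server set and registrar, created
    within the window), and 'update-string' (fake-update naming, created within
    the window). A domain can carry several reasons; more reasons, more suspicion."""
    seed_rec = next(r for r in records if r["domain"] == seed)
    seed_ns = set(seed_rec["ns"])
    findings = {}

    def add(domain, reason):
        if domain != seed:  # the seed is already a known IoC
            findings.setdefault(domain, set()).add(reason)

    for r in records:
        in_window = window_start <= r["created"] <= window_end
        if r["email"] == seed_rec["email"]:
            add(r["domain"], "registrant-email")
        if in_window and set(r["ns"]) == seed_ns and r["registrar"] == seed_rec["registrar"]:
            add(r["domain"], "ns+registrar")
        if in_window and looks_like_fake_update(r["domain"]):
            add(r["domain"], "update-string")
    return findings


def ranked_report(findings):
    """Sort by number of independent links, defanged for safe sharing."""
    return [(defang(d), sorted(reasons))
            for d, reasons in sorted(findings.items(), key=lambda kv: (-len(kv[1]), kv[0]))]


if __name__ == "__main__":
    found = expand_from_seed(WHOIS_RECORDS, "change-land.com", date(2023, 1, 1), date(2023, 2, 22))
    for row in ranked_report(found):
        print(row)
```

Domains that surface through more than one pivot are the ones to triage first; a single shared name server or a lone "update" string is weak evidence on its own, which is why the post pairs each expansion step with a separate malware check.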


One SocGholish IoC led us to hundreds of additional suspicious domains, some of which fit the bill of the threat’s fake update tactic. We did that by looking for recurring patterns in their IP geolocations, ISPs, name servers, registrars, and text strings.

If you wish to perform a similar investigation or get access to the complete data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
