|
As all initial-access threats go, SocGholish is among the trickiest. It often comes disguised as software updates, deceiving victims into downloading a malicious payload that could eventually lead to more lethal cyber attacks. In fact, researchers at ReliaQuest found evidence that an initial SocGholish malware distribution was intended to deploy ransomware.
The researchers also listed six indicators of compromise (IoCs) in the form of command-and-control (C&C) domains and IP addresses. We mapped the footprints of these IoCs using domain, IP, and DNS intelligence and found that:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
ReliaQuest listed the following properties as IoCs involved in the SocGholish distribution activities they detected:
These IoCs combined SocGholish and Cobalt Strike C&C servers since threat actors used the latter for post-exploitation. At any rate, these web properties could still be tied to the same malicious actor.
The historical WHOIS data of these digital resources, including the root domains of the subdomains tagged as IoCs, revealed the following:
IoC | Creation Date of the Root Domain | Registrar | Registrant |
---|---|---|---|
taxes[.]rpacx[.]com | 10 March 2009 | FastDomain Inc. | Redacted for privacy since 2019, with one historical public email address currently connected to one domain |
*.signing[.]unitynotarypublic[.]com | 29 September 2021 | Launchpad.com Inc. | Redacted for privacy since its creation |
*.asset[.]tradingvein[.]xyz | 22 December 2022 | Namecheap | Redacted for privacy since its creation |
change-land[.]com | 26 January 2022 | REG.RU LLC | Unredacted, with one public email address currently connected to 218 domains |
Regardless of the method by which the threat actors controlled the subdomains, they used a combination of old and recently registered domains as C&C servers.
As for the IP addresses tagged as IoCs, these are their details based on IP Geolocation API:
IoC | IP Geolocation | ISP | Resolution Status |
---|---|---|---|
88[.]119[.]169[.]108 | Šiauliai County, Lithuania | Informacines Sistemos Ir Technologijos, UAB | No resolutions or domain connections |
31[.]184[.]254[.]115 | Sankt-Peterburg, Russia | Selectel | Connected to one domain (change-land[.]com) |
Profiling the IoCs in the previous section helped us determine which data points to pursue. We focused on change-land[.]com for the following IoC expansion analysis since its registrant details were publicly available.
Using Reverse WHOIS Search, we found 218 domains sharing the same public registrant email address as change-land[.]com. More than 5% of these WHOIS-connected artifacts were malicious.
An example is chrome-update-google[.]com. Although it no longer resolves, the domain hosted the following content back in 2021:
Still, some connected domains continued to host content as of this writing. A few examples include these domains that also shared the same registrant email address as change-land[.]com:
Of the 218 WHOIS-connected artifacts, 21 continued to actively resolve to 18 unique IP addresses. Bulk IP Geolocation further revealed that a majority of these resolutions could be traced to Russia, like the C&C server IP address 31[.]184[.]254[.]115.
Another similarity between the artifacts’ IP geolocation data and that of IoC 31[.]184[.]254[.]115 was that most of them had Selectel as their ISP.
Other ISPs identified include Alibaba, Dolgova Alena Andreevna, Hosting Technology Ltd., and Cloud Assets LLC.
The similarities in IP geolocation and ISP among the IoCs and artifacts led us to examine their domain infrastructures to find more associations.
Subjecting the WHOIS-connected artifacts to a bulk WHOIS lookup allowed us to find that the registrant used the name server a.dnspod[.]com|c[.]dnspod[.]com for almost all the domains. Most of the domains’ registrar was also REG.RU LLC.
We used these WHOIS data points as search strings on Reverse WHOIS Search to retrieve more possible artifacts, specifically those created between 1 January and 22 February 2023. The tool returned 34 domains, including typosquatting properties targeting Slack, Evri, the Bank of America, and crypto wallet Trezor.
Moreover, a malware check on the properties revealed that a few of the recently registered domains had already figured in malicious campaigns.
Most of the malicious artifacts we found contained the string update, used alongside bank, wallet, and Google. To find additional artifacts bearing these string combinations, we used Domains & Subdomains Discovery and limited our search to domains added between 1 January and 22 February 2023.
We found 27 domains, more than half of which hosted live content. Below are a few examples.
Note that update-bankid-no[.]com and commbank-update-au[.]com have already been reported as malicious, along with four other recently registered string-connected artifacts.
One SocGholish IoC led us to hundreds of additional suspicious domains, some of which fit the bill of the threat’s fake update tactic. We did that by looking for recurring patterns in their IP geolocations, ISPs, name servers, registrars, and text strings.
If you wish to perform a similar investigation or get access to the complete data behind this research, please don’t hesitate to contact us.
Sponsored byCSC
Sponsored byDNIB.com
Sponsored byWhoisXML API
Sponsored byIPv4.Global
Sponsored byRadix
Sponsored byVerisign
Sponsored byVerisign