Operation Endgame Disrupts SocGholish Servers, Cleans 14,971 WordPress Sites

Dutch law enforcement authorities, along with counterparts from Canada , Germany, and the U.S., have disrupted malicious infrastructure associated with SocGholish and cleaned up nearly 15,000 infected WordPress websites. "With these actions we deprive cybercriminals of access to infected computer...

RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware

The threat actors behind a malware family known as RomCom targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent. "This is the first time that a RomCom payload has been observed being distributed by SocGholish," Arctic Wolf Labs...

SocGholish Malware Using Compromised Sites to Deliver Ransomware

New research on SocGholish FakeUpdates reveals how this MaaS platform is used by threat actors like Evil Corp and RansomHub to compromise websites, steal data, and launch high-impact attacks on healthcare and businesses worldwide...

SocGholish Malware Spread via Ad Tools; Delivers Access to LockBit, Evil Corp, and Others

The threat actors behind the SocGholish malware have been observed leveraging Traffic Distribution Systems TDSs like Parrot TDS and Keitaro TDS to filter and redirect unsuspecting users to sketchy content. "The core of their operation is a sophisticated Malware-as-a-Service MaaS model, where...

SocGholish’s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware

Trend Research analyzed SocGholish’s MaaS framework and its role in deploying RansomHub ransomware through compromised websites, using highly obfuscated JavaScript loaders to evade detection and execute various malicious tasks...

SocGholish’s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware

Trend Research analyzed SocGholish’s MaaS framework and its role in deploying RansomHub ransomware through compromised websites, using highly obfuscated JavaScript loaders to evade detection and execute various malicious tasks...

Python-Based Malware Powers RansomHub Ransomware to Exploit Network Flaws

Cybersecurity researchers have detailed an attack that involved a threat actor utilizing a Python-based backdoor to maintain persistent access to compromised endpoints and then leveraged this access to deploy the RansomHub ransomware throughout the target network. According to GuidePoint Security...

A week in security (December 9 – December 15)

Last week on Malwarebytes Labs: Encrypted messaging service intercepted, 2.3 million messages read by law enforcement TikTok ban in US: Company seeks emergency injunction to prevent it Data brokers should stop trading health and location data, new bill proposes Update now! Apple releases new...

Malicious ad distributes SocGholish malware to Kaiser Permanente employees

On December 15, we detected a malicious campaign targeting Kaiser Permanente employees via Google Search Ads. The fraudulent ad masquerades as the health care company's HR portal used to check for benefits, download paystubs and other corporate related tasks. We believe the threat actors' intent...

SocGholish Malware Exploits BOINC Project for Covert Cyberattacks

The JavaScript downloader malware known as SocGholish aka FakeUpdates is being used to deliver a remote access trojan called AsyncRAT as well as a legitimate open-source project called BOINC. BOINC, short for Berkeley Open Infrastructure Network Computing Client, is an open-source "volunteer...

New BLISTER Malware Update Fuelling Stealthy Network Infiltration

An updated version of a malware loader known as BLISTER is being used as part of SocGholish infection chains to distribute an open-source command-and-control C2 framework called Mythic. "New BLISTER update includes keying feature that allows for precise targeting of victim networks and lowers...

Exploring New Techniques of Fake Browser Updates Leading to NetSupport RAT

Exploring New Techniques of Fake Browser Updates Leading to NetSupport RAT By Jonell Baltazar and Antonio Ribeiro · August 10, 2023 Trellix detected an ongoing campaign using fake Chrome browser updates to lure victims to install a remote administration software tool called NetSupport Manager...

FakeSG enters the 'FakeUpdates' arena to deliver NetSupport RAT

Over 5 years ago, we began tracking a new campaign that we called FakeUpdates also known as SocGholish that used compromised websites to trick users into running a fake browser update. Instead, victims would end up infecting their computers with the NetSupport RAT, allowing threat actors to gain...

New Flaw in WordPress Plugin Used by Over a Million Sites Under Active Exploitation

A security vulnerability has been disclosed in the popular WordPress plugin Essential Addons for Elementor that could be potentially exploited to achieve elevated privileges on affected sites. The issue, tracked as CVE-2023-32243, has been addressed by the plugin maintainers in version 5.7.2 that...

Cybercriminals Targeting Law Firms with GootLoader and FakeUpdates Malware

Six different law firms were targeted in January and February 2023 as part of two disparate threat campaigns distributing GootLoader and FakeUpdates aka SocGholish malware strains. GootLoader, active since late 2020, is a first-stage downloader that's capable of delivering a wide range of seconda...

Researchers Find Counterfeit Phones with Backdoor to Hack WhatsApp Accounts

Budget Android device models that are counterfeit versions associated with popular smartphone brands are harboring multiple trojans designed to target WhatsApp and WhatsApp Business messaging apps. The malware, which Doctor Web first came across in July 2022, were discovered in the system partiti...

MakeMoney malvertising campaign adds fake update template

Malware authors and distributors are following the ebbs and flow of the threat landscape. One campaign we have tracked for a numbers of years recently introduced a new scheme to possibly completely move away from drive-by downloads via exploit kit. In this quick blog post, we will look at this ne...

Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload

Both BLISTER and SocGholish are loaders known for their evasion tactics. Our report details what these loaders are capable of and our investigation into a campaign that uses both to deliver the LockBit ransomware...