TA569: SocGholish and Beyond
- TA569 leverages many types of injections, traffic distribution systems (TDS), and payloads including, but not limited to, SocGholish.
- In addition to serving as an initial access broker, these additional injects imply TA569 may be running a pay-per-install (PPI) service.
- TA569 may remove injections from compromised websites only to later re-add them to the same websites.
- There are multiple opportunities for defense against TA569: educating users about the activity, using Proofpoint’s Emerging Threats ruleset to block the payload domains, and blocking .js files from executing in anything but a text editor.
In a previous Proofpoint report, Proofpoint described the SocGholish threat and how it is delivered via email.
That is, the URLs that lead to the threat are typically legitimate, are distributed via benign automated emails, and lead to otherwise “friendly” websites (those that were not designed with malicious intent). The emails can be newsletters, notifications from aggregation services like Google Alerts, or a URL that was sent from one user to another.
TA569 is considered by Proofpoint to be an initial access broker (IAB), or an independent cybercriminal actor who infiltrates major targets and then sells access to other groups to deliver follow-on payloads such as ransomware. In addition to being an IAB, TA569 is thought to leverage its extensive network of injections and infrastructure to offer a pay-per-install (PPI) service to other threat actors. This PPI service solicits payloads from customers and facilitates serving the downloads and infecting victims.
In this report, Proofpoint researchers describe the injections used by TA569 to distribute various payloads, as well as what an end-user will see when visiting a compromised website.
When the lure is clicked, a file is downloaded containing the malware payload. The filetype depends on the payload and includes .js, .zip, or .iso files among others. A user must execute the file for the malware to run on the host. These various RATs and information stealers, like SocGholish, can set the stage for follow-on malware infections, including ransomware.
What is an Injection?
Various implementations of injections have been observed but these implementations can be broadly categorized into three distinct categories that describe their flow.
The first category, referred to as Local (non-proxied), indicates that the entire injection is present on the page the victim is visiting and is executed on page load without dependency on any additional assets.
Figure 1: An example of an attack chain illustrating a local injection type resulting in SocGholish
Figure 2: An example of an attack chain illustrating a local proxied injection type resulting in SocGholish
The third category, referred to as Remote Proxied, involves the fragmentation of the injection code over two or more domains. This method is achieved through an asynchronous request to a separate domain that contains the complete injection. The use of multiple domains makes this method more challenging for security measures to detect.
Figure 3: An example of an attack chain illustrating a remote proxied injection type resulting in SocGholish
TA569 has been frequently documented as reinfecting websites that have undergone remediation for malicious injections. It is hypothesized that TA569 may use a technique referred to as “strobing” by Proofpoint researchers. Strobing involves the cyclical removal and readdition of injections to previously compromised websites, with the duration of removal ranging from hours to days and potentially repeating multiple times per day or over longer periods.
The underlying reason for this behavior remains uncertain, but it could be attributed to the workflow involved in the addition of new or differing injections to meet customer agreements or campaign goals, or to generate the illusion of a “clean” website and the possibility of false positive condemnations. This also presents challenges for incident response efforts, as the malicious injections may not be visible at all times.
Figure 4: Injection Strobing on a single host
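As an added example (not Proofpoint's code), a crawl-side monitor that fingerprints the inline scripts in successive snapshots of one page and reports the removal windows and re-additions that characterise strobing, so responders are not misled by a snapshot taken while the inject is absent. The page, inject text and timestamps are constructed here.

```python
import hashlib
import re
from datetime import datetime

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)

def script_fingerprints(html):
    """SHA-256 of each inline <script> body after whitespace normalisation,
    so cosmetic reformatting of an inject does not change its fingerprint."""
    return {hashlib.sha256(" ".join(body.split()).encode()).hexdigest()
            for body in SCRIPT_RE.findall(html)}

def strobing_report(snapshots, inject_fp):
    """snapshots: [(iso_timestamp, html)] in time order for one page.
    Tracks whether inject_fp is present in each snapshot and measures
    every removal window (hours) that ended with the inject returning."""
    transitions, removal_hours = [], []
    prev, removed_at = None, None
    for ts, html in snapshots:
        t = datetime.fromisoformat(ts)
        present = inject_fp in script_fingerprints(html)
        if prev is not None and present != prev:
            transitions.append(("injected" if present else "clean", ts))
            if present and removed_at is not None:
                removal_hours.append((t - removed_at).total_seconds() / 3600)
            removed_at = None if present else t
        prev = present
    return {"transitions": transitions, "removal_hours": removal_hours,
            "strobing": bool(removal_hours)}

# Constructed inputs: a stand-in page and an obviously fake inject.
BASE = "<html><head><script>var site='news';</script></head><body>..</body></html>"
INJECT = "<script>/* constructed inject */ var q='not-a-real-payload';</script>"
INJECT_FP = next(iter(script_fingerprints(INJECT)))
SNAPSHOTS = [
    ("2022-11-01T08:00", BASE.replace("</head>", INJECT + "</head>")),
    ("2022-11-01T20:00", BASE),                                         # removed
    ("2022-11-02T09:00", BASE),
    ("2022-11-03T08:00", BASE.replace("</head>", INJECT + "</head>")),  # back after 36h
    ("2022-11-03T14:00", BASE),                                         # removed again
    ("2022-11-03T18:00", BASE.replace("</head>", INJECT + "</head>")),  # back after 4h
]

if __name__ == "__main__":
    print(strobing_report(SNAPSHOTS, INJECT_FP))
```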
The threat actor TA569 has been observed to employ various injection methods for the deployment of its payloads. These injections can be classified into two main categories, with occasional exceptions. The first category encompasses injections that result in the delivery of SocGholish payloads. The second category includes injections that lead to the deployment of payloads other than SocGholish, referred to as Sczriptzzbn injections. It should be noted that Sczriptzzbn injections have also been used for the delivery of SocGholish injections, which in turn lead to SocGholish payloads.
SocGholish type injections exhibit a higher degree of selective criteria compared to other payload injections. The delivery of the lure to the end-user is contingent upon the victim’s environment meeting specific requirements. For instance, if the host is not running on Windows, has already been served a lure (according to IP and other cookies), or if the user’s browser contains a cookie indicating a WordPress administrator login, the lure for the SocGholish “Fake Update” payload will not be delivered, terminating the attack. This filtering is achieved through the utilization of a Traffic Directing Service (TDS) to guarantee that the payloads are delivered to suitable environments.
The injections employed by TA569 are routed through a diverse range of Traffic Distribution Services (TDS), also known as Traffic Directing System/Service. A TDS is a technology stack that enables its operators to develop complex and dynamic flows of web traffic, with both legitimate and malicious uses. TA569 leverages the capabilities of TDS platforms to direct victims through attacker-controlled infrastructure. TDS platforms are commercially available, open source, pirated, or privately developed, each offering unique features. TA569 has been observed using multiple TDS platforms.
SocGholish Injection Varieties
SocGholish injections have leveraged a variety of obfuscation routines in an effort to thwart detection and complicate analysis. Such varieties include single or double base64 encoding portions of the injection, reversing strings, padding strings with extra characters resulting in a need to skip every other character to derive the true value, as well as several different versions employing line breaks and variations in the size of variables. These coupled with the options afforded by injection deployment categories create a formidable battery of possible combinations.
Figure 5: An example of the SocGholish injection format as of November 2022.
Figure 6: An example of the SocGholish “mod2” injection.
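As an added example (not Proofpoint's code), an analysis helper that brute-forces short chains of the reversible transforms named above (base64 once or twice, string reversal, and dropping the padding characters by keeping every other character) against a suspect string and reports any chain whose output contains a URL. The sample obfuscated strings and the `example.invalid` URL are constructed here, not taken from a real inject.

```python
import base64
import re

URL_RE = re.compile(r"https?://[\w.-]+(?:/[^\s'\"]*)?")

def _b64(s):
    """Strip one base64 layer; None if the string is not valid base64/UTF-8."""
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except Exception:
        return None

def _unpad(s):
    """Undo 'padding with extra characters': keep every other character."""
    return s[::2]

# The transforms the report lists, tried alone and in chains.
STEPS = {"reverse": lambda s: s[::-1], "unpad": _unpad, "b64": _b64}

def deobfuscate_candidates(blob, max_depth=3):
    """Breadth-first search over transform chains of length <= max_depth.
    Returns {chain_tuple: url} for every chain whose output contains a URL."""
    found, seen, frontier = {}, {blob}, [((), blob)]
    for _ in range(max_depth):
        nxt = []
        for chain, s in frontier:
            for name, fn in STEPS.items():
                out = fn(s)
                if not out or out in seen:
                    continue
                seen.add(out)
                m = URL_RE.search(out)
                if m:
                    found[chain + (name,)] = m.group(0)
                nxt.append((chain + (name,), out))
        frontier = nxt
    return found

# Constructed samples (not real TA569 strings): the URL hidden as
# pad(reverse(base64(url))) and as base64(base64(url)).
SECRET = "https://example.invalid/report.php"
_b64enc = lambda s: base64.b64encode(s.encode()).decode()
SAMPLE_PADDED = "".join(c + "x" for c in _b64enc(SECRET)[::-1])
SAMPLE_DOUBLE = _b64enc(_b64enc(SECRET))

if __name__ == "__main__":
    for chain, url in deobfuscate_candidates(SAMPLE_PADDED).items():
        print(" -> ".join(chain), url)
```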
SocGholish payloads are dynamically generated with data points about the victim being an input. This dynamic generation essentially locks each payload to each victim causing the payload to be rendered useless if it is moved to a different environment for analysis. Additionally, each payload is keyed to a specifically prefixed subdomain for command and control (C2) communication. Attempting to interact with a previously observed C2 domain with a known prefix will result in a closed connection.
The first step of a SocGholish payload will reach out to the C2 server for further instructions. If a payload “passes” the initial challenges, it will get a response from the C2 server with instructions to “fingerprint” the host it is running on and relay that information back. Depending on the host information, the C2 server will send another response to drop a RAT, execute additional host analysis to later drop an intrusion framework, or terminate the running process.
Figure 7: The SocGholish Payload
The name “Sczriptzzbn” is taken from a string present in the inject. The Sczriptzzbn injection is crude in comparison to the SocGholish injection. It is used for deploying various types of commodity malware, including remote access Trojans (RATs) and information stealers. The lures employed by this technique are not as polished as those used by SocGholish and are generally less professional in appearance. The lures are diverse in subject matter, ranging from fake DDoS protection captchas and captchas that cannot be solved to simple browser update pop-ups. Campaign management and efficacy evaluation for the Sczriptzzbn injection technique are handled by a TDS, namely zTDS, although only a few of the defensive measures present in the platform have been incorporated.
Figure 8: A fake Cloudflare DDoS (distributed denial of service) protection popup distributed by a Sczriptzzbn inject.
Figure 9: A notably lower quality variant of the “fake update” lure leading to NetSupport RAT distributed by the Sczriptzzbn inject.
Figure 10: A portion of the captcha lure distributed by the Sczriptzzbn inject.
Figure 11: Example of a TA569 telephone-oriented attack delivery (TOAD)-based fake security alert.
TA569 has been observed engaging in the deployment of various forms of malware, including information stealers and RATs. This behavior is believed to be facilitated by TA569’s Pay-Per-Install (PPI) business model. The commodity RATs and stealers that have been observed to be deployed by TA569 include, but are not limited to, NetSupport RAT, Redline Stealer, SolarMarker, and IcedID. Furthermore, it has been documented that TA569 delivers telephone-oriented attack delivery (TOAD) lures that are disguised as security alerts. The format of the delivered payloads can vary, with some being served as compressed executables and others being served as executables within an .iso file. The naming of these files often reflects a common theme of “update.”
Since 26 November 2022, Sczriptzzbn injects have not delivered commodity malware as a first-stage payload, and all injections now deliver a subsequent SocGholish injection ultimately leading to delivery of the SocGholish payload.
Mistakes, Co-deployment, and Attribution
In August 2022, Proofpoint observed that TA569 began deploying the NetSupport RAT as the initial payload through the Sczriptzzbn injection method. The hosting infrastructure of the injection leading to the NetSupport RAT payload was also noted to have simultaneously served SocGholish injections during this period.
This convergence of infrastructure created suspicion that the SocGholish and Sczriptzzbn clusters may both be attributed to TA569. Ultimately the shift from the delivery of commodity malware through Sczriptzzbn injections to the delivery of SocGholish as of November 2022 solidified this attribution.
With regards to motivation, Proofpoint researchers hypothesize that the use of Sczriptzzbn and its associated payloads may be a strategic move by TA569 to expand their business offerings and establish themselves not only as an Initial Access Broker (IAB) but also as a player in the Pay-Per-Install (PPI) market.
Figure 12: A diagram showing the two distinct business lines of TA569 and their applicable injects and payloads.
Figure 13: On 09 August 2022, TA569 accidentally injected all their SocGholish injects and a new NetSupport RAT Sczriptzzbn inject on the same domain.
The Proofpoint Emerging Threats team has developed effective prevention strategies for TA569 and SocGholish infections. The team publishes domain rules for actor-controlled domains, which can be used through Snort and Suricata or as standalone downloads for usage in other tools. By monitoring and blocking these domains, organizations can prevent the download of malware payloads and thus disrupt the attack before it reaches end users.
An effective preventive measure against a SocGholish infection is the monitoring of .js files that are either downloaded or unzipped. Additionally, blocking .js files from executing in anything but a text editor will prevent the malicious files from executing once they have been downloaded. Implementing these simple yet powerful steps can help organizations protect themselves from the harmful consequences of a SocGholish attack.
To protect against TA569 and its related malware, defenders should remain vigilant in their evaluation of alerts, even in the face of what may appear to be false positives. This high-volume threat has the potential to infect a vast number of websites, including those belonging to high-traffic media outlets and other reputable, trusted sources.
It is crucial that organizations educate their end users about the tricks and lures used by this actor, and to maintain a critical eye in the face of any suspicious activity.
Figure 14: SocGholish Overview
Figure 15: SocGholish Stage_1: TDS
Figure 16: SocGholish Stage_1: Initial Domain
Figure 17: SocGholish Stage_1 Injection
Figure 18: SocGholish Stage_2: Payload Host
Figure 19: SocGholish Stage_3: Payload Execution and C2
Figure 20: SocGholish Stage_4: Follow On
Indicators of Compromise
Static Stage 1:
Stage 2 (Shadowed Domains):
- “sczriptzzbn inject pushes malware for NetSupport RAT”, Brad Duncan (@malware_traffic on Twitter), https://isc.sans.edu/diary/sczriptzzbn%20inject%20pushes%20malware%20for%20NetSupport%20RAT/29170
- “Fake DDoS Pages On WordPress Sites Lead to Drive-By-Downloads”, Ben Martin, https://blog.sucuri.net/2022/08/fake-ddos-pages-on-wordpress-lead-to-drive-by-downloads.html
- “To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions”, Mandiant Intelligence, https://www.mandiant.com/resources/blog/unc2165-shifts-to-evade-sanctions
- “WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group”, Stefano Antenucci, https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/