eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Starting in early August 2022 and continuing through the month, eSentire identified a significant increase in Socgholish (aka. FakeUpdates) malware incidents. Socgholish is a loader type malware that is capable of performing reconnaissance activity and deploying secondary payloads including Cobalt Strike. The operators of Socgholish function as initial access brokers; other threat actors can leverage this service to gain entry into victim organizations.
Socgholish is a high priority threat as the malware has been observed leading to the deployment of various types of ransomware. The eSentire Threat Intelligence team assesses with high confidence that there is an ongoing Socgholish malware campaign, and the activity will continue in the immediate future.
What we’re doing about it
eSentire MDR for Endpoint has rules in place to detect Socgholish
eSentire MDR for Network has rules in place to detect Socgholish
Known attacker infrastructure has been blocked via eSentire’s global deny list
The eSentire Threat Intelligence team will continuing to track this threat for additional details and detection opportunities
eSentire has a wide variety of detections in place to identify common second-stage payloads such as Cobalt Strike
What you should do about it
Educate employees on the threat of Socgholish and the wider risks associated with unsolicited software updates while browsing the web
Ensure standard procedures are in place for employees to submit potentially malicious content for review
Employ an Endpoint Detection and Response (EDR) tool to help detect, isolate, and remediate cyber threats
Ensure Anti-Virus signatures are up to date
Additional information
As Socgholish has a history of being used for initial access into victim organizations for other threat actors, prevention and the rapid identification and remediation of the threat is critical. In recently observed incidents, the malware is delivered via drive-by social engineering attacks, where compromised websites redirect end-users to fake software update pages. Fake update pages are generally themed as web browser updates; the attacker-controlled page checks the user’s browser and displays a fake update that corresponds with the specific browser (Figure 1). The malware is delivered as a .zip file containing a script file; user execution of the malicious file is required for successful malware deployment.
Socgholish has also been identified being deployed as a secondary payload for other malware. According to a report from Microsoft, the Raspberry Robin worm has been observed deploying Socgholish in recent attacks.
Incidents involving Socgholish may progress rapidly. eSentire has observed
Socgholish leading to the deployment of the Cobalt Strike red team tool within 10 minutes of the initial compromise occurring (Figure 2). Cobalt Strike allows threat actors to prepare for ransomware deployment by escalating privileges and moving laterally in the victim environment. Recent ransomware payloads, delivered through Socgholish, include LockBit and WastedLocker.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
