The eSentire’s Threat Response Unit (TRU) discovered a sophisticated cyberattack campaign linking SocGholish (also known as FakeUpdates) malware to affiliates of the notorious RansomHub ransomware group. This operation showcases how attackers are combining initial access malware with highly targeted backdoor deployments to compromise corporate networks.
The infection chain began when victims visited a compromised WordPress site, butterflywonderland[.]com, which prompted them to download a fake Microsoft Edge update in the form of “Update.zip.” This archive contained a malicious JScript file, Update.js, designed to communicate with SocGholish command-and-control (C2) infrastructure.
As eSentire explained: “The purpose of this script is to send a POST request to the SocGholish C2… to retrieve the next stage and execute it via the eval() function.”
Once initial access was established, SocGholish gathered system information, including domain details, usernames, computer names, and processor architecture. The malware also executed LOLBins like net.exe and systeminfo to enumerate network connections and system configurations, transmitting this intelligence back to its C2 server.
One of the more insidious aspects of this campaign was the attackers’ strategic target evaluation. Instead of deploying ransomware indiscriminately, they first collected reconnaissance data to select high-value targets. eSentire noted:
“The primary objective of this reconnaissance activity appears to be enabling threat actors to strategically select their targets while effectively evading security researchers and sandbox environments.”
Approximately 6.5 minutes after initial communication, the attackers delivered a Python backdoor via a second-stage payload. The backdoor was deployed through a technique:
- Renaming and unpacking a zip archive named python3.12.zip.
- Installing it persistently via a scheduled task using pythonw.exe.
The backdoor, obfuscated within a file called fcrapvim.pyz, employed multiple encryption layers (Base85, AES-GCM, AES-CTR, ChaCha20, and Blake3/XOR) to conceal its stages.
The final stage of the malware connected to a threat actor server at 38.146.28[.]93, enabling:
- Proxying victim network traffic to the attackers via SOCKS.
- Remote command execution.
- Facilitating lateral movement within compromised environments.
The Python backdoor included sophisticated anti-analysis features. As eSentire reported: “First, the script checks the victim machine’s platform name for the substrings, ‘vm’ or ‘virtual’. If the substrings are found, the script exits.”
Additional checks aimed to detect debugging attempts, causing the malware to terminate or raise exceptions if a debugger was found active.
Organizations must stay vigilant, hardening systems against both initial access vectors like SocGholish and post-compromise lateral movement tactics.