One Article Review

Home - The article:
Source: AlienVault Lab Blog
Identifier: 7526702
Publication date: 2022-10-17 10:00:00 (seen: 2022-10-17 10:06:42)
Title: Stories from the SOC: Feeling so foolish – SocGholish drive-by compromise
Text:

Executive summary: SocGholish, also known as FakeUpdate, is a JavaScript framework leveraged in social engineering drive-by compromises that has been a thorn in cybersecurity professionals’ and organizations’ sides for at least 5 years now. Upon visiting a compromised website, users are redirected to a page for a browser update, and a zip archive containing a malicious JavaScript file is downloaded and, unfortunately, often opened and executed by the fooled end user.

An AT&T Managed Extended Detection and Response (MXDR) client with Managed Endpoint Security (MES) powered by SentinelOne (S1) received an alert regarding the detection and mitigation of one of these JavaScript files. The MXDR Threat Hunter assigned to this client walked them through the activity resulting from the execution of the malicious file and provided additional guidance on containment and remediation of the host involved in the incident.

Investigation: Upon detection of the follow-up activity from the malicious file executed by the end user, S1 created an Incident within the S1 portal. This in turn creates an Alarm within the USM Anywhere platform, where the MXDR SOC team works, reviews, and creates Investigations for client notification as necessary. Since all of this activity was observed within S1, the analysis will be conducted from there.

[Picture 1]

The best way to start looking into an S1 event is to go to the Storyline of the Incident within Deep Visibility.

Deep Visibility deep dive: Once we have all the events related to the Incident, we can also create a new Deep Visibility search for all activity related to the affected host from about an hour before right up to the first event of the incident. This lets us try to see what happened on the host that led to the execution of the malicious JavaScript file. Reviewing the events from both the overall logs on the host and the events related to the Storyline, we can build out a rough timeline of events.
Note there are close to 15k events on the host in the timeframe and 448 events in total in the Storyline; I’m just going over the interesting findings for expediency’s sake.

12:07:08 The user is surfing on Chrome and using Google search to look up electricity construction related companies; we see two sites being visited, both powered by WordPress. The SocGholish campaign works by injecting malicious code into vulnerable WordPress websites. While I was unable to find the injected code within the potentially compromised sites, I see that one of the banners on the page contains spam messages; while there are no links or anything specifically malicious in this, it lets us know that this site is unsafe to a degree.

[Picture: Bad banner]

12:10:46 The user was redirected to clean[.]godmessagedme[.]com for the initial download. It likely would have looked like this:

[Picture: Chrome false]

We can assume the URI for the request looks like the /report seen in VirusTotal and described in open-source intelligence (OSI). Note that the subdomain “clean” has a different resolution than the root domain; this is domain shadowing, performed by the attackers by creating a new A record within the DNS settings of the legitimate domain:

[Picture: New A record] [Picture: New A record 2]

12:12:19 Chrome creates on disk: “C:\Users\[redacted]\Downloads\Сhrome.Updаte.zip”.

12:13:11 User has opened the zip
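Two of the timeline observations above are usable as triage signals: a subdomain whose A record differs from the legitimate root domain (the domain shadowing noted at 12:10:46), and a downloaded archive whose name mixes Cyrillic and Latin letters (the Сhrome.Updаte.zip created at 12:12:19). The following is an added example, not code from the AlienVault post or the MXDR team: it runs both checks over constructed DNS and file-creation events. The event dictionaries are an assumed shape for this example rather than the SentinelOne schema, and the IP addresses are RFC 5737 documentation placeholders, not the actual resolutions.

```python
import unicodedata

# Constructed sample events, loosely modelled on the timeline in the post.
# IPs are RFC 5737 documentation placeholders, not the real resolutions, and the
# dict layout is an assumption for this example rather than the S1 event schema.
DNS_EVENTS = [
    {"time": "12:10:40", "query": "godmessagedme.com", "answer": "203.0.113.10"},
    {"time": "12:10:46", "query": "clean.godmessagedme.com", "answer": "198.51.100.77"},
    {"time": "12:10:50", "query": "www.godmessagedme.com", "answer": "203.0.113.10"},
]
FILE_EVENTS = [
    # The archive name from the post: U+0421 (Cyrillic Es) and U+0430 (Cyrillic a)
    # stand in for the Latin "C" and "a", so the name passes a visual check.
    {"time": "12:12:19", "process": "chrome.exe",
     "path": "C:\\Users\\redacted\\Downloads\\\u0421hrome.Upd\u0430te.zip"},
    {"time": "12:12:25", "process": "chrome.exe",
     "path": "C:\\Users\\redacted\\Downloads\\quarterly-report.pdf"},
]


def apex_of(hostname):
    """Registrable domain taken as the last two labels. Good enough for .com;
    multi-part suffixes such as co.uk would need a public-suffix list."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_shadowed_subdomains(dns_events):
    """Flag subdomains whose A record differs from every answer seen for the apex.
    This is a triage signal only: CDNs and hosting providers legitimately put
    subdomains on other addresses, so each hit still needs an analyst's look."""
    apex_answers = {}
    for ev in dns_events:
        name = ev["query"].lower()
        if name == apex_of(name):
            apex_answers.setdefault(name, set()).add(ev["answer"])
    findings = []
    for ev in dns_events:
        name = ev["query"].lower()
        apex = apex_of(name)
        if name == apex or apex not in apex_answers:
            continue
        if ev["answer"] not in apex_answers[apex]:
            findings.append({"time": ev["time"], "host": name,
                             "answer": ev["answer"],
                             "apex_answers": sorted(apex_answers[apex])})
    return findings


def scripts_in(text):
    """Set of Unicode script names (LATIN, CYRILLIC, ...) of the letters in text,
    taken from the first word of each character's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in text if ch.isalpha()}


def reveal(text):
    """Escape non-ASCII characters so a homoglyph is visible in an alert."""
    return text.encode("ascii", "backslashreplace").decode("ascii")


def find_mixed_script_filenames(file_events):
    """Flag created files whose name mixes more than one writing system."""
    findings = []
    for ev in file_events:
        filename = ev["path"].replace("\\", "/").rsplit("/", 1)[-1]
        scripts = scripts_in(filename)
        if len(scripts) > 1:
            findings.append({"time": ev["time"], "process": ev["process"],
                             "filename": reveal(filename),
                             "scripts": sorted(scripts)})
    return findings


if __name__ == "__main__":
    for hit in find_shadowed_subdomains(DNS_EVENTS):
        print("possible domain shadowing:", hit)
    for hit in find_mixed_script_filenames(FILE_EVENTS):
        print("mixed-script filename:", hit)
```

Run as-is, the script reports the clean subdomain (answer differs from the apex) and the zip (CYRILLIC plus LATIN letters, shown with \u escapes so the substitution is visible in the alert text). Both checks produce leads rather than verdicts; the DNS check in particular will fire on legitimate CDN-hosted subdomains and should be paired with the download and execution context the Storyline provides.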
Sent: Yes
Tags: Spam, Threat, Guideline


The article does not seem to have been picked up after its publication.


The article does not seem to have been taken from a previous one.