SocGholish Attacks Enterprises Via Fake Browser Updates

Enterprises are being targeted by the malware known as SocGholish through deceptive browser update prompts.
This malware, notorious for its stealth and the complexity of its delivery mechanisms, has been identified in a series of incidents involving fake browser updates that trick users into downloading malicious payloads.
eSentire has recently published a report highlighting the infiltration of enterprises by the SocGholish malware.
This malware is spreading through fake browser updates and is causing significant security concerns for organizations.
The initial stage of the SocGholish attack involves compromising legitimate websites, where attackers inject malicious JavaScript code.
Unsuspecting users visiting these websites receive pop-up notifications urging them to download browser updates.
The SocGholish malware employs sophisticated evasion techniques to avoid detection by automated analysis tools.
If it determines that it is being analysed, the malware halts further actions, effectively evading automated security analysis.
It employs a multi-stage infection process, beginning with the execution of obfuscated JavaScript code that further downloads additional malicious scripts based on user interaction and specific conditions, such as detecting WordPress cookies indicating an admin session.
Staging the credential data under a second user account is likely done for redundancy in case the main files are discovered.
The threat actors then used PowerShell to run a base64-encoded command.
The decoded command uses DPAPI to retrieve the encryption keys that Edge and Chrome use for passwords and cookies, and decrypts them.
The attackers then used PowerShell to run another base64-encoded command that modified the HTML signature files used by Microsoft Outlook.
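The two PowerShell steps above are what a detection engineer would want to catch: the command line itself is opaque because it is base64-encoded, so the decoder has to run before any indicator matching. The following is an added example (not code from the eSentire report or from gbhackers) that decodes `-EncodedCommand` payloads (UTF-16LE base64, as PowerShell expects) from constructed process-creation log lines and flags the DPAPI, browser secret store, and Outlook signature indicators described above; the indicator names and sample lines are assumptions for illustration.

```python
import base64
import re
from typing import List, Optional

# Indicator patterns for the behaviour described above (assumed names):
# DPAPI key recovery, Chromium password/cookie stores, Outlook HTML signatures.
INDICATORS = {
    "dpapi_unprotect": re.compile(r"ProtectedData\]::Unprotect|CryptUnprotectData", re.I),
    "browser_secret_store": re.compile(r"Local State|Login Data|\\Cookies\b", re.I),
    "outlook_signatures": re.compile(r"Microsoft\\Signatures\\\S+\.htm", re.I),
}

# PowerShell accepts abbreviated forms of -EncodedCommand; match the common ones.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        # -EncodedCommand is base64 over UTF-16LE text, without a BOM.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: treat as not decodable, not as an error


def classify(cmdline: str) -> List[str]:
    """Decode the command line if needed and return the indicator names it matches."""
    text = decode_encoded_command(cmdline) or cmdline
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def encode_for_sample(script: str) -> str:
    # Helper used only to build the constructed sample log lines below.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample log lines (not real telemetry): the decoded text is a
# fragment that merely contains the indicator strings, not a working script.
SAMPLE_LOGS = [
    "powershell.exe -nop -w hidden -enc " + encode_for_sample(
        '$ls = Get-Content "$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Local State"; '
        '[System.Security.Cryptography.ProtectedData]::Unprotect(...)'),
    "powershell.exe -enc " + encode_for_sample(
        'Get-ChildItem "$env:APPDATA\\Microsoft\\Signatures\\*.htm" | ForEach-Object { ... }'),
    "powershell.exe -Command Get-Process",  # benign: nothing to flag
]
```

Feeding real EDR or Sysmon command-line fields into `classify` in place of `SAMPLE_LOGS` gives a first-pass triage signal; matches still need analyst review, since legitimate admin scripts can touch the same paths.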
The final command creates these shortcut files in the network share.
Their destination path leads to the network share's location, and every time the link files are opened, the C2 server is contacted to retrieve the icon file.
The SocGholish intrusion campaign used fake updates and social engineering to gain initial access.
The actors then used scripted actions to harvest private data and monitor how users interacted with the site.
The SocGholish malware campaign underscores the critical importance of vigilance and cybersecurity hygiene in the face of increasingly sophisticated social engineering attacks.
By adopting recommended security measures and fostering a culture of awareness, enterprises can significantly mitigate the risk of falling victim to such deceptive tactics.


This Cyber News was published on gbhackers.com. Publication date: Thu, 09 May 2024 14:43:06 +0000

