SocGholish Attacks Enterprises Via Fake Browser Updates

Enterprises are being targeted by the malware known as SocGholish through deceptive browser update prompts.
This malware, notorious for its stealth and the complexity of its delivery mechanisms, has been identified in a series of incidents involving fake browser updates that trick users into downloading malicious payloads.
ESentire has recently published a report highlighting the infiltration of enterprises by the SocGholish malware.
This malware is spreading through fake browser updates and is causing significant security concerns for organizations.
The initial stage of the SocGholish attack involves compromising legitimate websites, where attackers inject malicious JavaScript code.
Unsuspecting users visiting these websites receive pop-up notifications urging them to download browser updates.
The SocGholish malware employs sophisticated evasion techniques to avoid detection by automated analysis tools.
The malware halts further actions if detected, effectively evading automated security analysis.
It employs a multi-stage infection process, beginning with the execution of obfuscated JavaScript code that further downloads additional malicious scripts based on user interaction and specific conditions, such as detecting WordPress cookies indicating an admin session.
Staging the credential data under another user is likely done for redundancy in case the main files are discovered.
The threat players then tried to use PowerShell to run a command encoded in base64.
Using the DPAPI, the decoded command gets Edge and Chrome's encryption keys for passwords and cookies and decrypts them.
The bad guys then used Powershell to run a base64-encoded command that changed the HTML signature files that Microsoft Outlook uses.
These shortcuts will be created in the network share using the last command.
The destination path takes you to the network share's location.
This is because every time the link files are opened, the C2 server is requested to get the icon file.
The SocGholish intrusion campaign used fake updates and social engineering to get inside.
They then used scripted actions to get private data and watch how users interacted with the site.
The SocGholish malware campaign underscores the critical importance of vigilance and cybersecurity hygiene in the face of increasingly sophisticated social engineering attacks.
By adopting recommended security measures and fostering a culture of awareness, enterprises can significantly mitigate the risk of falling victim to such deceptive tactics.


This Cyber News was published on gbhackers.com. Publication date: Thu, 09 May 2024 14:43:06 +0000


Cyber News related to SocGholish Attacks Enterprises Via Fake Browser Updates

SocGholish Attacks Enterprises Via Fake Browser Updates - Enterprises are being targeted by the malware known as SocGholish through deceptive browser update prompts. This malware, notorious for its stealth and the complexity of its delivery mechanisms, has been identified in a series of incidents involving ...
7 months ago Gbhackers.com
Fake Browser Updates Used in Malware Distribution - Cybersecurity researchers from Proofpoint have identified a rising trend in threat activity that employs fake browser updates to disseminate malware. At least four distinct threat clusters have been tracked utilizing this deceptive tactic. Fake ...
1 year ago Infosecurity-magazine.com
Fake browser updates spread updated WarmCookie malware - The latest campaign was discovered by researchers at Gen Threat Labs, who observed the WarmCookie backdoor being distributed as fake Google Chrome, Mozilla Firefox, Microsoft Edge, and Java updates. FakeUpdate is a cyberattack strategy used by a ...
2 months ago Bleepingcomputer.com
The Fake Browser Update Scam Gets a Makeover - One of the oldest malware tricks in the book - hacked websites claiming visitors need to update their Web browser before they can view any content - has roared back to life in the past few months. New research shows the attackers behind one such ...
1 year ago Krebsonsecurity.com
Omdia: Standalone Security Products Outsell Cybersecurity Platforms - In its many briefings with cybersecurity vendors, one of the most consistent themes Omdia hears is why enterprises need cybersecurity platforms. Instead, vendors claim, enterprises could get better outcomes if they give up their multitude of ...
1 year ago Darkreading.com
Fake Browser Updates Targeting Mac Systems With Infostealer - A widely popular social engineering campaign previously only targeting Windows systems has expanded and is now using fake browser updates to distribute Atomic Stealer, a dangerous information stealer, to macOS systems. Experts say this could be the ...
1 year ago Darkreading.com
How Kasada Counters Toll Fraud and Fake Account Creation for Enterprises - Toll fraud and fake account creation are two advanced threats that bad actors employ for massive profit. Fake Account Creation is committed by a wide range of attackers, through automating the generation of new user accounts en masse, which then get ...
1 year ago Securityboulevard.com
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com
Apple Releases Updates for Older Devices in 2021 - Apple released updates to many of its older devices in 2021, including the iPhones, iPads, and Macs. The updates are to address security vulnerabilities that were discovered in the company's older devices. Apple has previously released several ...
1 year ago Thehackernews.com
Deepfake attacks will cost $40 billion by 2027 - Now one of the fastest-growing forms of adversarial AI, deepfake-related losses are expected to soar from $12.3 billion in 2023 to $40 billion by 2027, growing at an astounding 32% compound annual growth rate. Deloitte sees deep fakes proliferating ...
5 months ago Venturebeat.com
Browser security is the key to stopping ransomware attacks - These advanced attacks use adaptive and evasive tactics to bypass traditional security tools, infiltrate endpoints, spread through the network, and deliver their harmful payloads. Insufficient browser security is the main reason today's ransomware ...
11 months ago Securityboulevard.com
Fake LastPass password manager spotted on Apple's App Store - LastPass is warning that a fake copy of its app is being distributed on the Apple App Store, likely used as a phishing app to steal users' credentials. The fake app uses a similar name to the genuine app, a similar icon, and a red-themed interface ...
10 months ago Bleepingcomputer.com
Menlo Security Adds SaaS Platform to Manage Secure Browsers - Menlo Security today unfurled a software-as-a-service platform that makes it simpler to centrally apply and manage cybersecurity policies to secure instances of Google Chrome or Microsoft Edge browsers. Rew Harding, vice president of security ...
10 months ago Securityboulevard.com
Fake app impersonating LastPass spotted in Apple's App Store The Register - LastPass says a rogue application impersonating its popular password manager made it past Apple's gatekeepers and was listed in the iOS App Store for unsuspecting folks to download and install. A screenshot of the fake LastPass app in the Apple App ...
10 months ago Go.theregister.com
Pig Butchering: Fake Trading Apps Target Crypto on Apple, Google Play Stores - Pig Butchering scam targets crypto users with fake trading apps on Apple and Google Play Stores. These apps, found on Apple’s App Store and Google Play, and on phishing sites, are part of a Pig Butchering scam targeting cryptocurrency investors ...
2 months ago Hackread.com
Vectra AI Launches Global, 24x7 Open MXDR Service Built to Defend Against Hybrid Attacks - PRESS RELEASE. San Jose, Calif. - February 15, 2024 - Vectra AI, Inc., the leader in hybrid attack detection, investigation and response, today announced the launch of Vectra MXDR services, the industry's first global, 24x7 open MXDR service built to ...
10 months ago Darkreading.com
VexTrio network of hijacked websites used to spread malware The Register - More than 70,000 presumably legit websites have been hijacked and drafted into a network that crooks use to distribute malware, serve phishing pages, and share other dodgy stuff, according to researchers. This mesh of compromised sites is known as ...
10 months ago Go.theregister.com
Convincing LinkedIn 'Profiles' Target Saudi Workers for Information Leakage - Attackers have used hundreds of fake profiles on LinkedIn - many very convincing - to target professionals at companies in Saudi Arabia, not only for financial fraud, but to convince employees in specific roles to provide sensitive corporate ...
1 year ago Darkreading.com
Fake IT support sites push malicious PowerShell scripts as Windows fixes - First discovered by eSentire's Threat Response Unit, the fake support sites are promoted through YouTube channels that have been compromised and hijacked to add legitimacy to the content creator. In particular, the threat actors are creating fake ...
5 months ago Bleepingcomputer.com
Google Chrome Zero-Day Bug Under Attack, Allows Code Injection - Google has patched a high-severity zero-day bug in its Chrome Web browser that attackers are actively exploiting. The vulnerability, assigned as CVE-2024-0519, is the first Chrome zero-day bug that Google has disclosed in 2024, and the second in the ...
11 months ago Darkreading.com
Zcaler ThreatLabz 2024 VPN Risk Report - The growing sophistication of cyberthreats alongside the expansion of remote workforces and cloud technologies have exposed significant vulnerabilities in VPNs. Due to their legacy architecture, VPNs grant overly broad network access once credentials ...
7 months ago Cybersecurity-insiders.com
CVE-2021-34527 - <p>A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An ...
10 months ago
DarkGate Malware Delivered Weaponized Fake Browser Updates - DarkGate Malware, also known as BattleRoyal, spreads through weaponized fake browser updates and emails. Once installed, it permits the download and execution of further malware. According to Proofpoint, a new malware has been discovered that is ...
11 months ago Cybersecuritynews.com
Why the Keitaro TDS keeps causing security headaches - A software company named Keitaro has long been labeled by cybersecurity vendors as a legitimate traffic distribution system vendor, yet the company's product is repeatedly used for malicious activity by cybercriminals. Despite being described as a ...
8 months ago Techtarget.com
Tor Browser 13.5.6 Released - What's New! - GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents. Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, ...
2 months ago Gbhackers.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)