CyberSecurity news
FlagThis - #socgholish
|
@cyble.com
//
EvilCorp, a Russia-based cybercriminal enterprise already under sanctions, has been linked to the RansomHub ransomware operation, indicating a concerning level of cooperation between the two groups. Intelligence sources confirm that EvilCorp and RansomHub are actively sharing intrusion methods, indicators of compromise (IOCs), and tactics, techniques, and procedures (TTPs). This collaboration poses a significant threat as it combines the capabilities of a sanctioned entity known for large-scale financial cyberattacks with a prominent ransomware-as-a-service (RaaS) operation. RansomHub, active since February 2024 and reportedly run by Russian-speaking cybercriminals, has become increasingly popular among former affiliates of other RaaS platforms such as ALPHV/BlackCat and LockBit.
One of EvilCorp's signature TTPs involves the use of SocGholish JavaScript malware, also known as FAKEUPDATES, to gain initial access to systems. This malware employs drive-by downloads disguised as web browser software updates. Once a system is infected with SocGholish, EvilCorp affiliates can then deploy the RansomHub ransomware. Given the sanctions imposed on EvilCorp since 2019, organizations that fall victim to this attack face a difficult dilemma: paying the ransom is illegal and can lead to substantial fines from the US Treasury’s Office of Foreign Assets Control. This situation is further complicated by the fact that EvilCorp affiliates are known to rebrand their ransomware and become affiliates of other RaaS operations. The partnership between EvilCorp and RansomHub highlights the evolving and increasingly complex nature of the cybercrime landscape. Maksim Yakubets, a figure reportedly at the helm of EvilCorp, has a long-standing involvement in high-profile hacking campaigns and has been connected to the LockBit ransomware and the Dridex Banking Trojan. The use of Microsoft Teams and other tools to spread malware via vishing scams further demonstrates the diverse range of tactics employed by these threat actors. Cybersecurity experts advise organizations to be vigilant, monitor for PowerShell commands in Teams messages, and investigate any unusual use of Quick Assist or signed binaries running from unexpected locations.
Share:
References :
Classification:
Adam O'Connor@feeds.feedburner.com
//
SocGholish, also known as FakeUpdates, is facilitating the distribution of RansomHub ransomware through compromised websites. The malware-as-a-service (MaaS) framework, observed since 2018 and tracked by Trend Micro as Water Scylla, injects malicious scripts into legitimate websites. This action redirects users to deceptive pages disguised as browser update notifications, tricking them into downloading and executing malicious files that initiate the infection process.
Trend Micro researchers have analyzed SocGholish's MaaS framework, highlighting its use of highly obfuscated JavaScript loaders to evade detection and execute various malicious tasks. The SocGholish loader can download and execute malicious payloads, exfiltrate sensitive data, and execute arbitrary commands, providing persistent access for further exploitation and payload deployment. This intrusion set collaborates with threat actors operating rogue Keitaro Traffic Distribution System (TDS) instances to filter traffic, enhancing the effectiveness of RansomHub delivery. Detections have been highest in the United States, with government organizations among the most affected.
Share:
References :
Classification:
|