Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
View Regular
Andrew Northern 𓅓 Profile picture
Andrew Northern 𓅓
@ex_raritas
🔮 Principal Researcher at Censys 🔮 | formerly Proofpoint | Knowledge Piñata 🪅 | Attack Chain Connoisseur | Aspiring Stoic

Jun 28, 2022, 11 tweets

Just a quick bit of clarification on #SocGholish on how I personally view the stages/infra.

Thread

Stage 1: The injected site. These are compromised sites where a JavaScript implant is present in the HTML Source of the page.

These are plentiful (more than 1000 active at any time).

They come in 2 varieties currently:

1x B64 encoded and 2x B64 encoded

Stage 2: Payload Host...aka the site Stage 1 pulls the "fakeupdate" from. (/report/blah)

These are less plentiful than Stage 1. Their TTL is measured in days or weeks. There are some currently that are approaching months.

These are a more reliable IOC to block vs Stage 1.

Stage 3: SocGholish Payload aka the "fakeupdate".

The package is served in the form of a zip file, inside is a JavaScript file named [browser][digits]update.

When executed it executes WMIC queries via scripting host against the victim system. ...cont

Stage 3 cont.

This activity establishes persistence as well as executing recon. The big goal here is to determine what rights the user has, if the target host is joined to a domain.

All this data is sent to the STAGE 3 INFRA (aka) SG C2.

...cont

Stage 3 cont.

Stage 3 INFRA (aka) SG C2s are even more stable than the stage 2 payload hosts though harder to get. You have to be able to defeat the logic checks to actually get the payload from Stage 2 and then decode the package to get the SG C2, which are host with /pixel.

Stage 4: Follow On

If the target host is joined to a domain (usually) Cobalt Strike is deployed. Goal is Ransomware deployment.

If not, a RAT DuJour is deployed...historically NetSupport Rat. Goal is infostealing.

Cont..

Stage 4 cont.

If Cobalt Strike is deployed we will be talking about another layer of infrastructure for C2 called a Teamserver.

If a RAT...RAT C2.

I didn't add all the details in the world here but I'm just trying to clarify a lot of the questions I get in my DMs every day. Hope this helps.

My goal is to try to move left on TA569 and to start getting blocks/kills/takedowns on infra as far left as is reasonably possible.

That is before a fakeupdate hits disk and an IR team uploads it to VT.

Happy Hunting!

@C0ryInTheHous3 @th3_protoCOL @pr0xylife @0xkyle @bigmacjpg

Share this Scrolly Tale with your friends.

A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.

Keep scrolling