Andrew Northern 𓅓 Profile picture
Jun 28, 2022 11 tweets 4 min read Read on X
Just a quick bit of clarification on #SocGholish on how I personally view the stages/infra.

Thread
Stage 1: The injected site. These are compromised sites where a JavaScript implant is present in the HTML Source of the page.

These are plentiful (more than 1000 active at any time).

They come in 2 varieties currently:

1x B64 encoded and 2x B64 encoded
Stage 2: Payload Host...aka the site Stage 1 pulls the "fakeupdate" from. (/report/blah)

These are less plentiful than Stage 1. Their TTL is measured in days or weeks. There are some currently that are approaching months.

These are a more reliable IOC to block vs Stage 1.
Stage 3: SocGholish Payload aka the "fakeupdate".

The package is served in the form of a zip file, inside is a JavaScript file named [browser][digits]update.

When executed it executes WMIC queries via scripting host against the victim system. ...cont
Stage 3 cont.

This activity establishes persistence as well as executing recon. The big goal here is to determine what rights the user has, if the target host is joined to a domain.

All this data is sent to the STAGE 3 INFRA (aka) SG C2.

...cont
Stage 3 cont.

Stage 3 INFRA (aka) SG C2s are even more stable than the stage 2 payload hosts though harder to get. You have to be able to defeat the logic checks to actually get the payload from Stage 2 and then decode the package to get the SG C2, which are host with /pixel.
Stage 4: Follow On

If the target host is joined to a domain (usually) Cobalt Strike is deployed. Goal is Ransomware deployment.

If not, a RAT DuJour is deployed...historically NetSupport Rat. Goal is infostealing.

Cont..
Stage 4 cont.

If Cobalt Strike is deployed we will be talking about another layer of infrastructure for C2 called a Teamserver.

If a RAT...RAT C2.
I didn't add all the details in the world here but I'm just trying to clarify a lot of the questions I get in my DMs every day. Hope this helps.

My goal is to try to move left on TA569 and to start getting blocks/kills/takedowns on infra as far left as is reasonably possible.
That is before a fakeupdate hits disk and an IR team uploads it to VT.

Happy Hunting!

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Andrew Northern 𓅓

Andrew Northern 𓅓 Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @ex_raritas

Oct 7, 2022
🧵🐰🕳️ 1/?:

Stumbled down a rabbit hole yesterday and I'm still making sense of it. I don't have all the answers nor do I even have a name for the type of TDS JS nightmare that I ran into but its a pretty wild ride! 🔜

H/T: @lshirley30 for asking me about this
Site 1:
anycodings[.com
VT: 0/95
103.48.119[.244
Country: Bangladesh
Type:Tech Web Blog
Must allow JS to execute or else it throws an error about an Ad Blocker.
Read 29 tweets
Aug 14, 2022
I finally found the perfect t-shirt for me. Image
Does anyone know where I can get this shirt?
Wow. I would buy this shirt.
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(