SocGholish, a malware family active since at least 2018 and associated with the Russia-based threat actor Evil Corp, is frequently used for initial access. It was ranked #6 in Red Canary's Top 10 real-world threats in the 2023 Threat Detection Report. What makes SocGholish infections so devious is that they usually arrive by drive-by download, a class of attack that installs malware without the user's knowledge or consent. The user simply visits a compromised website that carries hidden malicious code or links; campaigns of this kind are often aimed at specific populations (e.g., employees of governments or critical infrastructure companies).
Anatomy of drive-by download attacks
Drive-by downloads, or Drive-by Compromise (T1189) as MITRE ATT&CK® identifies the technique, are particularly problematic because they can exploit both the normal behavior of browsers and weaknesses in browser security to deliver malware while evading detection: no download prompt, no user click, and no obviously malicious file on disk until the payload is already running.
A closely related technique is the use of redirects, which automatically forward users from one page to another. With a redirect injected into a compromised site, adversaries can transparently move users from a benign page to a malicious one without their consent. The redirect code, and the destination it points to, is often obfuscated or encoded so that neither the user nor a simple inspection of the page source reveals where the browser is really being sent.
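To make the encoded-redirect idea concrete, here is a small Node.js triage pass written for this article (it is an added example, not code from the original post and not Seraphic's product logic). It pulls navigation targets out of a page's inline JavaScript and markup, decodes any that are hidden behind `atob()` or `String.fromCharCode()`, and reports the ones that send the browser off-site. The host name `news.example`, the injected snippet, and every URL in it are constructed for the demonstration.

```javascript
// Static triage of a page's inline JavaScript and markup for redirects whose
// destination is hidden behind base64 or char-code encoding.
// Constructed example for this article; not SocGholish code, not vendor code.

const SITE_HOST = "news.example"; // the site the user believes they are on (assumed)

// Decoders for the two encodings discussed above: base64 via atob() and
// character codes concatenated via String.fromCharCode().
function decodeAtobLiteral(b64) {
  return Buffer.from(b64, "base64").toString("utf8");
}
function decodeCharCodes(list) {
  return String.fromCharCode(...list.split(",").map((n) => Number(n.trim())));
}

// Collect every string a redirect could be built from, noting how it was hidden.
function extractCandidates(source) {
  const out = [];
  // 1. Plain literals handed to a navigation sink:
  //    location = "...", location.href = "...", location.replace("..."), window.open("...")
  const sink = /(?:location(?:\.href)?\s*=\s*|location\.(?:replace|assign)\(\s*|window\.open\(\s*)["'`]([^"'`]+)["'`]/g;
  for (const m of source.matchAll(sink)) out.push({ how: "plain", value: m[1] });
  // 2. atob("...") with a literal base64 argument
  const atobRe = /atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)/g;
  for (const m of source.matchAll(atobRe)) out.push({ how: "base64", value: decodeAtobLiteral(m[1]) });
  // 3. String.fromCharCode(104, 116, ...)
  const fccRe = /String\.fromCharCode\(\s*([0-9,\s]+)\)/g;
  for (const m of source.matchAll(fccRe)) out.push({ how: "charcode", value: decodeCharCodes(m[1]) });
  // 4. <meta http-equiv="refresh" content="0;url=..."> (a redirect with no JavaScript at all)
  const metaRe = /<meta[^>]*http-equiv=["']refresh["'][^>]*content=["'][^"']*url=([^"'\s]+)/gi;
  for (const m of source.matchAll(metaRe)) out.push({ how: "meta-refresh", value: m[1] });
  return out;
}

// Resolve a candidate to its host; protocol-relative "//host/..." is common in injected code.
function hostOf(value) {
  try {
    const u = new URL(value.startsWith("//") ? "https:" + value : value);
    return u.protocol === "http:" || u.protocol === "https:" ? u.hostname : null;
  } catch {
    return null; // relative path, plain text, or garbage: not an absolute URL
  }
}

// Findings: every candidate that navigates away from the site, however it was hidden.
function findOffsiteRedirects(source, siteHost = SITE_HOST) {
  return extractCandidates(source)
    .map((c) => ({ ...c, host: hostOf(c.value) }))
    .filter((c) => c.host && c.host !== siteHost);
}

// Constructed sample of a compromised page: one legitimate on-site navigation,
// two injected redirects with encoded destinations, and a meta refresh.
const SAMPLE_PAGE = `
<script>
  location.href = "https://news.example/stories/42";
  var a = atob("aHR0cHM6Ly9ldmlsLmV4YW1wbGUvdXBkYXRl");
  var b = String.fromCharCode(104,116,116,112,115,58,47,47,108,117,114,101,46,101,120,97,109,112,108,101,47);
  if (navigator.userAgent.indexOf("Windows") > -1) { window.location.replace(a || b); }
</script>
<meta http-equiv="refresh" content="0;url=//cdn-lure.example/go">
`;

for (const f of findOffsiteRedirects(SAMPLE_PAGE)) {
  console.log(`${f.how.padEnd(12)} -> ${f.host.padEnd(18)} ${f.value}`);
}
```

Run with `node triage.js`; the on-site `location.href` assignment is not reported, while the base64, char-code and meta-refresh destinations are. The point of the exercise is that the decoded hosts never appear as plain text in the page, which is exactly why signature matching on the raw source (and a user glancing at the address bar before the redirect fires) is so easy to fool; a real deployment would also need to handle string concatenation, `eval`, and code fetched from a second script, which this pass deliberately does not attempt.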
Drive-by download attacks can do significant damage to a user's device and compromise both corporate and personal information, and users may not realize anything happened until it is too late. Once attackers have gained an initial foothold, they can use it to steal users' session cookies (to access other services), begin reconnaissance and lateral movement, or download second-stage payloads such as ransomware.
What to do
As with everything in cybersecurity, keeping browsers updated with the latest security patches is necessary but not sufficient: it makes known vulnerabilities harder to exploit, but it does nothing against a drive-by that relies only on normal browser behavior. User awareness training is also important but may ultimately be ineffective, given the ways in which attackers conceal their actions. Inline security tools such as Secure Web Gateways (SWG) and Network Detection and Response (NDR) may be fooled by the evasiveness of these attacks. Endpoint Detection and Response (EDR) tools may be able to detect them, but by then the initial compromise may already have occurred, and organizations may find themselves in an incident response (IR) or recovery scenario rather than having prevented the attack outright.
Seraphic Security prevents browser exploitation and can block other forms of web-based attacks with unique Prevention and Detection Engines that operate directly in the browser and can reduce the threat of drive-by downloads. To learn more, visit our Safe Browsing Use-case page, our Product page, or request a demo.