Cybercriminals behind the SocGholish malware are using Traffic Distribution Systems (TDSs) such as Parrot TDS and Keitaro TDS to filter and redirect unsuspecting users to malicious or misleading content, according to cybersecurity firm Silent Push.
SocGholish, also known as FakeUpdates, is a JavaScript-based loader. It is typically delivered through compromised websites that trick visitors into downloading fake updates for browsers such as Google Chrome and Mozilla Firefox, and for applications such as Adobe Flash Player and Microsoft Teams. The malware is linked to a threat group tracked under several names, including TA569, Gold Prelude, Mustard Tempest, Purple Vallhund, and UNC1543.
Once deployed, SocGholish serves as an initial access vector: access to infected systems is sold on to other cybercriminal operations, including those behind Evil Corp, LockBit, Dridex, and Raspberry Robin. Notably, some recent campaigns have gone the other way, with Raspberry Robin used as a new delivery channel for SocGholish infections.
The infection chain begins with websites compromised through methods such as direct JavaScript injection; the injected code often points to intermediate JS files that in turn load the final malicious script. Beyond those on-site redirects, traffic is also fed in by third-party TDSs such as Parrot and Keitaro, which evaluate visitor attributes to decide whether a visitor is a worthwhile target before redirecting them to a malicious landing page.
Keitaro TDS has a long history in the threat landscape and has been used for purposes ranging from scam delivery and malvertising to more advanced malware campaigns, including the distribution of exploit kits, ransomware, and content linked to foreign influence operations. In one case documented by Infoblox, SocGholish, working with VexTrio, used Keitaro to route traffic to VexTrio's own TDS platforms.
Because Keitaro is also used for legitimate purposes, blocking it outright is likely to generate numerous false positives, a risk Proofpoint highlighted in an earlier analysis. Keitaro TDS is reportedly associated with TA2726, which acts as a traffic supplier for both SocGholish and TA2727: the group compromises websites, inserts Keitaro links into them, and sells the resulting traffic to clients.
The loader relies on an intermediate command-and-control (C2) layer that generates payloads dynamically at runtime. Throughout the infection chain, the SocGholish C2 monitors the victim and halts payload delivery if it deems the target unqualified or suspicious, which means a single fetch from an analysis host may return nothing at all.
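The filtering described above, both at the TDS stage and at the SocGholish C2 stage, keys on visitor attributes such as User-Agent and Referer, so the practical way to detect it is to request the same URL under several client profiles and compare what comes back. The script below is an added example written for this article; it is not code from Silent Push, Proofpoint, Infoblox or any TDS vendor, and the profile headers, the `.invalid` hostnames, the `victim.example` page and the sample HTML are all constructed. The comparison logic runs entirely on captured responses; `probe_live()` is an ordinary urllib fetcher for use against a real URL.

```python
"""Probe a URL under several client profiles and flag TDS-style cloaking.

Added example (not vendor code). A TDS or a gated C2 answers differently
depending on who asks, so the same URL is fetched once per profile and the
redirect target plus third-party script hosts are compared across profiles.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Hypothetical visitor profiles; header values are assumptions, not IOCs.
_CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
PROFILES: Dict[str, Dict[str, str]] = {
    # The visitor a TDS typically qualifies: Windows browser, arriving from search.
    "win_chrome_from_search": {"User-Agent": _CHROME_UA,
                               "Referer": "https://www.google.com/",
                               "Accept-Language": "en-US,en;q=0.9"},
    # Same browser, direct visit: many TDS rules require a referer.
    "win_chrome_direct": {"User-Agent": _CHROME_UA, "Accept-Language": "en-US,en;q=0.9"},
    # Obvious scanner profile, usually served clean content.
    "linux_curl": {"User-Agent": "curl/8.5.0"},
}

SCRIPT_SRC = re.compile(r'''<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']''', re.I)


@dataclass(frozen=True)
class Outcome:
    """What one profile got back: HTTP status, Location header (if any), body."""
    status: int
    location: str = ""
    body: str = ""


def redirect_host(out: Outcome) -> str:
    return urlsplit(out.location).netloc.lower() if out.location else ""


def external_script_hosts(html: str, page_host: str) -> Set[str]:
    """Hosts of <script src> tags that are not the page's own host (the
    intermediate-loader tell on a compromised site)."""
    hosts = set()
    for src in SCRIPT_SRC.findall(html):
        host = urlsplit(src).netloc.lower()
        if host and host != page_host.lower():
            hosts.add(host)
    return hosts


def detect_cloaking(results: Dict[str, Outcome], page_host: str) -> dict:
    """Group profiles by (redirect host, external script hosts); more than one
    group means the site answers selectively. Returns {"cloaked", "variants"}."""
    variants: Dict[str, List[str]] = {}
    for name, out in results.items():
        sig = "redirect=%s scripts=%s" % (
            redirect_host(out) or "-",
            ",".join(sorted(external_script_hosts(out.body, page_host))) or "-")
        variants.setdefault(sig, []).append(name)
    return {"cloaked": len(variants) > 1, "variants": variants}


def probe_live(url: str, profiles=PROFILES, timeout: float = 10.0) -> Dict[str, Outcome]:
    """Fetch url once per profile without following redirects (3xx is kept
    as the observation, not chased)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface the 3xx as HTTPError instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    results: Dict[str, Outcome] = {}
    for name, headers in profiles.items():
        req = urllib.request.Request(url, headers=headers)
        try:
            with opener.open(req, timeout=timeout) as resp:
                results[name] = Outcome(resp.status, resp.headers.get("Location", ""),
                                        resp.read().decode("utf-8", "replace"))
        except urllib.error.HTTPError as e:
            results[name] = Outcome(e.code, e.headers.get("Location", "") or "",
                                    e.read().decode("utf-8", "replace"))
        except urllib.error.URLError:
            results[name] = Outcome(0)
    return results


# Constructed sample: a compromised page on victim.example that serves the
# injected loader tag, and a redirect, only to the qualified profile.
CLEAN_HTML = '<html><body><script src="/static/app.js"></script>Hello</body></html>'
INJECTED_HTML = CLEAN_HTML.replace(
    "Hello", '<script src="https://cdn-loader.invalid/stats.js"></script>Hello')
SAMPLE = {
    "win_chrome_from_search": Outcome(302, "https://tds.invalid/go?k=1", INJECTED_HTML),
    "win_chrome_direct": Outcome(200, "", CLEAN_HTML),
    "linux_curl": Outcome(200, "", CLEAN_HTML),
}

if __name__ == "__main__":
    print(detect_cloaking(SAMPLE, "victim.example"))
```

Run against the sample, the qualified profile lands in its own variant (redirect to `tds.invalid`, loader from `cdn-loader.invalid`) while the other two share a clean variant, so `cloaked` is true. In live use, add profiles for the geographies and referers the campaign targets, and expect the qualified answer to appear at most once per source IP, since a gated C2 that has already served a host will often go quiet.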
Silent Push also believes there may be shared personnel or collaboration among the actors behind Dridex, Raspberry Robin, and SocGholish, given the similarities in their operations.
Separately, Zscaler has reported an upgraded version of Raspberry Robin with heavier obfuscation, modified network communication tactics, and references to corrupted TOR C2 domains. This version also adds a local privilege escalation exploit for CVE-2024-38196 to elevate access on infected systems, and it has switched its encryption algorithm from AES in CTR mode to ChaCha20 to further resist analysis.
Meanwhile, Unit 42 has uncovered new attack waves involving DarkCloud Stealer, delivered through phishing emails with a Visual Basic 6 payload protected by ConfuserEx and executed via process hollowing. These changes reflect a broader trend: attackers adopting more complex and evasive techniques to get past traditional security tools.