SocGholish Dominates Top 10 Malware List

Scams

April 11, 2024

The NJCCIC observed an uptick in reported SocGholish infections targeting public sector websites. The MS-ISAC also reported that SocGholish was the most observed malware in Q4 of 2023, comprising 60 percent of the top 10 malware incidents. SocGholish is a malware loader that exploits vulnerable website infrastructure to perform reconnaissance and deploy malicious payloads, such as remote access trojans (RATs), information stealers, and ransomware. The malware’s distribution network employs social engineering and drive-by compromise to drop malware on endpoints, most commonly using fake update pages.

Additionally, the NJCCIC’s email security solution identified an increase in attempted SocGholish campaigns. The observed emails contain URLs linking to websites compromised with SocGholish injects. There are multiple variations of SocGholish injections, including those that use the Keitaro TDS, the Parrot (NDSW) TDS, and plain script injections. The compromised domains redirect traffic to actor-controlled domains to deliver a malicious payload. The email messages, URLs, and domains may appear legitimate but are routing traffic maliciously. Analysts frequently observe a handoff to a post-exploitation operator known as TA582, among others. In such instances, a PowerShell script is downloaded and executed, which initiates an attack chain specific to this post-exploitation operator and may lead to various follow-on malware. The rise in fake browser update schemes underscores their effectiveness, prompting other malicious actors to duplicate these tactics, techniques, and procedures (TTPs).

The NJCCIC advises website administrators to keep websites, associated applications, and plugins up to date, uninstall unused or deprecated components and plugins, and actively monitor for unauthorized changes. Additionally, establish strong passwords and use MFA where available, apply the Principle of Least Privilege to reduce the impact of a potential incident, and keep backups of the website available and offline. Recent TTPs and indicators of compromise (IOCs) can be found in the Center for Internet Security’s blog post, Proofpoint’s blog post, and SentinelOne’s report.
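The two website-side observations above, injected script tags that redirect visitors through a TDS to an actor-controlled domain and the advice to actively monitor for unauthorized changes, can be turned into a routine integrity check. The following is an added example written for this page; it is not code from the NJCCIC, MS-ISAC, or any of the cited vendors. It assumes a hypothetical first-party/CDN allowlist (`ALLOWED_SCRIPT_HOSTS`), and the sample pages, file contents, and inline-script markers (other than the `ndsw` string the advisory associates with the Parrot TDS) are constructed for illustration.

```python
"""
Added example (not from the advisory): a small website integrity checker.

Check 1: hash every file under a web root and diff against a stored baseline,
         so added, removed or modified files surface as "unauthorized changes".
Check 2: parse HTML for <script src=...> pointing at hosts outside an allowlist,
         and for inline scripts carrying markers seen in TDS-style injections.

The allowlist, sample pages and marker list are constructed assumptions.
"""
import hashlib
import re
from pathlib import Path
from urllib.parse import urlparse

# Hypothetical allowlist: first-party host plus a CDN this site legitimately uses.
ALLOWED_SCRIPT_HOSTS = {"www.example-agency.gov", "cdnjs.cloudflare.com"}

SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR_RE = re.compile(r"\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
# "ndsw" is the Parrot TDS marker named in the advisory; the rest are generic
# obfuscation cues (an assumption, tune for the site's own legitimate scripts).
INLINE_MARKERS = ("ndsw", "eval(", "String.fromCharCode", "atob(", "document.write(")


def hash_files(files):
    """Map relative path -> SHA-256 hex digest for an in-memory {path: bytes} dict."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def hash_tree(root):
    """Hash every regular file under a real web root (used by operators, not the test)."""
    root = Path(root)
    return hash_files({
        str(p.relative_to(root)).replace("\\", "/"): p.read_bytes()
        for p in sorted(root.rglob("*")) if p.is_file()
    })


def diff_baseline(old, new):
    """Report which paths were added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def find_suspicious_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Flag external script sources off the allowlist and marker-bearing inline scripts."""
    findings = []
    for attrs, body in SCRIPT_TAG_RE.findall(html):
        src = SRC_ATTR_RE.search(attrs)
        if src:
            url = src.group(1).strip()
            if url.startswith("//"):          # scheme-relative external reference
                host = urlparse("https:" + url).hostname
            elif "://" in url:                # absolute external reference
                host = urlparse(url).hostname
            else:                             # relative path, served by this site
                continue
            if host and host.lower() not in allowed_hosts:
                findings.append({"kind": "external_src", "host": host, "url": url})
        else:
            lowered = body.lower()
            hits = [m for m in INLINE_MARKERS if m.lower() in lowered]
            if hits:
                findings.append({"kind": "inline_markers", "markers": hits,
                                 "snippet": body.strip()[:80]})
    return findings


# Constructed sample pages: a clean baseline and the same page with an injected
# external loader and a marker-bearing inline script appended before </body>.
CLEAN_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
</head><body><script>console.log("hello");</script></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script src="//cdn.not-a-real-update-site.invalid/report.js"></script>\n'
    "<script>if(ndsw===undefined){eval(String.fromCharCode(0))}</script></body>",
)

if __name__ == "__main__":
    for finding in find_suspicious_scripts(INJECTED_PAGE):
        print(finding)
    old = hash_files({"index.html": CLEAN_PAGE.encode(), "static/app.js": b"ok"})
    new = hash_files({"index.html": INJECTED_PAGE.encode(), "static/app.js": b"ok"})
    print(diff_baseline(old, new))
```

In practice the baseline from `hash_tree` is stored off the web server (the same idea as the advisory's offline backups) and the diff runs on a schedule; any `modified` HTML, PHP, or theme file and any `external_src` finding is a signal to compare the file against the backup rather than to trust the running site.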