SocGholish Malware Spread via Ad Tools; Delivers Access to LockBit, Evil Corp, and Others

Aug 07, 2025 · Ravie Lakshmanan · Malware / Threat Intelligence


What’s new: SocGholish, also tracked as FakeUpdates, is being distributed through Traffic Distribution Systems (TDSs) such as Parrot TDS and Keitaro TDS. It is a JavaScript loader, typically presented to visitors of a compromised website as a fake update for a browser or other popular software. The malware is attributed to the threat actor TA569, which uses it to gain initial access to systems and then sells that access to other cybercriminal groups, including Evil Corp and LockBit. Recent campaigns have also used Raspberry Robin as a distribution method.

Who’s affected

Organizations whose websites have been compromised to host the injected SocGholish script, typically by way of vulnerable or unpatched web software, are affected, since their visitors become the lure’s targets. Users who visit such a site and run the fake update are the ones who end up infected, and the resulting access can then be handed on to the groups TA569 sells to.

What to do

  • Implement web filtering to block known malicious domains and TDS infrastructure. TDS domains rotate quickly, so pair blocklists with category- and reputation-based filtering rather than relying on a static list.
  • Educate users that legitimate browser updates are delivered through the browser’s own update mechanism, never as a downloaded .js file, and that a "your browser is out of date" page on an unrelated site is a lure.
  • Regularly update and patch software, including the CMS, plugins and themes of your own web properties, so that your site cannot be turned into a SocGholish distribution point.
  • Monitor network traffic for unusual activity, such as outbound connections to newly seen TDS or update-themed domains, and, on hosts, alert when wscript.exe or cscript.exe executes a .js file from a user’s Downloads folder, which is how the downloaded loader runs on Windows.
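One concrete host-side check that complements the monitoring item above, as an added example that is not part of the original article: the SocGholish lure is a .js file the victim downloads and opens, so on Windows the Windows Script Host (wscript.exe or cscript.exe) executes it, and the script path normally sits in a browser download location. The function below scans process-creation events for that pattern. The log lines are constructed for this example and use a simplified Key=Value format rather than any real SIEM schema; the browser list, the Downloads-folder layout and the field names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows Script Host binaries that run a downloaded .js loader.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Browsers a fake-update lure is downloaded through (assumption: common Windows browsers).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# A script path inside a user's Downloads folder (assumption: default Windows profile layout).
USER_DOWNLOADS = re.compile(r"\\users\\[^\\]+\\downloads\\", re.IGNORECASE)
# First .js/.jse path argument on the command line, quoted or unquoted.
JS_ARG = re.compile(r'"?([A-Za-z]:\\[^"|]+?\.jse?)"?(?:\s|$)', re.IGNORECASE)

# Constructed sample events (not real telemetry): lines 1 and 4 are the lure pattern,
# lines 2, 3 and 5 are benign script-host and browser activity.
SAMPLE_LOG = [
    r'Image=C:\Windows\System32\wscript.exe|CommandLine="C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Chrome.Update.3f9a.js"|ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\cscript.exe|CommandLine=cscript.exe //nologo C:\ProgramData\IT\inventory.vbs|ParentImage=C:\Windows\System32\svchost.exe',
    r'Image=C:\Windows\System32\wscript.exe|CommandLine=wscript.exe C:\Scripts\rotate-logs.js|ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\wscript.exe|CommandLine="C:\Windows\System32\wscript.exe" "C:\Users\bob\AppData\Local\Temp\Firefox.Update.js"|ParentImage=C:\Program Files\Mozilla Firefox\firefox.exe',
    r'Image=C:\Program Files\Google\Chrome\Application\chrome.exe|CommandLine="chrome.exe" --type=renderer|ParentImage=C:\Program Files\Google\Chrome\Application\chrome.exe',
]


@dataclass
class ProcessEvent:
    image: str         # path of the created process
    command_line: str  # its full command line
    parent_image: str  # path of the parent process


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'Key=Value|Key=Value' process-creation line."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ProcessEvent(fields["Image"], fields["CommandLine"], fields["ParentImage"])


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> Optional[dict]:
    """Return {'script', 'reasons'} if the event looks like a downloaded fake-update .js being run."""
    if basename(ev.image) not in SCRIPT_HOSTS:
        return None
    m = JS_ARG.search(ev.command_line)
    if not m:
        return None                        # script host running a .vbs or similar, not .js
    script = m.group(1)
    from_downloads = bool(USER_DOWNLOADS.search(script))
    from_browser = basename(ev.parent_image) in BROWSERS
    # A .js under a script host is only interesting together with a download signal;
    # an admin script started from explorer.exe or a scripts folder stays quiet.
    if not (from_downloads or from_browser):
        return None
    reasons = []
    if from_downloads:
        reasons.append("script runs from a user Downloads folder")
    if from_browser:
        reasons.append(f"script host spawned directly by {basename(ev.parent_image)}")
    if "update" in basename(script):
        reasons.append("filename mimics a software update")
    return {"script": script, "reasons": reasons}


def detect(lines: List[str]) -> List[dict]:
    """Run classify() over every line; returns one hit per suspicious event with its 1-based line number."""
    hits = []
    for n, line in enumerate(lines, 1):
        verdict = classify(parse_event(line))
        if verdict:
            hits.append({"line": n, **verdict})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['script']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

The rule deliberately requires a download-related signal (the Downloads folder or a browser parent) on top of "script host runs a .js", because script hosts are common in administrative tooling and alerting on every .js would bury the lure in noise. In a real deployment the same logic maps onto a Sysmon Event ID 1 or EDR process-creation query.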
