Concise Cyber

SocGholish Malware Distributes RomCom Backdoor in First-Ever Observed Campaign

New Malware Distribution Vector Discovered

Cybersecurity researchers from the Malwarebytes Threat Intelligence team have identified a new malware campaign that began in mid-April 2024. For the first time, the SocGholish malware framework, also known as FakeUpdates, has been observed distributing the RomCom backdoor. This marks a significant development in the tactics used by the operators of this well-known malware loader.

SocGholish is operated by a threat actor tracked as TA569, which is also referred to as Evil Corp. The malware typically spreads through drive-by downloads on compromised websites, often those running popular content management systems like WordPress. It uses social engineering to trick visitors into downloading what they believe is a critical browser update.

Attack Chain Analysis: SocGholish to RomCom

The infection chain in this campaign follows a documented pattern. A user visits a compromised website where a malicious script has been injected. This script triggers a fake browser update prompt, urging the user to download a file to keep their browser current. The downloaded file is a malicious JavaScript file.

Upon execution, this JavaScript file runs a PowerShell command that acts as a loader for the next stage of the attack. In this newly observed campaign, the PowerShell loader was used to download and execute the RomCom backdoor. The specific RomCom sample identified by researchers was named Wininfo.exe. RomCom is a known backdoor associated with the Cuba ransomware operators, a group tracked as UNC2596 or VOID RABBIT.
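One way a defender can hunt for the chain described above in process-creation telemetry (added example, not from the article or from Malwarebytes): a Windows Script Host process running a `.js` file from a user-writable folder, which spawns PowerShell, which in turn launches an executable dropped outside the system directories. The log tuple layout and the sample events are constructed for this example and are not a real vendor schema; the use of `wscript.exe`/`cscript.exe` as the script host is an assumption about how the downloaded JavaScript file is executed on Windows.

```python
import ntpath
import re

# Constructed process-creation events: (pid, ppid, image_path, command_line).
# Not taken from the article; Wininfo.exe is the sample name it reports.
SAMPLE_EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\alice\Downloads\Chrome_Update.js"'),
    (300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -c <constructed loader command>"),
    (400, 300, r"C:\Users\alice\AppData\Local\Temp\Wininfo.exe", "Wininfo.exe"),
    # Benign admin use of PowerShell from explorer: must not match.
    (500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe Get-ChildItem"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # assumed hosts for .js files
# Folders an ordinary user can write to; payloads here deserve scrutiny.
USER_WRITABLE = re.compile(r"\\(downloads|appdata\\local\\temp)\\", re.I)


def _basename(path):
    return ntpath.basename(path).lower()


def find_fakeupdate_chains(events):
    """Return (script_pid, powershell_pid, payload_pid) triples that match
    the .js -> PowerShell -> dropped-executable pattern."""
    by_pid = {e[0]: e for e in events}
    children = {}
    for pid, ppid, _, _ in events:
        children.setdefault(ppid, []).append(pid)
    hits = []
    for pid, _, image, cmd in events:
        # Stage 1: script host executing a .js file from a user-writable folder
        if _basename(image) not in SCRIPT_HOSTS:
            continue
        if not re.search(r"\.js\b", cmd, re.I) or not USER_WRITABLE.search(cmd):
            continue
        # Stage 2: that script host spawned PowerShell (the loader)
        for ps in children.get(pid, []):
            if _basename(by_pid[ps][2]) != "powershell.exe":
                continue
            # Stage 3: PowerShell launched a binary from a user-writable folder
            for payload in children.get(ps, []):
                if USER_WRITABLE.search(by_pid[payload][2]):
                    hits.append((pid, ps, payload))
    return hits
```

Running `find_fakeupdate_chains(SAMPLE_EVENTS)` flags only the wscript -> powershell -> Wininfo.exe lineage; the standalone PowerShell session under explorer.exe is ignored because it has no script-host parent.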

This event provides evidence of a direct link between the distribution methods of TA569 and the payloads used by UNC2596. Researchers noted that this observation supports the existence of a business relationship between the two distinct threat actor groups.

Source: https://securityaffairs.com/185084/security/for-the-first-time-a-romcom-payload-has-been-observed-being-distributed-via-socgholish.html