
The SocGholish-RansomHub Connection – Active IOCs

Severity

High

Analysis Summary

A recently reported campaign links SocGholish malware, also known as FakeUpdates, to affiliates of the RansomHub ransomware group. It shows how attackers pair initial-access malware with a follow-on backdoor to infiltrate corporate networks.

The infection chain begins when a victim visits a compromised website, such as butterflywonderland[.]com, which shows a fake Microsoft Edge update prompt and serves an archive named "Update.zip." The archive contains a malicious JavaScript file, Update.js, which, once the victim opens it, communicates with SocGholish command-and-control infrastructure.

Once executed, SocGholish gathers system information, including domain details, usernames, computer names, and processor architecture. It also runs legitimate Windows utilities such as net.exe and systeminfo.exe to enumerate network connections and system configuration, and sends the collected data back to its command-and-control server.

The second stage delivers a Python-based backdoor. It is deployed by unpacking a zip archive named python3.12.zip and creating a scheduled task that runs the backdoor with pythonw.exe (the windowless Python interpreter, so no console appears). The backdoor itself, concealed in a file called fcrapvim.pyz, wraps its components in multiple encryption layers and connects to an attacker-controlled server, giving the operators a proxy into the victim's network, remote command execution, and a path for lateral movement within the compromised environment.
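As an added example, not code from the advisory or from eSentire's report, the hunting logic below encodes the chain described above and the indicators listed under Indicators of Compromise as rules run over normalized endpoint telemetry. The Event shape, host names, file paths and command lines are constructed assumptions; the pairing of the listed SHA-256 with an Update.zip file is illustrative only, since the advisory does not map its hashes to specific files, and Windows Script Host (wscript.exe/cscript.exe) as the process that runs Update.js is assumed because it is the default .js handler.

```python
import re
from dataclasses import dataclass

# Indicators copied from the advisory's IOC list.
IOC_DOMAINS = {"butterflywonderland.com", "exclusive.nobogoods.com"}
IOC_IPS = {
    "92.118.112.208", "173.44.141.226", "45.82.85.50", "92.118.112.143",
    "38.180.195.187", "185.219.220.175", "193.203.49.90", "88.119.175.65",
    "104.238.61.144", "38.180.81.153", "185.33.86.15", "185.174.101.69",
    "162.252.173.12", "38.146.28.93", "185.174.101.240", "172.210.82.245",
}
IOC_HASHES = {  # MD5, SHA-256 and SHA-1 from the advisory, matched as one set
    "8c9ccd071eefb8db81ded09a8fe1b6c1",
    "0f0db5079a9fbd760bb24ee979e2e808b2dc089c17033310838474a53a267f04",
    "26d657d25cc4d75bb862218906098227e1d003e2",
}
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# User-writable locations where a downloaded "update" gets unpacked and run from.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\", re.I)


@dataclass
class Event:
    """Normalized telemetry record; this shape is an assumption of the example."""
    host: str
    kind: str            # "process", "task" (scheduled-task action), "net" or "file"
    image: str = ""      # executable (or file) path
    cmdline: str = ""    # command line, or the task action's arguments
    parent: str = ""     # parent image for process events
    dest: str = ""       # queried domain or remote IP for net events
    file_hash: str = ""  # MD5/SHA-1/SHA-256 where the sensor supplies one


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(e: Event) -> list[str]:
    """Return the campaign stages an event matches; an empty list means no match."""
    tags = []
    img, cmd = basename(e.image), e.cmdline.lower()
    # Atomic indicators: exact matches against the advisory's lists.
    if e.kind == "net" and (e.dest.lower().rstrip(".") in IOC_DOMAINS or e.dest in IOC_IPS):
        tags.append("ioc:network")
    if e.file_hash.lower() in IOC_HASHES:
        tags.append("ioc:hash")
    # Stage 1: Update.js started by Windows Script Host (assumed default .js handler)
    # from a user-writable path such as Downloads.
    if img in SCRIPT_HOSTS and ".js" in cmd and USER_WRITABLE.search(e.cmdline):
        tags.append("socgholish:loader")
    # Discovery: net.exe / systeminfo.exe whose parent is the script host rather than
    # an admin's shell (a real chain may interpose cmd.exe; walk the tree if so).
    if img in ("net.exe", "net1.exe", "systeminfo.exe") and basename(e.parent) in SCRIPT_HOSTS:
        tags.append("socgholish:discovery")
    # Stage 2: pythonw.exe running a .pyz, or a pythonw.exe unpacked from python3.12.zip
    # into a user-writable tree; as a scheduled-task action this is the persistence.
    unpacked_runtime = "python3.12" in e.image.lower() and USER_WRITABLE.search(e.image)
    if img == "pythonw.exe" and (".pyz" in cmd or unpacked_runtime):
        tags.append("backdoor:python:persistence" if e.kind == "task" else "backdoor:python")
    return tags


def hunt(events: list[Event]) -> dict[str, list[str]]:
    """Collect the distinct stages seen per host."""
    per_host: dict[str, set[str]] = {}
    for e in events:
        for tag in classify(e):
            per_host.setdefault(e.host, set()).add(tag)
    return {h: sorted(t) for h, t in per_host.items()}


def escalate(findings: dict[str, list[str]], min_stages: int = 2) -> list[str]:
    """Hosts showing several stages of the chain, not just a single indicator hit."""
    return sorted(h for h, tags in findings.items() if len(tags) >= min_stages)


# Constructed sample telemetry (not real logs). Host names, paths and the pairing of
# the advisory's SHA-256 with Update.zip are illustrative assumptions.
SAMPLE_EVENTS = [
    Event("WS-041", "net", dest="butterflywonderland.com"),
    Event("WS-041", "file", image=r"C:\Users\jdoe\Downloads\Update.zip",
          file_hash="0f0db5079a9fbd760bb24ee979e2e808b2dc089c17033310838474a53a267f04"),
    Event("WS-041", "process", image=r"C:\Windows\System32\wscript.exe",
          cmdline=r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\Update\Update.js"',
          parent=r"C:\Windows\explorer.exe"),
    Event("WS-041", "process", image=r"C:\Windows\System32\net.exe", cmdline="net view",
          parent=r"C:\Windows\System32\wscript.exe"),
    Event("WS-041", "process", image=r"C:\Windows\System32\systeminfo.exe", cmdline="systeminfo",
          parent=r"C:\Windows\System32\wscript.exe"),
    Event("WS-041", "task", image=r"C:\Users\jdoe\AppData\Local\python3.12\pythonw.exe",
          cmdline=r"C:\Users\jdoe\AppData\Local\python3.12\fcrapvim.pyz"),
    Event("WS-041", "net", dest="exclusive.nobogoods.com"),
    # Benign look-alikes: an admin's net.exe from cmd.exe, a developer's managed Python.
    Event("SRV-02", "process", image=r"C:\Windows\System32\net.exe", cmdline="net user",
          parent=r"C:\Windows\System32\cmd.exe"),
    Event("DEV-07", "process", image=r"C:\Program Files\Python312\pythonw.exe",
          cmdline=r'"C:\Program Files\Python312\pythonw.exe" app.py', parent=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    findings = hunt(SAMPLE_EVENTS)
    for host, tags in findings.items():
        print(host, tags)
    print("escalate:", escalate(findings))
```

The behavioural rules are deliberately tied to where the binaries run from and who launched them, so a managed Python install or an administrator's net.exe does not fire; the atomic indicators are exact matches and will age as the operators rotate infrastructure, which is why escalation keys on several stages per host rather than on any single hit.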

Impact

  • Lateral Movement
  • Credential Theft
  • Data Theft
  • Financial Loss

Indicators of Compromise

Domain Name

  • butterflywonderland.com
  • exclusive.nobogoods.com

IP

  • 92.118.112.208
  • 173.44.141.226
  • 45.82.85.50
  • 92.118.112.143
  • 38.180.195.187
  • 185.219.220.175
  • 193.203.49.90
  • 88.119.175.65
  • 104.238.61.144
  • 38.180.81.153
  • 185.33.86.15
  • 185.174.101.69
  • 162.252.173.12
  • 38.146.28.93
  • 185.174.101.240
  • 172.210.82.245

MD5

  • 8c9ccd071eefb8db81ded09a8fe1b6c1

SHA-256

  • 0f0db5079a9fbd760bb24ee979e2e808b2dc089c17033310838474a53a267f04

SHA-1

  • 26d657d25cc4d75bb862218906098227e1d003e2

URL

  • https://exclusive.nobogoods.com/updateStatus

Remediation

  • Block all threat indicators at your respective controls.
  • Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
  • Use Group Policy to change the default handler for .js files from Windows Script Host to Notepad, so a double-clicked script such as Update.js opens as text instead of executing.
  • Restrict scripting interpreters and download tools such as PowerShell, wget, and Python through application control policies; in this campaign the backdoor runs under a pythonw.exe unpacked from an archive rather than a managed install, which allow-listing by path or publisher would block. Deploy Endpoint Detection and Response (EDR) solutions capable of detecting and blocking such activity.
  • Conduct regular security awareness training to educate employees about the risks of downloading software from unverified sources.
  • Monitor network traffic for unusual activities that may indicate the presence of backdoors or command-and-control communications.
  • Keep all systems and software up to date with the latest security patches to mitigate known vulnerabilities.
  • Regularly back up critical data and ensure backups are stored securely and tested for integrity.
  • Establish an incident response plan to address and contain any security breaches quickly.

Reference

https://www.esentire.com/blog/socket-puppet-how-ransomhub-affiliates-pull-the-strings