Wanna Cryptor aka WannaCry Ransomware – Active IOCs
April 28, 2025
Severity
High
Analysis Summary
A recent cyberattack campaign has been identified, linking SocGholish malware, also known as FakeUpdates, to affiliates of the RansomHub ransomware group. This operation demonstrates how attackers combine initial access malware with targeted backdoor deployments to infiltrate corporate networks.
The infection chain begins when victims visit a compromised website, such as butterflywonderland[.]com, which prompts them to download a fake Microsoft Edge update named "Update.zip." This archive contains a malicious JavaScript file, Update.js, designed to communicate with SocGholish command-and-control infrastructure.

Once executed, SocGholish gathers system information, including domain details, usernames, computer names, and processor architecture. It also utilizes legitimate Windows utilities like net.exe and systeminfo to enumerate network connections and system configurations, transmitting this data back to its command-and-control server.
The attackers deliver a Python-based backdoor via a second-stage payload. This backdoor is deployed by unpacking a zip archive named python3.12.zip and installing it persistently through a scheduled task using pythonw.exe. The backdoor, concealed within a file called fcrapvim.pyz, employs multiple encryption layers to hide its components and connects to a threat actor-controlled server, enabling proxying of victim network traffic, remote command execution, and lateral movement within compromised environments.
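As an added example, not part of the advisory, the following Python sketches detection logic for the chain described above: a script host running Update.js from a user-writable directory, discovery tools (net.exe, systeminfo) spawned by that script host, and pythonw.exe launched from a user-writable python3.12 folder with a .pyz argument. The event field names, file paths and the sample events are constructed assumptions, not telemetry from this campaign.

```python
import re

# Constructed sample process-creation events (not from the advisory); fields
# mirror what a Sysmon EID 1 / EDR telemetry feed typically exposes.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r'wscript.exe "C:\Users\alice\Downloads\Update\Update.js"'},
    {"image": r"C:\Windows\System32\net.exe", "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": "net user /domain"},
    {"image": r"C:\Windows\System32\systeminfo.exe", "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": "systeminfo"},
    {"image": r"C:\Users\alice\AppData\Local\python3.12\pythonw.exe",
     "parent": r"C:\Windows\System32\svchost.exe",  # scheduled-task launch
     "cmd": r"pythonw.exe C:\Users\alice\AppData\Local\python3.12\fcrapvim.pyz"},
    {"image": r"C:\Program Files\Python312\pythonw.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r"pythonw.exe C:\Tools\report.py"},  # benign control: should not match
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
DISCOVERY_TOOLS = ("net.exe", "net1.exe", "systeminfo.exe", "whoami.exe")
# Paths an ordinary user can write to: Downloads, AppData, any Temp folder
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata)\\|\\temp\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the list of rule names this event matches (empty if none)."""
    hits = []
    image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmd"]
    # Rule 1: a Windows script host running a .js that sits in a user-writable path
    if image in SCRIPT_HOSTS and re.search(r"\.js\b", cmd, re.I) and USER_WRITABLE.search(cmd):
        hits.append("fake_update_js_from_user_dir")
    # Rule 2: host/domain discovery spawned directly by a script host
    if image in DISCOVERY_TOOLS and parent in SCRIPT_HOSTS:
        hits.append("discovery_child_of_script_host")
    # Rule 3: pythonw.exe itself located under a user-writable path and running a .pyz
    if image == "pythonw.exe" and USER_WRITABLE.search(ev["image"]) and re.search(r"\.pyz\b", cmd, re.I):
        hits.append("user_dir_pythonw_pyz")
    return hits

def scan(events):
    """Flatten (command line, rule) pairs for every matching event."""
    return [(ev["cmd"], rule) for ev in events for rule in classify(ev)]

if __name__ == "__main__":
    for cmd, rule in scan(SAMPLE_EVENTS):
        print(f"{rule:32} {cmd}")
```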
Impact
- Lateral Movement
- Credential Theft
- Data Theft
- Financial Loss
Indicators of Compromise
Domain Name
- butterflywonderland.com
- exclusive.nobogoods.com
MD5
- 8c9ccd071eefb8db81ded09a8fe1b6c1
SHA-256
- 0f0db5079a9fbd760bb24ee979e2e808b2dc089c17033310838474a53a267f04
SHA1
- 26d657d25cc4d75bb862218906098227e1d003e2
URL
- https://exclusive.nobogoods.com/updateStatus
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement group policy objects to set Notepad as the default application for JavaScript files, preventing execution of malicious scripts.
- Restrict the use of scripting languages and tools such as PowerShell, wget, and Python through application control policies.
- Deploy Endpoint Detection and Response (EDR) solutions capable of detecting and blocking malicious activities.
- Conduct regular security awareness training to educate employees about the risks of downloading software from unverified sources.
- Monitor network traffic for unusual activities that may indicate the presence of backdoors or command-and-control communications.
- Keep all systems and software up to date with the latest security patches to mitigate known vulnerabilities.
- Regularly back up critical data and ensure backups are stored securely and tested for integrity.
- Establish an incident response plan to address and contain any security breaches quickly.