'SocGholish' Attack Framework Powers Surge in Drive-By Attacks

Menlo Labs research team says framework's social engineering toolkit helps criminals impersonate software updates.


Drive-by download attacks have been on the uptick over the past two months, thanks to a highly active attack framework that security researchers have dubbed "SocGholish" for its ample use of social engineering tools and techniques. SocGholish impersonates legitimate browser, Flash, and Microsoft Teams updates to trick users into executing malicious ZIP files that are automatically placed on their machines when a visit to a compromised website triggers a drive-by download.

SocGholish attackers host and serve the malicious downloads by leveraging iFrames that load content from compromised websites inside a legitimate website.

"Because the file is hosted in an iframe within a legitimate site, users are tricked into thinking the file is from a legitimate source and encouraged to download and execute the file," said Krishnan Subramanian, security researcher at Menlo Security, in a research note today.

This iFrame technique helps attackers make an end run around basic category-based web filtering, since the downloads are delivered from sites in legitimate categories.

The drive-by download mechanisms used by the SocGholish framework don't involve browser exploitation or exploit kits to deliver payloads. Instead, the framework uses three main techniques. The first is watering hole attacks: planting iFrames on sites with relatively high Alexa rankings and then sending users through a number of redirects routed through common cloud hosting services until they reach a malicious ZIP file served from an Amazon S3 account.

The second technique is compromising sites hosted on content management systems like WordPress to embed iFrames that use JavaScript blobs to trigger the download.

"Since the entire payload is constructed within the endpoint, this method is commonly used to smuggle payloads and bypass legacy network proxies and sandboxes," Subramanian wrote.

The third SocGholish technique is leveraging sites.google.com and JavaScript to dynamically create a download link element pointed to a ZIP file hosted on a legitimate Google Drive link, and then simulating a click to trigger the download. 

Subramanian explained that SocGholish is used to gain initial access to endpoints; his team has observed it being used to distribute the Dridex banking Trojan and WastedLocker ransomware, among others. 

Drive-by downloads have been a thorn in security defenders' sides for many years and continue to be a prevalent technique for gaining a foothold in endpoint systems. The SocGholish report comes just a week after Microsoft researchers detailed the rampant use of drive-by downloads by the Adrozek malware to fuel an attack campaign, which ran from May through September 2020 and used 159 unique domains to distribute hundreds of thousands of unique malware samples.

While major browser developers have taken steps to thwart these techniques, attackers keep innovating. In the case of SocGholish, the framework gets around security features in Chrome and Firefox that automatically block downloads from sandboxed iFrames by injecting iFrames without the sandbox attribute specified.
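The two delivery details above (payloads assembled on the endpoint from a JavaScript blob and handed to the browser as a download, and iFrames injected without a `sandbox` attribute so the browsers' download blocking for sandboxed frames does not apply) can both be checked for in fetched page content. The following is an added example written for this page, not code from the Dark Reading article or from Menlo Labs: a small content-inspection routine, of the kind a proxy or detection pipeline might run over HTML, that flags unsandboxed iFrames, scripts that combine the Blob/object-URL/download-attribute/simulated-click pattern, and script-created download links pointing at drive.google.com. The marker regexes, scoring weights, and the sample page are constructed assumptions, not indicators from the report.

```javascript
// Added example (not from the article or Menlo Labs): heuristic inspection
// of fetched HTML for the SocGholish delivery patterns described on the page.
// All regexes, weights and the sample page below are constructed assumptions.

const IFRAME_RE = /<iframe\b[^>]*>/gi;
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;

// Building blocks of an on-endpoint download: each is common and benign on
// its own, so we only score a script that combines most of them.
const SMUGGLING_MARKERS = [
  /new\s+Blob\s*\(/,            // payload bytes assembled in memory
  /URL\.createObjectURL\s*\(/,  // turned into a local object URL
  /\.download\s*=|\bdownload\s*=/, // forced to save as a file
  /\.click\s*\(\s*\)/,          // click simulated, no user action needed
];

function analyzeHtml(html) {
  const findings = {
    unsandboxedIframes: [],  // src of each iframe lacking a sandbox attribute
    smugglingScripts: 0,     // scripts matching >= 3 smuggling markers
    driveDownloadScripts: 0, // scripts wiring a drive.google.com link to a download + click
    score: 0,
    verdict: 'clean',
  };

  for (const tag of html.match(IFRAME_RE) || []) {
    if (!/\bsandbox\b/i.test(tag)) {
      const srcMatch = tag.match(/\bsrc\s*=\s*["']([^"']*)["']/i);
      findings.unsandboxedIframes.push(srcMatch ? srcMatch[1] : '(no src)');
    }
  }

  for (const m of html.matchAll(SCRIPT_RE)) {
    const body = m[1];
    const hits = SMUGGLING_MARKERS.filter((re) => re.test(body)).length;
    if (hits >= 3) findings.smugglingScripts += 1;
    if (/drive\.google\.com/i.test(body) && /\.click\s*\(/.test(body) && /download/i.test(body)) {
      findings.driveDownloadScripts += 1;
    }
  }

  // Constructed weights: an unsandboxed iframe alone is weak evidence, a
  // script-built download is strong evidence.
  findings.score =
    findings.unsandboxedIframes.length * 1 +
    findings.smugglingScripts * 3 +
    findings.driveDownloadScripts * 3;
  findings.verdict = findings.score >= 3 ? 'suspicious' : 'clean';
  return findings;
}

// Constructed sample page: one sandboxed widget iframe, one injected
// unsandboxed iframe, one benign script, one blob-built download, and one
// script-created Google Drive download link. The base64 and Drive id are placeholders.
const SAMPLE_PAGE = `
<html><body>
<h1>Example blog</h1>
<iframe sandbox="allow-scripts" src="https://ads.example.net/widget"></iframe>
<iframe src="https://compromised.example.org/update.html" style="display:none"></iframe>
<script>
  document.title = "Example blog";
</script>
<script>
  var bytes = atob("PLACEHOLDER_BASE64");
  var blob = new Blob([bytes], { type: "application/zip" });
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "Chrome.Update.zip";
  document.body.appendChild(a);
  a.click();
</script>
<script>
  var l = document.createElement("a");
  l.href = "https://drive.google.com/uc?export=download&id=PLACEHOLDER_ID";
  l.setAttribute("download", "Teams.Update.zip");
  l.click();
</script>
</body></html>`;

console.log(JSON.stringify(analyzeHtml(SAMPLE_PAGE), null, 2));
```

Run with `node` to see the findings for the constructed page. Regex-based inspection is a heuristic, not an HTML parser: obfuscated scripts and dynamically injected frames will evade it, so treat it as a triage signal to pair with the category-independent controls the article implies (blocking script-initiated downloads of archive files from unexpected origins, and sandboxing third-party frames without `allow-downloads`).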

About the Author

Ericka Chickowski, Contributing Writer

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

