SocGholish Malware Spread via Ad Tools; Delivers Access to LockBit, Evil Corp, and Others

What’s new: The SocGholish malware, also known as FakeUpdates, is being distributed through Traffic Distribution Systems (TDSs) such as Parrot TDS and Keitaro TDS, the same redirection services used by legitimate ad traffic. The malware is a JavaScript loader, typically delivered as a fake browser or software update that the victim is prompted to download and run after landing on a compromised or ad-served page. It is attributed to the threat actor TA569, which uses the resulting footholds to provide initial access to other cybercriminal groups, including Evil Corp and LockBit. Recent campaigns have also used Raspberry Robin as a distribution channel.

Who’s affected

Organizations whose websites have been compromised to host the injected loader, or that serve ads through an abused ad network, can unknowingly deliver the lure to their own visitors. End users who run a downloaded "update" from such a site are the direct victims, and because SocGholish is an initial-access tool, a single infected endpoint can be handed to the groups named above for follow-on intrusion or ransomware deployment.

What to do

  • Implement web filtering to block known malicious TDS and SocGholish-associated domains. Note that the first hop is often a legitimate, compromised site with good reputation, so filtering has to catch the redirect and lure stages, not just the referring site.
  • Educate users that browsers and mainstream software update themselves through their own update mechanisms; a web page that prompts them to download and run a .js or .zip "update" is a lure, regardless of how the page looks.
  • Because the loader is a JavaScript file that runs under Windows Script Host when double-clicked, change the default handler for .js and .jse files away from wscript.exe (for example to Notepad), or disable Windows Script Host by policy where it is not needed.
  • Regularly update and patch systems to reduce the attack surface available to follow-on tooling after an initial compromise.
  • Monitor endpoints for wscript.exe or cscript.exe executing scripts from Downloads, Desktop or Temp directories, especially when the parent process is explorer.exe or a browser, and correlate with outbound connections from those script hosts.
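The endpoint check described in the last bullet, as an added example that is not part of the original brief: a small Python detector that reads Sysmon-style process-creation events and flags Windows Script Host launching a script from a user-writable download or temp location. The event field names (Image, ParentImage, CommandLine, User, Computer), the sample events and the file names in them are constructed for this example.

```python
"""Flag Windows Script Host (wscript.exe / cscript.exe) running a script from a
download or temp directory, the execution pattern of a user-launched fake
"update" such as SocGholish/FakeUpdates.

Added example, not code from the original brief. Event layout is assumed to be
Sysmon-style process creation exported as one JSON object per line.
"""
import json
import re
from pathlib import PureWindowsPath

WSH_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".vbe"}
# Locations where a freshly downloaded or just-extracted "update" usually lands.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.IGNORECASE
)
# Parents that indicate a user opened the file (double-click / browser download bar).
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def script_path_from_cmdline(cmdline):
    """Return the first script-file argument on a WSH command line, or None."""
    # Split on whitespace but keep quoted paths (with spaces) intact.
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline):
        tok = quoted or bare
        if tok.startswith(("/", "-")):
            continue  # WSH switch such as //B or //Nologo
        if PureWindowsPath(tok).suffix.lower() in SCRIPT_EXTS:
            return tok
    return None


def classify(event):
    """Return a finding dict for a suspicious event, else None."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image not in WSH_HOSTS:
        return None
    script = script_path_from_cmdline(event.get("CommandLine", ""))
    if script is None or not USER_WRITABLE.search(script):
        return None  # WSH is common for logon scripts etc.; only user-writable paths are interesting
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    return {
        "host": event.get("Computer"),
        "user": event.get("User"),
        "script": script,
        "parent": parent,
        "severity": "high" if parent in INTERACTIVE_PARENTS else "medium",
    }


def scan(lines):
    """Run classify() over JSON event lines and return the findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if line:
            finding = classify(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


def sample_lines():
    """Constructed events: one fake-update launch, one benign logon script, one unrelated process."""
    events = [
        {   # user double-clicked a downloaded "browser update" .js (constructed name)
            "Computer": "ws-0117", "User": "CORP\\alice",
            "Image": r"C:\Windows\System32\wscript.exe",
            "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Browser.Update.3b2f.js"',
            "ParentImage": r"C:\Windows\explorer.exe",
        },
        {   # benign: domain logon script from SYSVOL, not a user-writable path
            "Computer": "ws-0117", "User": "CORP\\alice",
            "Image": r"C:\Windows\System32\cscript.exe",
            "CommandLine": r"cscript.exe //Nologo \\corp.example\SYSVOL\corp.example\scripts\logon.vbs",
            "ParentImage": r"C:\Windows\System32\userinit.exe",
        },
        {   # unrelated process
            "Computer": "ws-0117", "User": "CORP\\alice",
            "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
            "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
            "ParentImage": r"C:\Windows\explorer.exe",
        },
    ]
    return [json.dumps(e) for e in events]


if __name__ == "__main__":
    for f in scan(sample_lines()):
        print(f"[{f['severity']}] {f['host']} {f['user']}: {f['parent']} -> {f['script']}")
```

The severity split is deliberate: a script host spawned by explorer.exe or a browser means a person opened the file, which is exactly the fake-update flow, whereas a scheduled task or logon-script parent is usually administrative. Extending the path filter to archive-extraction temp folders catches the case where the .js is run straight out of a downloaded .zip.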

Sources