The ET SocGholish Rules Response Guidance post was published around Feb 2023 and ET continues to recommend the investigative next steps provided.
Today, we wanted to share that the former SocGholish rule names have changed to reflect Proofpoint Threat Research's evolving understanding of the malicious website inject threat landscape.
Rule Name Changes:
Old: ET MALWARE SocGholish Domain in DNS Lookup
New: ET EXPLOIT_KIT Malicious TA2726 TDS Domain
Old: ET MALWARE SocGholish CnC Domain in DNS Lookup
New: ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup
Again, the name changes do not affect the suggested next steps in the ET SocGholish Rules Response Guidance.
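Because saved searches and correlation rules that key on the old "SocGholish" names will silently stop matching after a ruleset update, the following added example (not code from the ET post) normalises Suricata EVE JSON alerts to the current names and flags sensors that are still firing the old ones. It assumes ET signature names keep a trailing detail such as the matched domain after the prefix shown above, and that the EVE "host" field identifies the sensor; all sample alerts are constructed.

```python
import json
from collections import Counter

# Old -> new rule name prefixes from the announcement above. Matching on the
# prefix keeps any trailing detail (e.g. the matched domain) intact.
RENAMED_RULES = {
    "ET MALWARE SocGholish Domain in DNS Lookup":
        "ET EXPLOIT_KIT Malicious TA2726 TDS Domain",
    "ET MALWARE SocGholish CnC Domain in DNS Lookup":
        "ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup",
}


def current_signature(sig):
    """Return (current_name, was_old_name) for an alert signature."""
    for old, new in RENAMED_RULES.items():
        if sig.startswith(old):
            return new + sig[len(old):], True
    return sig, False


def triage_eve_alerts(lines):
    """Count EVE JSON alerts under current rule names.

    Returns (counts_by_current_signature, sensors_still_on_old_names).
    Non-alert events are skipped; sensor name comes from the 'host' field.
    """
    counts, stale_sensors = Counter(), set()
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue
        name, was_old = current_signature(event["alert"]["signature"])
        counts[name] += 1
        if was_old:  # this sensor has not picked up the renamed ruleset yet
            stale_sensors.add(event.get("host", "unknown-sensor"))
    return counts, stale_sensors


# Constructed sample: sensor-a runs the renamed rules, sensor-b does not.
SAMPLE_ALERTS = [
    '{"event_type":"alert","host":"sensor-a","alert":{"signature":"ET EXPLOIT_KIT Malicious TA2726 TDS Domain (constructed .example)"}}',
    '{"event_type":"alert","host":"sensor-b","alert":{"signature":"ET MALWARE SocGholish Domain in DNS Lookup (constructed .example)"}}',
    '{"event_type":"alert","host":"sensor-b","alert":{"signature":"ET MALWARE SocGholish CnC Domain in DNS Lookup (constructed .example)"}}',
    '{"event_type":"dns","host":"sensor-a","dns":{"rrname":"constructed.example"}}',
]

if __name__ == "__main__":
    counts, stale = triage_eve_alerts(SAMPLE_ALERTS)
    for sig, n in counts.items():
        print(n, sig)
    print("sensors still on old rule names:", sorted(stale))
```

Any sensor listed as stale is running a pre-rename ruleset and should be updated before its alert counts are compared with the rest of the fleet.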
More about Web Injector Threat Landscape:
SocGholish is a term closely associated with web injector activity, but it does not describe the malicious web injector landscape altogether. Emerging Threats would like to reflect Proofpoint's granular understanding of the threat actors and payloads involved in this landscape by naming our rules accordingly.
More about TA2726 and TA2727
Proofpoint researchers recently designated two new threat actors, TA2726 and TA2727. These are traffic sellers and malware distributors, and they have been observed in multiple web-based attack chains such as compromised website campaigns, including those using fake update themed lures. They are not email-based threat actors; the activity observed in email campaign data is related to legitimate but compromised websites.
Notably, TA2727 was recently observed delivering a new information stealer for Mac computers alongside malware for Windows and Android hosts. Proofpoint researchers dubbed this FrigidStealer.
Proofpoint is reassessing existing activity related to TA569 and its previous reporting, and assesses with high confidence that TA2726 acts as a traffic distribution service (TDS) for TA569 and TA2727.
More about TA569
The threat actor associated with the SocGholish inject and Gholoader malware uses fake update themed lures. The actor can either inject their own code directly on compromised websites or use a TDS like TA2726 to serve their inject.