It has been observed that threat actors behind Socgholish malware leverage traffic delivery systems (TDSSs) such as Parrot TDS and Keitaro TDS to filter and redirect unsuspecting users to rough content.
“The core of their operations is the malware as a service (MAAS) model, with infected systems being sold as early access points to other cybercrime organisations,” Silent Push said in the analysis.
Socgholish, also known as FakeUpdates, is a JavaScript loader malware distributed through compromised websites by assuming deceptive updates of web browsers such as Google Chrome and Mozilla Firefox, as well as other software such as Adobe Flash Player and Microsoft Teams as deceptive updates. This is due to a threat actor called Ta569, also tracked as Gold Prelude, Mustard Tempest, Purple Vallhund, and UNC1543.
The attack chain involves deploying Socgholish to establish early access and brokers that have compromised system access to a variety of customers, including Evil Corp (aka Dev-0243), Lockbit, Dridex, and Raspberry Robin (aka Roshtyak). Interestingly, recent campaigns have used Raspberry Robin as a distribution vector for Socgholish.
“Socgholish infections usually come from compromised websites that have been infected in a variety of ways,” says Silent Push. “Infection on a website involves direct injections, in this case you inject JS via a version of direct injection that loads the associated injections using JS loaded directly from the infected webpage or the associated JS file.”
In addition to redirecting to a Socgholish domain through compromised websites, another main source of traffic is to use third-party TDSs such as Parrot TD and Keitaro TDS to perform extensive fingerprints of site visitors, perform specific pre-specifications, deploy web traffic, then direct the web traffic to the landing page to determine whether it is of interest based on a specific defined criteria.
Keitaro TDS has long been involved in threat activities beyond fraud and fraud to provide more sophisticated malware, including exploit kits, loaders, ransomware, and Russian impact operations. Last year, Infoblox revealed that Vextrio’s partner Socgholish redirected the victim to Vextrio’s TDSE using Keirolo.
“Keitaro also has many legitimate applications, so organizations can consider this in their own policies, but blocking traffic through services without generating excessive false positives is often difficult or impossible,” Proofpoint said in 2019.
Keitaro TDS is believed to be connected to the TA2726, which acts as a traffic provider for both Socgholish and TA2727 by breaching the website, injecting the Keitaro TDS link and selling it to customers.
“Intermediate C2″ [command-and-control] The framework dynamically generates payloads that victims download at runtime,” Silent Push noted.
“It is essential to note that across the execution framework, from the initial Socgholish Injection to Windows Implant’s on-device execution, the entire process is continuously tracked by Socgholish’s C2 framework. At any time, if the framework decides that a given victim is “not legal and stops serving payments.”
Cybersecurity companies also rated that there may be former members involved in Dridex, Raspberry Robin and Sokolish, given the overlapping nature of the observed campaign.
The development has detailed the updated version of Raspberry Robin, featuring improved obfuscation methods, changes to the network communications process, pointing to intentionally corrupted TOR C2 domains, avoiding detection and hampering reverse engineering efforts.
“The network encryption algorithm has been changed from AES (CTR mode) to Chacha-20,” the company said. “Raspberry Robin has added a new Local Privilege Escalation (LPE) exploit (CVE-2024-38196) to increase privileges on the target system.”
This disclosure continues with the evolution of Darkcloud Stealer Attack, which provides a Confuserex protected version of Stealer Payload written in Visual Basic 6, which uses phishing emails to launch and run using a technique called Process Hollowing.
“Darkcloud Stealer is typical of the evolution of cyber threats and leverages obfuscation techniques and complex payload structures to avoid traditional detection mechanisms,” Unit 42 said. “The changes in delivery methods observed in April 2025 indicate an evolving evasion strategy.”
Source link
