October 31, 2022 by Joseph Acosta

A Tale of Ghoulish Malware: Detecting an Early-Stage SocGholish Attack

Like 1 Views 6074 [analytify-stats metrics="ga:pageviews" permission_view=""]

Industries: 9-1-1 & Law Enforcement Education Energy Industries Federal Fire & EMS Hospitality Manufacturing Transportation & Logistics

Topics: Cybersecurity

When it comes to mission-critical systems, public safety agencies can’t afford any disruptions or downtime from cyber threats like malware. The faster you can find indicators of compromise (IOCs), the sooner you can take steps to prevent attacks from spreading and limit potential damages.

Since it’s Halloween, we thought it was the perfect time to share a spine-tingling case in which Motorola Solutions’ Security Operations Center (SOC) team detected and shut down an early stage SocGholish attack. It also illustrates the capabilities of our Managed Detection and Response services.

What Is SocGholish? 

In simple terms, SocGholish is a type of malware. It can also be described as a collection of Javascript tools used to extract sensitive data — and some security researchers have posited that it could even potentially be a platform of scripts and servers managed by a criminal group. The “Soc” refers to social engineering techniques that SocGholish operators commonly use to prey on their victims by hosting malicious websites that claim to provide critical web browser or software updates. 

When someone visits a compromised website, it redirects them to a page that looks like a legitimate website. It’s designed to trick them into downloading and installing a fake update. But it isn’t actually an update at all: it’s the first step in what can be a scary situation. Let’s take a deeper look now at how this attack happens.

How Does a SocGholish Attack Work?

Once an unsuspecting victim downloads and opens the .zip file that allegedly has the update, it will execute malicious JavaScript code. The JavaScript then automatically reaches out to a command and control server — a computer that attackers use to send commands to systems compromised by malware — to trigger a download of its second stage payload. 

This enables the attackers to establish and maintain a foothold, also referred to as persistence, to carry out reconnaissance activities. The second stage payload can include malware variants that give the threat actor or cyber criminals even more control over the victim’s device. Researchers have even seen SocGholish infections using Cobalt Strike to deliver ransomware.

How Did We Detect an Early-Stage SocGholish Attack?

Now let’s dive into a bit more technical detail of how we detected this particular attack before it could do any damage. 

The Advanced Threats and Research team in our SOC investigated SocGholish in a sandbox environment to fully understand how it behaves, and how it infects victims. Armed with this information, the team then went threat hunting to look for indicators of it within customer networks.

To detect SocGholish activity, we looked for a Windows script host, loading a JavaScript code library, with a parent process of an archiving tool (Explorer, 7zip, Winrar), executing from the user’s “/temp” directory. Once we filtered out all the benign events, it was clear that the remaining results that were attempting to make network connections were extremely suspicious.

SocGholish Attack

SocGholish Attack

The following is an example of a detection rule we created that can be used to help find this attack:

SocGholish Attack

Fortunately, the SOC team spotted the attack before the network connection to the malicious domain could succeed. The infected device was immediately quarantined, and additional counter measures were applied to make sure the threat was contained. 

What Is the Potential Impact to PSAPs and LMR?

Although the ActiveEye SOC and other security researchers haven’t necessarily seen any indications that SocGholish is targeting specific industries or organizations, we encourage our customers to stay diligent about prevention and detection. Other threat actors are reportedly using SocGholish as an initial access broker (IAB) to get access into networks, at times even compromising an organization’s own website to infect employees with a drive-by download mechanism to install malware.

According to Motorola Solutions’ 2021 Cyber Threats to Public Safety: Criminal Operations report, IABs were prolific in 2021, and IABs selling either verified or likely legitimate access into emergency service environments represented 16 percent of all attacks. 

In addition, IABs may be more inclined to target public safety agencies because of the higher costs they can charge for critical infrastructure access. Public Safety Answering Points (PSAPs) provide an enticing target for cyber criminals who wish to interfere with 9-1-1 call handling and dispatch. Land Mobile Radio (LMR) systems, used by the overwhelming majority of public safety agencies across the country, have become more susceptible to cyber attacks through increased integration with other systems, as the Cybersecurity and Infrastructure Security Agency (CISA) noted in a recently published guide for LMR security

For both of these mission-critical networks, it is vitally important to have the ability to detect and stop these increasingly sophisticated attacks. PSAPs and agencies should ensure they have 24/7 monitoring in place for both their mission-critical systems and IT networks to spot any abnormal activities. A comprehensive cyber incident response and disaster recovery plan that’s regularly tested is another must-have in today’s environment. 


You don’t have to be a clairvoyant to understand that SocGholish is no treat for IT and security teams. The dangers it presents are very real, as malware infections can lead to disabled devices, data breaches, disruptions to communications and even downtime — all of which can cost precious minutes in the moments that matter. 

For agencies and organizations without the staff to support 24/7 cybersecurity operations, or to research attacks in depth, a Managed Detection and Response (MDR) service provider like Motorola Solutions can help you better defend against SocGholish and similar threats. Every day, our Advanced Threats and Research team monitors dozens of threat intelligence sources, as well as millions of security alerts from a wide range of public safety and enterprise customers, to identify new attack techniques and emerging risks. 

While there’s no magic spell to avoid cyber threats, engaging a 24/7 SOC with the experience and skillset to monitor and manage sophisticated Endpoint Detection and Response (EDR) tools and detect and shut them down on your behalf can make all the difference when it comes to fighting the evils that lurk when cyber criminals attack your organization. 

Contact us today to find out how our ActiveEye security management platform and 24/7 SOC can help you defend against threats.

Contact us to find out more about our solutions and services.

Contact Us

Leave a Comment