Threat actors linked to the RomCom group have been observed using the SocGholish JavaScript loader to deliver the Mythic Agent to a US-based civil engineering company. This event marks the first time that a RomCom payload distributed through SocGholish has been detected.

The attack has been attributed with medium-high confidence to Unit 29155 of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). The targeted entity is a company that had previously worked for a city with close ties to Ukraine.

The RomCom Alliance and SocGholish

RomCom (also known as Nebulous Mantis, Storm-0978, Tropical Scorpius or UNC2596) is a Russian-aligned threat actor, active since at least 2022, that combines cybercrime and espionage operations. The group is known for using spear-phishing and zero-day exploits to infiltrate networks and deploy its eponymous Remote Access Trojan (RAT). Its primary targets are entities in Ukraine and NATO-related defense organizations.

SocGholish (also known as FakeUpdates or TA569) is a financially motivated initial access broker. Its attack method is based on serving fake browser update alerts (Google Chrome or Mozilla Firefox) on legitimate but compromised websites. A user who accepts the fake update downloads a loader that subsequently installs additional malware. SocGholish is used by other high-profile threat actors including Evil Corp, LockBit, Dridex, and Raspberry Robin.

The Chain of Infection

The infection chain analyzed by Arctic Wolf Labs revealed the following steps:

  1. Initial Compromise: The actor exploits known vulnerabilities in website plugins to inject malicious JavaScript code into poorly protected websites.
  2. User Attraction: The JavaScript code displays a fake browser update alert to trick the user into downloading the SocGholish loader.
  3. Payload Delivery: Once the SocGholish loader runs on the compromised machine, it establishes a reverse shell with a command and control (C2) server.
  4. Mythic Agent deployment: Through the reverse shell, the attackers execute commands to perform reconnaissance tasks and deploy a custom Python backdoor called VIPERTUNNEL. A RomCom-linked DLL loader is also deployed, which starts the Mythic Agent.
  5. Reconnaissance and C2: The Mythic Agent, the implant of a cross-platform post-exploitation framework, allows the attackers to execute commands, perform file operations, and maintain persistence.

Target Check and Attack Speed

Analysis of the incident highlighted that the delivery of the RomCom payload does not occur immediately after the initial infection. The process includes a check of the victim’s Active Directory domain to confirm that it matches a value preset by the threat actor.

Although the attack was blocked before it could progress significantly, the incident underscores the RomCom actor’s continued interest in attacking Ukraine-related entities, even if the connection is indirect. The speed of the attack, with less than 30 minutes from initial infection to delivery of the RomCom loader, demonstrates the potency of SocGholish as a threat to organizations globally.
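The chain above (loader execution, reverse shell, Active Directory domain check, DLL loader) and the under-30-minute timing suggest a simple sequence correlation for defenders. The following is an added example, not code from Arctic Wolf Labs or the original article: it assumes endpoint telemetry has already been normalised into constructed, labelled stage events per host, and flags hosts where the stages occur in order within a 30-minute window of the first one.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Stage labels are assumed normalisations of EDR/Sysmon telemetry (not field
# names from any product), ordered as in the infection chain described above.
CHAIN = ["fake_update_js_exec", "reverse_shell_c2", "ad_domain_check", "dll_loader_exec"]
WINDOW = timedelta(minutes=30)  # the article reports under 30 minutes end to end

# Constructed sample log: "<iso timestamp> <host> <stage>"
SAMPLE_LOG = """\
2024-01-01T09:00:00 ws-eng-07 fake_update_js_exec
2024-01-01T09:03:10 ws-eng-07 reverse_shell_c2
2024-01-01T09:11:45 ws-eng-07 ad_domain_check
2024-01-01T09:25:30 ws-eng-07 dll_loader_exec
2024-01-01T10:00:00 ws-hr-02 fake_update_js_exec
2024-01-01T10:02:00 ws-hr-02 reverse_shell_c2
2024-01-01T13:00:00 ws-hr-02 ad_domain_check
"""

@dataclass
class Event:
    ts: datetime
    host: str
    stage: str

def parse_line(line: str) -> Event:
    ts, host, stage = line.split()
    return Event(datetime.fromisoformat(ts), host, stage)

def correlate(events):
    """Return {host: (stages_reached, seconds_from_first_stage)} for hosts that
    progressed through at least two chain stages in order within WINDOW."""
    per_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.stage not in CHAIN:
            continue
        st = per_host.setdefault(ev.host, {"start": None, "idx": 0, "last": None})
        if ev.stage == CHAIN[0]:
            # a new fake-update execution restarts the clock for this host
            st.update(start=ev.ts, idx=1, last=ev.ts)
        elif (st["start"] is not None and st["idx"] < len(CHAIN)
              and ev.stage == CHAIN[st["idx"]] and ev.ts - st["start"] <= WINDOW):
            st["idx"] += 1
            st["last"] = ev.ts
    return {h: (CHAIN[:s["idx"]], int((s["last"] - s["start"]).total_seconds()))
            for h, s in per_host.items() if s["idx"] >= 2}

def detect_chain(log_text: str):
    return correlate(parse_line(l) for l in log_text.splitlines() if l.strip())
```

In the sample, ws-eng-07 completes all four stages in 25.5 minutes, while ws-hr-02's domain check arrives three hours later and is not credited to the chain.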

Conclusion

The collaboration between the access broker SocGholish and the espionage group RomCom illustrates an evolving tactic in malware distribution. The speed of initial infection and target verification demonstrates the sophistication of current campaigns. Organizations should be alert to SocGholish TTPs, which target vulnerabilities in website plugins, and to the persistent threat posed by groups like RomCom.