Ransomware

SocGholish spreads ransomware via weaponized software updates


Malicious software updates have been used by the SocGholish malware-as-a-service platform, also known as FakeUpdates, to deliver ransomware and other information-stealing payloads, reports HackRead. After initially compromising vulnerable WordPress sites and covertly creating illicit subdomains on trusted websites, TA569, the group that operates SocGholish, uses traffic distribution systems to filter victims before acting as an initial access broker for other threat operations, according to findings from Trustwave SpiderLabs.

Attacks in which SocGholish distributed RansomHub ransomware via malicious Google Ads spoofing the HR portal of Kaiser Permanente resulted in the compromise of Rite Aid and Change Healthcare, the researchers said; they also noted Russian state-backed use of SocGholish to deploy the Raspberry Robin worm. Other payloads delivered via SocGholish included LockBit ransomware, AsyncRAT and other remote access trojans, and several infostealing backdoors. Together, these findings highlight the significant threat posed by SocGholish.
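The delivery chain described above starts with script injected into compromised WordPress pages, often loading from a newly created subdomain of an otherwise reputable domain. The following is an added defender-side example, not code from Trustwave SpiderLabs, HackRead or SC Media: it scans a site's rendered HTML for `<script src>` hosts that are not on an exact-match allowlist. All hostnames and sample pages are constructed for the example, and it assumes the defender maintains the allowlist of script hosts their own site is expected to load.

```python
import re
from urllib.parse import urlparse

# Hostname the scanned site legitimately serves from, plus the exact script
# hosts its pages are expected to load. All names here are constructed.
SITE_HOST = "www.example-blog.test"
KNOWN_SCRIPT_HOSTS = {
    SITE_HOST,
    "cdn.example-blog.test",
    "www.googletagmanager.com",
}

# Constructed sample pages: one clean, one with an injected third-party
# script whose host is a new subdomain of an otherwise reputable domain.
CLEAN_PAGE = """<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head><body>Welcome</body></html>"""

INJECTED_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="//news.reputable-site.test/assets/loader.js" async></script>
<script src="https://cdn.example-blog.test/theme.js"></script>
</head><body>Welcome</body></html>"""

# Matches the src attribute of each <script> tag (single or double quoted).
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)


def script_hosts(html, site_host=SITE_HOST):
    """Return the hostname each <script src> in the page resolves to.

    Relative paths resolve to the site itself; protocol-relative URLs
    (//host/path) are given an explicit scheme so urlparse keeps the host.
    """
    hosts = []
    for src in SCRIPT_SRC_RE.findall(html):
        if src.startswith("//"):
            src = "https:" + src
        parsed = urlparse(src)
        hosts.append(parsed.hostname.lower() if parsed.hostname else site_host)
    return hosts


def find_unknown_script_hosts(html, known=KNOWN_SCRIPT_HOSTS, site_host=SITE_HOST):
    """Hosts the page loads scripts from that are not on the exact allowlist.

    Exact matching is deliberate: a suffix check such as
    host.endswith("reputable-site.test") would wave through a subdomain
    that an attacker created on a trusted domain.
    """
    return sorted({h for h in script_hosts(html, site_host) if h not in known})


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, find_unknown_script_hosts(page))
```

Run this against periodic fetches of your own site's pages and alert on any non-empty result; the exact-host allowlist is the point, because a wildcard on a trusted domain would not catch the illicit subdomains the report describes.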
