ET MALWARE SocGholish Domain in TLS SNI (ghost . 8. rules) 2043158 - ET MALWARE SocGholish Domain in DNS Lookup (canonical . rules) Summary: 2 new OPEN, 4 new PRO (2 + 2) Added rules: Open: 2047650 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* . taxes. The sendStatistics function is interesting, it creates a variable i of type Image and sets the src to the stage2 with the argument appended to it. Deep Malware Analysis - Joe Sandbox Analysis ReportDNS Lookups Explained. These cases highlight. gay) (malware. Summary: 4 new OPEN, 6 new PRO (4 + 2) Thanks @g0njxa, @Jane_0sint Added rules: Open: 2046302 - ET PHISHING Known Phishing Related Domain in DNS Lookup (schseels . rules) 2852843 - ETPRO PHISHING Successful Generic Phish 2022-11-22 (phishing. excluded . 2039831 - ET MALWARE SocGholish Domain in DNS Lookup (montage . rpacx[. If the target is domain joined, ransomware, including but not limited to WastedLocker, Hive, and LockBit, is commonly deployed according to a variety of incident response journals. akibacreative . 2044028 - ET MALWARE ConnectWise ScreenConnect Payload Delivery Domain (win01 . But in recent variants, this siteurl comment has since been removed. com) (malware. rules) 2049119 - ET EXPLOIT D-Link DSL-…. Summary: 3 new OPEN, 6 new PRO (3 + 3) Thanks @travisbgreen Added rules: Open: 2047862 - ET WEB_SPECIFIC_APPS Openfire Authentication Bypass With RCE (CVE-2023-32315) (web_specific_apps. Just like many other protocols themselves, malware leverages DNS in many ways. The attackers leveraged malvertising and SEO poisoning techniques to inject. com) 3936. Summary: 4 new OPEN, 6 new PRO (4 + 2) Thanks @g0njxa, @Jane_0sint Added rules: Open: 2046302 - ET PHISHING Known Phishing Related Domain in DNS Lookup (schseels . Nicholas Catholic School is located in , . Kokbot. novelty . ET INFO Observed ZeroSSL SSL/TLS Certificate. rules)2042955 - ET MALWARE SocGholish Domain in DNS Lookup (brooklands . Summary. 7 - Destination IP: 8. No debug info. 
rules) 2044958 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (jquery01 . GootLoader: The Capable First-Stage Downloader GootLoader, active since late 2020, can deliver a. SocGholish is the name of a newly identified toolkit used by cybercriminals. Added rules: Open: 2044680 - ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload. The BLISTER and SocGholish malware families were used to deliver malware onto systems including LockBit ransomware as the final payload. com) (malware. K. SocGholish contains code to gather information on the victim’s computer, including whether or not it is a part of a wider network, before delivering a malicious payload. solqueen . exe" AND CommandLine=~"wscript. Domain shadowing allows the SocGholish operators to abuse the benign reputations of the compromised domains and make detection more difcult. fl2wealth . Summary: 10 new OPEN, 10 new PRO (10 + 0) Thanks @Fortinet, @Jane_0sint, @sekoia_io Added rules: Open: 2046690 - ET MALWARE WinGo/PSW. mathgeniusacademy . com) (malware. iglesiaelarca . URLs caused by Firefox. The first is. 223 – 77980. photo . ID Name References. rules) 1. The code is loaded from one of the several domains impersonating. exe” with its supporting files saved under the %Appdata% directory, after which “whost. "| where InitiatingProcessCommandLine == "Explorer. FakeUpdates) malware incidents. Post Infection: First Attack. 4. Crimeware. rules) 2044959 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (jquery-bin . New one appeared today - Snort blocked a DNS request from pihole with rule number 2044844, "ET TROJAN SocGholish Domain in DNS Lookup (unit4 . dianatokaji . com) (malware. ]net belongs to a legitimate website that has been hacked and where an iframe from chrom-update[. These opportunistic attacks make it. 
netpickstrading . iexplore. com)" Could this be another false positive? Seems fairly specific like a host was trying to phone home. rules)SocGholish is typically distributed through URLs that appear legitimate and are often included in benign automated emails or shared between users. novelty . SocGholish Becomes a Fan of Watering Holes. The SocGholish campaign is suspected to be linked to the Russian threat actor known as “Evil Corp”. 3stepsprofit . rules) 2043993 - ET MALWARE Observed DNS Query to IcedID Domain (nomaeradiur . everyadpaysmefirst . betting . SOCGHOLISH. com) (malware. rules) 2039752 - ET MALWARE SocGholish CnC Domain in DNS Lookup (campaign . rules) Summary: 31 new OPEN, 31 new PRO (31 + 0) Thanks @bizone_en, @travisbgreen Added rules: Open: 2047945 - ET MALWARE Win32/Bumblebee Loader Checkin Activity (set) (malware. firstmillionaires . The Proofpoint Emerging Threats team has developed effective prevention strategies for TA569 and SocGholish infections. rules) 2044844 - ET MALWARE SocGholish Domain in DNS Lookup (unit4 . bi. Fakeapp. ET TROJAN SocGholish Domain in DNS Lookup (unit4 . RogueRaticate/FakeSG, a newer threat, injects obfuscated JavaScript code into stage 1 websites and uses Keitaro TDS for payload delivery. That is to say, it is not exclusive to WastedLocker. End goal by the end of the year is to develop a rudimentary obfuscation detection and JavaScript deobfuscator specific for SOCGholish. The emergence of BLISTER malware as a follow-on payload (more on that below) may be related to this rise, and the 1. onion Proxy Service SSL Cert (2) (policy. svchost. Summary: 41 new OPEN, 49 new PRO (41 + 8) Thanks @Doctor_Web, @Trustwave, @rmceoin, @_tweedge The Emerging Threats mailing list is migrating to Discourse. rules) 2047059 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (chestedband . The file names do resemble a SocGholish fakeupdate for Chrome browser campaign and infection so let’s analyze them. 
It writes the payloads to disk prior to launching them. Left unchecked, SocGholish may lead to domain discovery. ET INFO Observed ZeroSSL SSL/TLS Certificate. update' or 'chrome. 2045621 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (deeptrickday . Changes include an increase in the quantity of injection. Beyond the reconnaissance stage, Black Basta attempts local and domain level privilege escalation through a variety of exploits. I’ve seen the “Fake Updates” or SocGholish breed of malware both at work and during personal research, so I decided to begin here. net <commands> (commands to find targets on the domain) Lateral Movement: jump psexec (Run service EXE on remote host) jump psexec_psh (Run a PowerShell one-liner on remote host via a service) jump winrm (Run a PowerShell script via WinRM on remote host) remote-exec <any of the above> (Run a single command using. rules) Modified inactive rules: 2003604 - ET POLICY Baidu. CN. Please visit us at We will announce the mailing list retirement date in the near future. This type of behavior is often a precursor to ransomware activity and should be quickly quelled to prevent further. teamupnetwork . However, the registrar's DNS is often slow and inadequate for business use. 1. This is represented in a string of labels listed from right to left and separated by dots. d37fc6. Eventing Sources: winlogbeat-* logs-endpoint. 3stepsprofit . rules) 2043005 - ET MALWARE SocGholish Domain in DNS Lookup (exclusive . org) (malware. rules) 2047946 - ET MALWARE Win32/Bumblebee Lo…. nodirtyelectricity . CCM CnC Domain in DNS Lookup. js and the domain name’s deobfuscated form. rules)2049261 - ET INFO File Sharing Service Domain in DNS Lookup (ufile . tropipackfood . Detecting deception with Google’s new ZIP domains . com). xyz) Source: et/open. Proofpoint typically attributes SocGholish campaigns to a threat actor known as TA569. 
Potential SocGholish C2 activity can be identified with the following domain patterns observed during various investigations: [8 random hex. K. Third stage: phone home. Got Parrable domain alarms and SOCGholish DNS Requests very roughly around the same time. To improve DNS resolution speed, use a specialized DNS provider with a global network of servers, such as Cloudflare, Google, and OpenDNS. com) (malware. rules) 2046301 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* . Summary: 1 new OPEN, 10 new PRO (1 + 9) SocGholish, Various Android Mobile Malware, Phishing, and Silence Downloader Please share issues, feedback, and requests at Feedback Added rules: Open: 2039766 - ET MALWARE SocGholish CnC Domain in DNS Lookup (rate . 75 KB. The actor email addresses used can differ, and the domain names include the following (in most- to least-used order): PROTONMAIL. siliconvalleyga . The “SocGholish” (aka FakeUpdates) malware distribution framework has presented a gripping tale of intrigue and suspense for ReliaQuest this year. Cobalt Strike, a mainstay of the top five spots every month this year, curiously dropped all the way down to the twelfth spot. 2045884 - ET EXPLOIT_KIT Observed Balada TDS Domain (scriptsplatform . Conclusion. Typically, it prompts a fake update through malicious sites and makes the user download a Zip file or similar that contains malware. Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report. SocGholish (aka FakeUpdates) is a JavaScript-based malware that masquerades as a legitimate browser update delivered to victims via compromised websites. majesticpg . signing . rules) Pro: 2854655 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware. SocGholish Diversifies and Expands Its Malware Staging Infrastructure. rules) 2044030 - ET MALWARE SocGholish Domain in DNS Lookup (smiles . In the past few months Proofpoint researchers have observed changes in the tactics, techniques, and procedures (TTPs) employed by TA569. judyfay . S. 
rules) 2043007 - ET MALWARE SocGholish Domain in DNS Lookup (internship . SocGholish establishes an initial foothold onto victim networks that threat actors use for further targeting with ransomware. rules)Disabled and modified rules: 2025019 - ET MALWARE Possible NanoCore C2 60B (malware. Recently, it was observed that the infection also used the LockBit ransomware. 2049261 - ET INFO File Sharing Service Domain in DNS Lookup (ufile . rules) Pro:Since the webhostking[. rules) 2046952 - ET INFO DYNAMIC_DNS HTTP Request to a *. rules) 2852836 - ETPRO MALWARE Win32/Remcos RAT Checkin 851 (malware. SocGholish uses social engineering to prompt Internet users to download fraudulent browser or system upgrades. ]com (SocGholish stage. Figure 19: SocGholish Stage_3: Payload Execution and C2 Figure 20: SocGholish Stage_4: Follow On. Please visit us at We will announce the mailing list retirement date in the near future. _Endpoint, created_at 2022_12_27, deployment Perimeter, deprecation_reason Age, former_category MALWARE, malware_family SocGholish, confidence High, signature_severity Major, updated_at 2022_12_27;). sg) in DNS Lookup (malware. rules)Summary: 32 new OPEN, 33 new PRO (32 + 1) Thanks @Cyber0verload, @nextronsystems, @eclecticiq, @kk_onstantin, @DCSO_CyTec Added rules: Open: 2046071 - ET INFO Observed Google DNS over HTTPS Domain (dns . Summary: 1 new OPEN, 10 new PRO (1 + 9) SocGholish, Various Android Mobile Malware, Phishing, and Silence Downloader Please share issues, feedback, and requests at Feedback Added rules: Open: 2039766 - ET MALWARE SocGholish CnC Domain in DNS Lookup (rate . As you can see today, we are moving our #SocGholish DNS signatures to ET Open to make them available to more of the community. deltavis . ET MALWARE SocGholish Domain in DNS Lookup (ghost . UPDATE June 30: Further investigation by Symantec has confirmed dozens of U. SocGholish (also known as FAKEUPDATE) is malware. com) (malware. 
rules) Pro: 2854442 - ETPRO MALWARE Kimsuky APT Related Activity (malware. 8Summary: 10 new OPEN, 21 new PRO (10 + 11) The Emerging Threats mailing list is migrating to Discourse. Follow the steps in the removal wizard. exe. Initial access brokers use tools like NetSupport RAT to gather information and perform additional actions on victims of interest. SocGholish. last edited by thawee . 2044846 - ET MALWARE SocGholish Domain in DNS Lookup (life . NET methods, and LDAP. 2049266 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* . The beacon used covert communication channels with a technique called Domain Fronting. We should note that SocGholish used to retrieve media files from separate web. The first is. com) - Source IP: 192. The payload has been seen dropping NetSupport RAT in some cases and in others dropping Cobalt Strike. topleveldomain To overcome this issue, CryptoLocker uses the C&C register’s random-looking domain names at a rather high rate. rules) Summary: 12 new OPEN, 14 new PRO (12 + 2) Thanks @X1r0z Added rules: Open: 2049045 - ET EXPLOIT Apache ActiveMQ Remote Code Execution Attempt (CVE-2023-46604) (exploit. Investigations into the SOCGholish campaign! End goal by the end of the year is to develop a rudimentary obfuscation detection and JavaScript deobfuscator specific for SOCGholish. 101. ”. Added rules: Open: 2045069 - ET MALWARE Observed DNSQuery to TA444 Domain (altair-vc . com) for some time using the domain parking program of Bodis LLC,. transversalbranding . The sinkhole can be used to change the flow to malicious URLs by entering the fake entry in the DNS. fa CnC Domain in DNS Lookup (mobile_malware. workout . tauetaepsilon . rules) 2045885 - ET ATTACK_RESPONSE Mana Tools-Lone Wolf Admin Panel Inbound (attack_response. SocGholish ushers in the third stage. 2043000 - ET MALWARE SocGholish Domain in DNS Lookup (navyseal . rules) 2047864 -. 
rules)The NJCCIC has received reports of SocGholish malware using social engineering tactics, dependent upon geolocation, operating system, and browser. me (policy. "The file observed being delivered to victims is a remote access tool. com) (malware. (T1087), Domain Trust Discovery (T1482), File and Directory Discovery (T1083), Network Share Discovery (T1135), Process Discovery (T1057), Remote System. exe. 0, we have seen infections occur down the chain from other malware components as well, such as a SocGholish infection dropping Cobalt Strike, which in turn delivers the LockBit 3 ransomware. S. SocGholish is known for its use of #socialengineering techniques to trick victims into downloading and executing malware. We think that's why Fortinet has it marked as malicious. Domain Accounts: At (Linux) Logon Script (Windows) Logon Script (Windows) Obfuscated Files or Information: Security Account Manager: Query Registry:↑ Fakeupdates – Fakeupdates (AKA SocGholish) is a downloader written in JavaScript. FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. 00663v1 [cs. com) (malware. SocGholish may lead to domain discovery. rules)The compromised infrastructure of an undisclosed media company is being used by threat actors to deploy the SocGholish JavaScript malware framework (also known as FakeUpdates) on the websites of. rules) Pro: Summary: 29 new OPEN, 33 new PRO (29 + 4) Thanks @malPileDriver, @suyog41, @0xToxin, @James_inthe_box, @1ZRR4H, @ShadowChasing1 The Emerging Threats mailing list is migrating to Discourse. COMET MALWARE SocGholish CnC Domain in DNS Lookup (* . rules) Pro: 2854533 - ETPRO INFO Observed Abused CDN Domain in DNS Lookup (info. The first school in Alberta was. univisuo . 2045622 - ET MALWARE SocGholish Domain in DNS Lookup (backroom . seattlemysterylovers . Come and Explore St. 
From ProofPoint: As informed earlier we had raised a case with Proofpoint to reconsider the domain as the emails have been quarantined. com) (malware. For a brief explanation of the rules, the "ET MALWARE SocGholish Domain in DNS Lookup" rules are for DNS queries to the stage 2 shadowed domains. In addition to script. The SocGholish toolset has been observed in use with a plethora of malware campaigns since 2018. 168. Conclusion. xyz) Source: et/open. We follow the client DNS query as it is processed by the various DNS servers in the. 168. rules) 2045886 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns . Zloader infection starts by masquerading as a popular application such as TeamViewer. I tried to model this based on a KQL query, but I suspect I've not done this right at all. These cases highlight. exe. beyoudcor . NOTES: - At first, I thought this was the "SocGholish" campaign, but @SquiblydooBlog and others have corrected my original assessment. ClearFake C2 domains. In contrast, TA569, also known as SocGholish, remained the most effective threat actor in financial services. Please share issues, feedback, and requests at Feedback Added rules: Open: 2038930 - ET EXPLOIT Atlassian Bitbucket CVE-2022-36804 Exploit Attempt (exploit. rules) Pro: 2854628 - ETPRO PHISHING Successful ScotiaBank Credential Phish 2023-06-15 (phishing. Proofpoint first tweeted about SocGholish attacks on November 2, disclosing that the malware has infected over 250 U. You may opt to simply delete the quarantined files. AndroidOS. com) (malware. Indicators of Compromise SocGholish: Static Stage 1: 2047662 - ET MALWARE SocGholish CnC Domain in TLS SNI (* . 8. The file names do resemble a SocGholish fakeupdate for Chrome browser campaign and infection so let’s analyze them. 
In this particular case, the infected sites’ appearances are altered by a campaign called FakeUpdate (also known as SocGholish), which uses JavaScript to display fake notices for users to update their browser, offering an update file for download. Supply employees with trusted local or remote sites for software updates. rules) Pro: 2852982 - ETPRO PHISHING Twitter Phish Landing Page 2022-12-23 (phishing. 2047975 - ET MALWARE SocGholish Domain in TLS SNI (ghost . rules) 2048125 - ET INFO Kickidler. store) (malware. 192/26. 2039780 - ET MALWARE SocGholish Domain in DNS Lookup (community. rules)2042993 - ET MALWARE SocGholish Domain in DNS Lookup (governing . As such, a useful behavioral analytic for detecting SocGholish might look like the following: process == 'wscript. Scan your computer with your Trend Micro product to delete files detected as Trojan. A recent exception to the use of domain shadowing is a second-stage server hosted on the Amazon Web Services domain d2j09sa r75 l[ . shrubs . Here below, we have mentioned all the malware loaders that were unveiled recently by the cybersecurity experts at ReliaQuest:-. Conclusion. rules) Pro: 2855076 - ETPRO MALWARE Suspected Pen Testing Related Domain in DNS Lookup (malware. This search looks for the execution of with command-line arguments utilized to query for Domain Trust information. cockroachracing . First, click the Start Menu on your Windows PC. com) (malware. xyz) in DNS Lookup (malware. Domain trusts can be enumerated using the DSEnumerateDomainTrusts () Win32 API call, . 8Got Parrable domain alarms and SOCGholish DNS Requests very roughly around the same time; Checked page Source on Parrable[. Summary: 11 new OPEN, 11 new PRO (11 + 0) Thanks @AnFam17, @travisbgreen Added rules: Open: 2046861 - ET MALWARE Kaiten User Agent (malware. Deep Malware Analysis - Joe Sandbox Analysis Report. Mon 28 Aug 2023 // 16:30 UTC. 
Data such as domain trusts, username, and computer name are exfiltrated to the attacker-controlled infrastructure. rules) 2044847 - ET MALWARE TA569 TDS Domain in DNS Lookup (xjquery . rules) 2046174 - ET MALWARE SocGholish Domain in DNS Lookup (roadmap . 4tosocialprofessional . exe. rules) Summary: 19 new OPEN, 19 new PRO (19 + 0) Thanks @naumovax, @Jane_0sint Added rules: Open: 2048124 - ET PHISHING Generic Phishing - Successful Landing Interaction (phishing. nodes . com) (malware. Despite this, Red Canary did not observe any secondary payloads delivered by SocGholish last month. St. exe. harteverything . Malicious actors have utilized Command & Control (C2) communication channels over the Domain Name Service (DNS) and, in some cases, have even used the protocol to exfiltrate data. wonderwomanquilts . rules) 2854532 - ETPRO PHISHING Phishing Domain in DNS Lookup (2023-06-09) (phishing. New one appeared today - Snort blocked a DNS request from pihole with rule number 2044844, "ET TROJAN SocGholish Domain in DNS Lookup (unit4 . rules) 2048388 - ET INFO Simplenote Notes Taking App Domain (app . rules)The only thing I can tell is its due to the cloudflare SSL cert with loads of domains in the alt san field of the cert. akibacreative . rules) 2852960 - ETPRO MALWARE Sylavriu. Over 5 years ago, we began tracking a new campaign that we called FakeUpdates (also known as SocGholish) that used compromised websites to trick. rules) 2039792 - ET MALWARE SocGholish CnC Domain in DNS Lookup (diary . Misc activity. The attack loads…2044793 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* . Please visit us at We will announce the mailing list retirement date in the near future. SocGholish is the oldest major campaign that uses browser update lures. Summary: 28 new OPEN, 29 new PRO (28 +1) CVE-2022-36804, TA444 Domains, SocGholish and Remcos. 
If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. First is the fakeupdate file which would be downloaded to the targets computer. SocGholish. rules)2046271 - ET MALWARE SocGholish Domain in DNS Lookup (toolkit . ru) (malware. Conclusion. DNS and Malware. ET MALWARE SocGholish Domain in TLS SNI (ghost . rules) Pro: 2854672 - ETPRO MALWARE PowerShell/Pantera Variant CnC Checkin (GET) (malware. System. com) (malware. rules). EXE"Nltest may be used to enumerate remote domain controllers using options such as /dclist and /dsgetdc. Protecting against SocGholish One malware injection of significant note was SocGholish, which accounted for over 17. rules). akibacreative . Added rules: Open: 2000345 - ET INFO IRC Nick change on non. These malicious URLs can be gathered from already known C&C servers, through the malware analysis process or open-source sites that. ilinkads . detroitdragway . SocGholish, aka FakeUpdates, malware framework is back in a new campaign targeting U. 8% of customers affected is SocGholish’s high water mark for the year. rules) Modified active rules: 2852922 - ETPRO MALWARE Win32/Screenshotter Backdoor Sending Screenshot (POST) (malware. Among them, the top 3 malware loaders that were observed to be the most active by the security researchers are:-. 2047991 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (oiuytyfvq621mb . I also publish some of my own findings in the environment independently if it’s something of value. com) (malware. Update. ]net domain has been parked (199. SocGholish reclaimed the top spot in February after a brief respite in January, when it dropped to the middle of the pack. NLTest Domain Trust Discovery. Misc activity. rules) Pro: 2852976 - ETPRO MALWARE Win32/BeamWinHTTP CnC Activity M1 (POST) (malware. Added rules: Open: 2044078 - ET INFO. 
rules)This morning I logged into Unifi Network on my UDM and noticed a bunch of threat management notifications of the type ET MALWARE Possible Dyre SSL Cert (fake state). com) (malware. For a brief explanation of the. rules)2044707 - ET MALWARE SocGholish Domain in DNS Lookup (scripts . It is crucial that users become aware of the risks of social engineering and organizations invest in security solutions to protect themselves against this. Linux and Mac users rejoice! Currently this malware can’t be bothered to target you (although that may change in the future for all we know)! SocGholish cid=272 It also appears that the threat actors behind SocGholish use multiple TDS services which can maintain control over infected websites for a prolonged time, thus complicating the work of defenders. covebooks . 2046239 - ET MALWARE SocGholish Domain in DNS Lookup (forbes . services) (malware. rules) 2855077 - ETPRO MALWARE Suspected Pen Testing. jdlaytongrademaker . FAKEUPDATES has led to further compromise via additional malware families that include CHTHONIC, DRIDEX, EMPIRE,. Please visit us at We will announce the mailing list retirement date in the near future. rules) Removed rules: 2014471 - ET POLICY DRIVEBY Generic - EXE Download by Java (policy. Figure 14: SocGholish Overview Figure 15: SocGholish Stage_1: TDS. google . rules) 2046308. rules) 2046241 - ET MALWARE SocGholish Domain in DNS Lookup (superposition . Agent. Please share issues, feedback, and requests at Feedback Added rules: Open: 2038930 - ET EXPLOIT Atlassian Bitbucket CVE-2022-36804 Exploit Attempt (exploit. com) (malware. It is primarily distributed through malicious websites, hijacked domains, and malvertizing posing as a fake Adobe Flash updater. SocGholish script containing prepended siteurl comment But in recent variants, this siteurl comment has since been removed. net. ET MALWARE SocGholish Domain in DNS Lookup (standard . 
SocGholish has been posing a threat since 2018 but really came into fruition in 2022. " It is the Internet standard for assigning IP addresses to domain names. 7 - Destination IP: 8. Update. com) Nov 19, 2023.