Web shop spreads SocGolish malware and steals credit cards
Pieter Arntz · 2025-01-15 · via Threat Walkthroughs – ThreatDown by Malwarebytes

A web shop selling jewelry was found with code belonging to two web skimmers and the SocGholish Trojan downloader.

Something that people often overlook when they think about malware is that a vulnerable machine doesn’t stop being vulnerable after it’s been infected, and so it may be compromised in more than one way.

We recently found an example of this while visiting a US jewelry website: we noticed a couple of alerts about blocked domains that triggered our interest, because the domains were completely unrelated to each other, which suggested multiple infections. (We have reached out to the websites affected in this story.)

We recognized one as a SocGholish middleware domain and the other as a Magecart credit card skimmer. Not a nice combo to present your customers with, if you ask me.

Let’s dig in.

This is the malicious traffic our research revealed:

Figure: malicious traffic from one web store, showing traffic to two credit card skimmers and SocGholish.

The domain javalibraryeuro[.]com has been on our radar since October 2024, for acting as a command and control (C2) server for a Magecart campaign.

Magecart is a notorious cybercriminal group known for its credit card skimming attacks on e-commerce websites. Its main technique is to inject malicious JavaScript code into targeted websites, often by compromising third-party services the sites use.

The domain tapisroulantstore[.]it is a legitimate site, but the JavaScript hosted there does not even try to hide what it does:

Figure: credit card skimmer code.

SocGholish

While falling victim to credit card skimmers is bad enough on its own, getting your system infected with SocGholish is another level of dangerous.

SocGholish is a sophisticated JavaScript malware framework that has been actively used by cybercriminals since at least 2017. It tricks users into running a script supposedly meant to update their browser. What it actually does is infect the machine and send the details back to a human operator, who can decide how best to monetize it.

Figure: a typical SocGholish lure to get people to install malware.

In this case, the SocGholish code is not hosted directly on the website; it is reached through a few intermediate steps. In the traffic analysis, you can see that the script monsterpword[.]com/assets/table.js is loaded, which itself loads another script from yet another URL, dashnex.plexusmarket[.]fund, a domain we have been blocking since November 2024.

Figure: JavaScript code that loads another malicious JavaScript file.

The script from dashnex.plexusmarket[.]fund is highly obfuscated, but after a cleanup it looks like this:

Figure: cleaned-up SocGholish code.

The decodeBase64 function decodes a Base64-encoded string. It uses a character set to map each character to its index in that set and rebuilds the original string from the resulting bytes.

The processData function takes the decoded data and a key, then XORs them character by character against the repeating key. Because XOR is its own inverse, the same routine both encrypts and decrypts the data.
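Those two primitives are easy to reimplement for offline analysis. The following is an added example, not code from the ThreatDown post or from the loader itself: a table-driven Base64 decoder and a repeating-key XOR of the kind the post describes, wrapped so that an analyst who has extracted the key from a captured script can recover the hidden string. Every value in it is constructed for illustration (the key `k3y`, the stand-in URL, and the helper names `deobfuscate`, `obfuscate` and `looksLikeUrl` are all assumptions, not indicators from the case).

```javascript
// Added example (not from the ThreatDown post): reimplementation of the two
// de-obfuscation primitives described in the write-up, a Base64 decoder driven
// by an explicit character table and a repeating-key XOR. Runs under Node.js.
// All sample data is constructed; nothing here is a real indicator.

// Standard alphabet. Loaders sometimes use a shuffled table; swap it here if so.
const B64_CHARS =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

// Decode Base64 text into an array of byte values by looking each character
// up in the table and accumulating 6 bits at a time, as the loader's
// decodeBase64 does. Padding and whitespace are ignored.
function decodeBase64(input) {
  const clean = input.replace(/[^A-Za-z0-9+/]/g, '');
  const bytes = [];
  let buffer = 0;
  let bits = 0;
  for (const ch of clean) {
    buffer = (buffer << 6) | B64_CHARS.indexOf(ch);
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((buffer >> bits) & 0xff);
      buffer &= (1 << bits) - 1; // keep only the leftover low bits
    }
  }
  return bytes;
}

// Encoder counterpart, used only to build constructed samples for testing.
function encodeBase64(bytes) {
  let out = '';
  for (let i = 0; i < bytes.length; i += 3) {
    const chunk = bytes.slice(i, i + 3);
    const triple = (chunk[0] << 16) | ((chunk[1] || 0) << 8) | (chunk[2] || 0);
    out += B64_CHARS[(triple >> 18) & 63] + B64_CHARS[(triple >> 12) & 63];
    out += chunk.length > 1 ? B64_CHARS[(triple >> 6) & 63] : '=';
    out += chunk.length > 2 ? B64_CHARS[triple & 63] : '=';
  }
  return out;
}

// Repeating-key XOR, byte by byte: the same function encrypts and decrypts,
// matching the processData routine the post describes.
function processData(bytes, key) {
  const keyBytes = Array.from(key, (c) => c.charCodeAt(0));
  return bytes.map((b, i) => b ^ keyBytes[i % keyBytes.length]);
}

// Analyst entry point: Base64-decode a captured blob, then XOR with the
// recovered key, and return the plaintext as a UTF-8 string.
function deobfuscate(blob, key) {
  const plain = processData(decodeBase64(blob), key);
  return new TextDecoder().decode(Uint8Array.from(plain));
}

// Inverse direction, used to construct test samples.
function obfuscate(text, key) {
  const bytes = Array.from(new TextEncoder().encode(text));
  return encodeBase64(processData(bytes, key));
}

// Quick sanity check on a recovered string: loaders of this shape typically
// hide the URL of the next stage, so a URL-looking result is a good sign the
// key and table were right.
function looksLikeUrl(text) {
  return /^https?:\/\/[A-Za-z0-9.-]+\/\S*$/.test(text);
}

// Constructed sample (hypothetical key and URL, not from the case).
const SAMPLE_KEY = 'k3y';
const SAMPLE_PLAINTEXT = 'https://second-stage.example/loader.js';
const SAMPLE_BLOB = obfuscate(SAMPLE_PLAINTEXT, SAMPLE_KEY);

console.log('recovered:', deobfuscate(SAMPLE_BLOB, SAMPLE_KEY));
```

When applying this to a real capture, the first thing to check is the character table: a loader that ships its own alphabet will decode to garbage with the standard one, and the `looksLikeUrl` check above is a cheap way to notice that before spending time on the XOR key.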

Since SocGholish is basically a Trojan downloader, its human operator can use it to download whatever malware will best monetize the compromised machine. It could be used to download an information stealer or, if the victim is deemed important enough, ransomware.

How a bit of shopping while using a company computer led to a full-blown ransomware attack is not something you want to have to explain to your boss or IT team.

IOCs

The malicious domains mentioned in this blog post are all blocked by ThreatDown and Malwarebytes web protection modules:

javalibraryeuro[.]com

monsterpword[.]com

dashnex.plexusmarket[.]fund