by aviditas 1341 days ago
The last batch of SocGholish I encountered had virtualization checks on each stage and required user interaction to run/open the payload. It used iframes or modified Google Analytics on the compromised site, and used WordPress plugin vulns to get access. The sandboxing checks were crazy good. I ended up getting an old laptop to do the analysis, as it detected every other security sandbox tool. The only positive is that the payload (6 months back) itself is easily detected by most EDR. Defender caught it on download.

+1 to the enjoyable dissection. Rooting out the underlying infra was also very fun.