SocGhoulish

SocGhoulish is malware used for initial access activity in intrusions attributed by Varonis to affiliates of the RansomHub ransomware group. In the described incident, the infection began when a user downloaded and executed a fake browser update delivered as a malicious JavaScript file. After execution, the malware immediately performed reconnaissance, including enumeration of Active Directory users and computers, collection of local system information, and searching memory for credentials. Within minutes, the attackers established persistence via a recurring Scheduled Task and deployed second-stage malware consisting of a legitimate Python distribution placed in %LOCALAPPDATA%\ConnectedDevicesPlatform and an encrypted Python script that functioned as a SOCKS proxy, allowing the compromised host to be used as an Internet-accessible pivot into the corporate network. The Python component reportedly used a 10-layer multi-stage encryption and unpacking routine, randomized variable names, and anti-analysis checks including VM detection, debug detection, and process tracing detection. During the intrusion, the operators also modified Outlook email signatures under $env:APPDATA\Microsoft\Signatures to embed a malicious image reference, which Varonis assessed could coerce NTLM authentication on vulnerable clients for credential harvesting. Follow-on activity included searching network shares for credential material such as RDP files, OVPN files, and KeePass vaults, and attempting to decrypt stored Chrome and Edge credentials via DPAPI. The broader intrusion progressed rapidly to high privilege, with Varonis assessing likely abuse of a misconfigured Active Directory Certificate Services ESC1 path to obtain Domain Admin-level access, followed by enabling RDP on targeted administrator systems, creating scheduled tasks for credential and information gathering, and using AzCopy for data exfiltration. The observed targeting was an enterprise Windows/Active Directory environment.