Russian RomCom Utilizing SocGholish to Deliver Mythic Agent to U.S. Companies Supporting Ukraine
Russian-aligned threat actor RomCom, assessed to be GRU Unit 29155, utilized the SocGholish malware delivery framework to target a U.S. company supporting Ukraine. The attack chain leveraged fake browser updates to establish initial access, followed by the rapid deployment of a custom Python backdoor (VIPERTUNNEL) and a targeted Mythic Agent loader.
Authors: Jacob Faires, Arctic Wolf Labs
Source: Arctic Wolf
- domain: email[.]smashingboss[.]com - SocGholish payload server and C2 domain.
- domain: imprimerie-agp[.]com - RomCom Mythic C2 domain used to host the clarity.js payload.
- sha256: f7605fc8a1ee5f21aec55da04dbaa95a05db95b5e7851b172a5d30c7fb1da885 - SHA-256 hash of the malicious SocGholish JavaScript payload (Chome_Latest_Version.js).
Key Takeaways
- First observed instance of a RomCom payload being distributed by the SocGholish malware framework.
- The attack targeted a U.S. civil engineering firm with ties to Ukraine, aligning with RomCom's pro-Russian objectives.
- The infection chain leveraged fake browser updates to deliver malicious JavaScript, establishing initial access.
- Attackers deployed VIPERTUNNEL (a Python backdoor) and a RomCom Mythic loader within 30 minutes of initial access.
- Arctic Wolf Labs assesses with high confidence that Russia's GRU Unit 29155 is utilizing SocGholish to target victims.
Affected Systems
- Windows OS
- Active Directory environments
- Web Browsers (targeted by fake updates)
Attack Chain
The attack begins with a drive-by compromise where a user visits a compromised website and is prompted to download a fake browser update. Executing the downloaded JavaScript (SocGholish) establishes a reverse shell, allowing operators to conduct Active Directory reconnaissance using obfuscated PowerShell commands. The attackers then deploy VIPERTUNNEL, a custom Python backdoor, establishing persistence via scheduled tasks. Finally, a RomCom Mythic loader (msedge.dll) is delivered, which verifies the target's Active Directory domain before decrypting and executing a Mythic dynamichttp agent in memory.
Detection Availability
- YARA Rules: Yes
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: YARA (community rule authored by Ditekshen)
The article references a publicly available YARA rule (MALWARE_Win_RomCom_Loader) authored by Ditekshen for detecting the RomCom loader.
Detection Engineering Assessment
- EDR Visibility: High. The attack relies heavily on PowerShell execution, scheduled task creation, and DLL loading, all of which generate robust telemetry in modern EDR solutions.
- Network Visibility: Medium. C2 traffic uses standard HTTPS, so the payload itself is encrypted, but the domains and specific URI patterns can be monitored.
- Detection Difficulty: Moderate. The use of obfuscated PowerShell (e.g., p""owershell) and legitimate tools (tar, 7za) requires behavioral analytics rather than simple string matching.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon 1)
- PowerShell Operational, script block logging (Event ID 4104)
- Scheduled Task Creation (Event ID 4698)
- File Creation (Sysmon 11)
- Image Load (Sysmon 7) and Network Connection (Sysmon 3), required for the msedge.exe / msedge.dll hunt in the table below
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for PowerShell executions containing quote characters inserted to evade string matching (e.g., p""owershell). | Process Command Line | Execution | Low |
| Identify scheduled tasks created to execute pythonw.exe from non-standard directories like C:\programdata\Scripts. | Scheduled Task Creation / Process Creation | Persistence | Low |
| Monitor for msedge.exe loading msedge.dll from unexpected locations or exhibiting anomalous network connections. | Image Load / Network Connections | Execution | Medium |
| Detect PowerShell commands querying Active Directory using System.DirectoryServices.DirectorySearcher. | PowerShell Script Block Logging | Discovery | Medium |
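The hunts in the table, run as code over constructed telemetry. This is an added example written for this page, not Arctic Wolf detection content. It implements hypotheses 1, 2 and 4 (quote-spliced command names, pythonw.exe under C:\programdata in process and scheduled-task events, DirectorySearcher in script blocks); hypothesis 3 needs image-load telemetry that is not modelled here. The Event fields and the sample records are assumptions shaped like Sysmon/Security log data, and the command lines are modelled on the page's indicators rather than copied from the incident.

```python
"""Host-based hunts for the SocGholish -> VIPERTUNNEL -> RomCom loader chain.

Added example for this page (not Arctic Wolf code). Event records are
constructed; field names are an assumption about what your SIEM exposes.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int            # 4688 / Sysmon 1 = process creation, 4698 = task created, 4104 = script block
    image: str = ""          # executable path (process creation)
    command_line: str = ""   # full command line (process creation)
    task_content: str = ""   # task XML carried in a 4698 event
    script_block: str = ""   # script text carried in a 4104 event


# Hunt 1: empty quote pairs spliced into a command name, e.g. p""owershell.
# cmd.exe drops the quotes when resolving the token, so the binary still runs,
# but a naive "contains powershell" match on the raw command line fails.
QUOTE_SPLICE = re.compile(r'\b[A-Za-z]+(?:""|\'\')[A-Za-z]+', re.I)

# Hunt 2: pythonw.exe executed from, or scheduled to run from, ProgramData.
PYTHONW_PROGRAMDATA = re.compile(r'[a-z]:\\programdata\\[^"\s]*pythonw\.exe', re.I)

# Hunt 4: AD reconnaissance through .NET DirectoryServices (or the [adsisearcher] accelerator).
AD_RECON = re.compile(r'System\.DirectoryServices\.DirectorySearcher|\[adsisearcher\]', re.I)


def has_quote_splicing(cmdline: str) -> bool:
    return bool(QUOTE_SPLICE.search(cmdline))


def dequote(cmdline: str) -> str:
    """Strip empty quote pairs so the real executable name can be matched downstream."""
    return cmdline.replace('""', '').replace("''", '')


def pythonw_from_programdata(text: str) -> bool:
    return bool(PYTHONW_PROGRAMDATA.search(text))


def hunt(events):
    """Return (hunt_name, evidence) pairs for every event that matches a hypothesis."""
    hits = []
    for e in events:
        if e.event_id in (1, 4688):
            if has_quote_splicing(e.command_line):
                hits.append(("obfuscated_powershell", dequote(e.command_line)))
            if pythonw_from_programdata(e.image) or pythonw_from_programdata(e.command_line):
                hits.append(("pythonw_programdata", e.command_line))
        elif e.event_id == 4698 and pythonw_from_programdata(e.task_content):
            hits.append(("pythonw_scheduled_task", e.task_content))
        elif e.event_id == 4104 and AD_RECON.search(e.script_block):
            hits.append(("ad_recon_directorysearcher", e.script_block))
    return hits


# Constructed sample telemetry (not from the incident). The last record is benign.
SAMPLE_EVENTS = [
    Event(4688, image=r"C:\Windows\System32\cmd.exe",
          command_line='cmd.exe /c p""owershell -nop -w hidden -enc SQBFAFgA'),
    Event(4688, image=r"C:\ProgramData\Scripts\pythonw.exe",
          command_line=r"C:\ProgramData\Scripts\pythonw.exe C:\ProgramData\Scripts\main.py"),
    Event(4698, task_content="<Task><Actions><Exec><Command>c:\\programdata\\Scripts\\pythonw.exe</Command>"
                             "<Arguments>c:\\programdata\\Scripts\\main.py</Arguments></Exec></Actions></Task>"),
    Event(4104, script_block='$s = New-Object System.DirectoryServices.DirectorySearcher; '
                             '$s.Filter = "(objectClass=computer)"; $s.FindAll()'),
    Event(4688, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line=r"powershell.exe -File C:\Scripts\Backup.ps1"),
]

if __name__ == "__main__":
    for name, evidence in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {evidence}")
```

The quote-splice regex is deliberately narrow (letters on both sides of the empty pair) so that legitimate `echo ""` style arguments do not fire; the DirectorySearcher hunt is the one most likely to need an allowlist for administrative scripts, which is why the table rates its false-positive risk as Medium.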
Control Gaps
- Lack of application allowlisting allowing execution from user-writable directories
- Insufficient DNS filtering for newly registered domains
Key Behavioral Indicators
- Obfuscated PowerShell syntax (p""owershell)
- pythonw.exe execution from C:\programdata
- msedge.dll loaded via CLSID abuse
- HTTP responses with nginx/1.24.0 in headers but nginx/1.18.0 in body
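A check for the last indicator above, the Server header advertising one nginx build while the default error page in the body names another. This is an added example for this page, not a vendor or Arctic Wolf detection; the HTTP response is constructed to show the pattern and is not a capture from RomCom infrastructure. Treat a mismatch as a fingerprinting heuristic rather than proof: a reverse proxy in front of an older backend produces the same pattern.

```python
"""Flag HTTP responses whose Server header and nginx error-page banner disagree.

Added example for this page (not Arctic Wolf code). SUSPECT is a constructed
response, not captured traffic.
"""
import re

# Server header, e.g. "Server: nginx/1.24.0"
SERVER_HDR = re.compile(r'^Server:\s*nginx/([\d.]+)\s*$', re.I | re.M)
# Banner nginx writes into its default error pages: <center>nginx/1.18.0</center>
BODY_BANNER = re.compile(r'<center>nginx/([\d.]+)</center>', re.I)


def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (header block, body) as text."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.decode("latin-1"), body.decode("latin-1", "replace")


def nginx_versions(raw: bytes):
    """Return (header_version, body_version); either is None when absent."""
    head, body = split_response(raw)
    h = SERVER_HDR.search(head)
    b = BODY_BANNER.search(body)
    return (h.group(1) if h else None, b.group(1) if b else None)


def version_mismatch(raw: bytes) -> bool:
    """True only when both versions are present and differ."""
    h, b = nginx_versions(raw)
    return h is not None and b is not None and h != b


# Constructed sample: default 404 page served under a Server header from a newer build.
SUSPECT = (b"HTTP/1.1 404 Not Found\r\n"
           b"Server: nginx/1.24.0\r\n"
           b"Content-Type: text/html\r\n\r\n"
           b"<html><head><title>404 Not Found</title></head><body>"
           b"<center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0</center>"
           b"</body></html>")
# Same page with a consistent header, for comparison.
CONSISTENT = SUSPECT.replace(b"nginx/1.24.0", b"nginx/1.18.0")

if __name__ == "__main__":
    for label, resp in (("suspect", SUSPECT), ("consistent", CONSISTENT)):
        print(label, nginx_versions(resp), "mismatch" if version_mismatch(resp) else "ok")
```

In practice the check is applied to responses from candidate C2 hosts (for example, a probe of a listed domain's root path) and used as one weak signal alongside the domain and URI indicators, not as a standalone alert.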
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Block known SocGholish and RomCom C2 domains and IPs.
- Quarantine endpoints exhibiting suspicious PowerShell activity or unexpected pythonw.exe execution.
Infrastructure Hardening
- Block traffic to known bulletproof hosting ASNs at the network edge, and apply DNS filtering to newly registered domains.
- Enable LSA protection to reduce credential theft impact.
- Implement application allowlisting to prevent execution from user-writable directories like C:\programdata.
User Protection
- Ensure browsers and plugins are regularly patched via official channels.
- Deploy memory scanning capabilities to detect in-memory payloads.
Security Awareness
- Educate users on the dangers of fake update prompts.
- Implement regular user awareness training including phishing simulations.
MITRE ATT&CK Mapping
- T1189 - Drive-By Compromise
- T1059.007 - JavaScript
- T1547.001 - Registry Run Keys / Startup Folder
- T1053.005 - Scheduled Task/Job
- T1574.001 - DLL Search Order Hijacking
- T1112 - Modify Registry
- T1071.001 - Web Protocols
Additional IOCs
- IPs:
  - 135[.]125[.]255[.]39 - RomCom Mythic C2
  - 88[.]119[.]174[.]128 - RomCom Mythic C2
  - 193[.]233[.]205[.]14 - RomCom Mythic C2
  - 162[.]248[.]227[.]182 - RomCom Mythic C2
  - 104[.]238[.]61[.]141 - RomCom Mythic C2
  - 194[.]36[.]209[.]127 - RomCom Mythic C2
  - 38[.]114[.]101[.]139 - RomCom Mythic C2
  - 157[.]254[.]167[.]144 - SocGholish C2
  - 2[.]59[.]161[.]132 - SocGholish C2
- Domains:
  - orlandoscreenenclosure[.]net - RomCom Mythic C2
  - basilic[.]info - RomCom Mythic C2
  - ozivoice[.]com - RomCom Mythic C2
  - solarrayes[.]com - RomCom Mythic C2
  - srlaptop[.]com - RomCom Mythic C2
  - carnesmemdesa[.]com - RomCom Mythic C2
  - realty[.]yourpgcountyliving[.]com - SocGholish payload server
  - virtual[.]urban-orthodontics[.]com - SocGholish payload server
  - africa[.]thesmalladventureguide[.]com - SocGholish payload server
- URLs:
  - hxxps://imprimerie-agp[.]com/s/0.7.8/clarity.js - RomCom Mythic C2 payload URL
  - hxxps://email[.]smashingboss[.]com/pixel.png - SocGholish check-in URL
- File Hashes:
  - 9912bb2d82218ba504c28e96816315b3 (MD5) - MD5 hash of Chome_Latest_Version.js
- File Paths:
  - c:\programdata\Scripts\pythonw.exe - Path used for executing the VIPERTUNNEL Python backdoor.
- Command Lines:

| Purpose | Tools | Stage | Command |
|---|---|---|---|
| Active Directory reconnaissance | PowerShell | Discovery | |
| Establish persistence for Python backdoor | PowerShell, Scheduled Tasks | Persistence | |
| Test connection to Mythic C2 | PowerShell | Command and Control | Invoke-WebRequest -uri |
| Extract and execute Python payload | PowerShell, tar, 7za.exe | Execution | tar -xf c:\programdata\x64.zip -C c:\programdata\ |
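The Immediate Mitigation step above asks for the C2 domains and IPs to be blocked, and the IOCs on this page are defanged in several styles ([.], [[.]], [:], hxxps). This added helper, written for this page and not Arctic Wolf tooling, normalizes a handful of the listed indicators into a plain IP and domain blocklist and emits Suricata DNS rules for the domains. The sample list below is taken from this page's IOC section; the rule message text and the starting SID range are assumptions.

```python
"""Refang defanged IOCs and turn them into a blocklist plus Suricata DNS rules.

Added example for this page (not Arctic Wolf tooling). PAGE_IOCS is copied
from the page's IOC lists; the SID range is an arbitrary local choice.
"""
import ipaddress
import re
from urllib.parse import urlsplit


def refang(ioc: str) -> str:
    """Undo the defanging styles used on this page: [.] or [[.]], [:], hxxp(s)."""
    s = ioc.strip()
    s = re.sub(r'\[\[?\.\]\]?', '.', s)
    s = s.replace('[:]', ':')
    s = re.sub(r'^hxxp(s?)://', r'http\1://', s, flags=re.I)
    return s


def classify(ioc: str) -> str:
    """Return 'url', 'ip' or 'domain' for a (possibly defanged) indicator."""
    s = refang(ioc)
    if re.match(r'^https?://', s, re.I):
        return 'url'
    try:
        ipaddress.ip_address(s)
    except ValueError:
        return 'domain'
    return 'ip'


def suricata_dns_rule(domain: str, sid: int, msg: str) -> str:
    # Suricata 6+ syntax: dotprefix prepends "." to the query buffer, so
    # content:".evil.com"; endswith; matches evil.com and any subdomain of it
    # without also matching notevil.com.
    return (f'alert dns any any -> any any (msg:"{msg}"; dns.query; dotprefix; '
            f'content:".{domain}"; endswith; nocase; sid:{sid}; rev:1;)')


def build_blocklist(iocs, first_sid=9000001):
    """iocs: iterable of (indicator, label). URLs contribute their host to the domain list."""
    ips, domains = set(), {}
    for raw, label in iocs:
        value = refang(raw)
        kind = classify(raw)
        if kind == 'ip':
            ips.add(value)
        elif kind == 'url':
            domains.setdefault(urlsplit(value).hostname.lower(), label)
        else:
            domains.setdefault(value.lower(), label)
    rules = [suricata_dns_rule(d, first_sid + i, f"{domains[d]} domain {d}")
             for i, d in enumerate(sorted(domains))]
    return {
        'ips': sorted(ips, key=ipaddress.ip_address),
        'domains': sorted(domains),
        'rules': rules,
    }


# Indicators copied from this page's IOC lists (a subset, to keep the example short).
PAGE_IOCS = [
    ("email[.]smashingboss[[.]]com", "SocGholish payload server and C2"),
    ("imprimerie-agp[[.]]com", "RomCom Mythic C2"),
    ("135[.]125[.]255[[.]]39", "RomCom Mythic C2"),
    ("157[.]254[.]167[[.]]144", "SocGholish C2"),
    ("realty[.]yourpgcountyliving[[.]]com", "SocGholish payload server"),
    ("https[:]//imprimerie-agp[.]com/s/0.7.8/clarity.js", "RomCom Mythic C2 payload URL"),
    ("hxxps://email[.]smashingboss[.]com/pixel.png", "SocGholish check-in URL"),
]

if __name__ == "__main__":
    bl = build_blocklist(PAGE_IOCS)
    print("IPs:", bl['ips'])
    print("Domains:", bl['domains'])
    for r in bl['rules']:
        print(r)
```

Feed the full IOC section through the same function to produce the blocklist; the domain rules use `dotprefix` so that the subdomain-based SocGholish payload servers (for example, the realty. host above) are caught whether the query is for the listed host or another label under the same registered domain.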