Don't Ghost the SocGholish: GhostWeaver Backdoor
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
The article details a malware infection chain involving SocGholish (FakeUpdates), MintsLoader, and the GhostWeaver backdoor. The attack begins with a fake browser update and progresses through several stages to deploy a PowerShell backdoor and a set of plugins. Together, these components steal sensitive data, including browser credentials, cryptocurrency wallet contents, and Outlook data. To evade detection and intercept user data, the malware uses process injection, JA3 fingerprint manipulation, and web injection. The attackers primarily target machines that are not joined to an Active Directory domain, which suggests a focus on smaller organizations or individual users with weaker security controls.
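The summary lists JA3 fingerprint manipulation among GhostWeaver's evasion techniques. The following is an added example, not code from the article or from the malware, showing what a JA3 fingerprint is and why altering it defeats hash-based network detection: JA3 hashes the TLS version, cipher suites, extension types, supported groups and EC point formats a client offers in its ClientHello, so a client that merely reorders its cipher list produces a different hash while the TLS connection still works. The two ClientHello records below are constructed in the script itself (not captured traffic); the cipher and extension values are common TLS 1.2/1.3 choices picked for illustration, and the GREASE value 0x2a2a is included to show that JA3 drops it.

```python
"""
JA3 fingerprinting of a TLS ClientHello, written to illustrate the
"JA3 fingerprint manipulation" evasion mentioned in the summary.

JA3 string = "TLSVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats"
(decimal values joined by "-", GREASE values dropped); JA3 hash = MD5 of that string.
"""
import hashlib
import struct


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are excluded from JA3."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("!H", buf, off)[0]


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ClientHello and return the fields JA3 uses."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                         # strip 5-byte record header
    if hs[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    pos = 4                                 # handshake type (1) + length (3)
    version = _u16(hs, pos)
    pos += 2 + 32                           # legacy_version + 32-byte random
    pos += 1 + hs[pos]                      # session_id
    cs_len = _u16(hs, pos)
    pos += 2
    ciphers = [_u16(hs, pos + i) for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + hs[pos]                      # compression_methods
    extensions, groups, formats = [], [], []
    if pos < len(hs):
        end = pos + 2 + _u16(hs, pos)
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", hs, pos)
            pos += 4
            data = hs[pos:pos + elen]
            pos += elen
            extensions.append(etype)
            if etype == 0x000A:             # supported_groups (elliptic curves)
                groups = [_u16(data, 2 + i) for i in range(0, _u16(data, 0), 2)]
            elif etype == 0x000B:           # ec_point_formats
                formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "groups": groups, "formats": formats}


def ja3(record: bytes) -> tuple[str, str]:
    """Return (ja3_string, ja3_md5) for a ClientHello record."""
    f = parse_client_hello(record)

    def field(values):
        return "-".join(str(v) for v in values if not is_grease(v))

    s = ",".join([str(f["version"]), field(f["ciphers"]), field(f["extensions"]),
                  field(f["groups"]), field(f["formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


def build_client_hello(ciphers, extensions, groups, formats=(0,)) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record. Constructed test input, not captured traffic."""
    exts = b""
    for etype in extensions:
        if etype == 0x000A:
            body = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
        elif etype == 0x000B:
            body = bytes([len(formats)]) + bytes(formats)
        else:
            body = b""                      # payload irrelevant to JA3; only the type counts
        exts += struct.pack("!HH", etype, len(body)) + body
    body = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"       # version, random, empty session id
            + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                             # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: the "mutated" hello offers the same ciphers in a different order,
# which is enough to change the JA3 hash while keeping the connection fully functional.
CIPHERS = [0x1301, 0x1302, 0xC02B, 0xC02F]
EXTENSIONS = [0x0000, 0x000A, 0x000B, 0x000D, 0x002B, 0x2A2A]   # 0x2a2a is GREASE
GROUPS = [0x001D, 0x0017, 0x0018]
BASELINE_HELLO = build_client_hello(CIPHERS, EXTENSIONS, GROUPS)
MUTATED_HELLO = build_client_hello([CIPHERS[2]] + CIPHERS[:2] + CIPHERS[3:], EXTENSIONS, GROUPS)

if __name__ == "__main__":
    for name, hello in (("baseline", BASELINE_HELLO), ("mutated", MUTATED_HELLO)):
        s, h = ja3(hello)
        print(f"{name}: {s}\n  ja3={h}")
```

Running the script prints two different JA3 hashes for two clients that negotiate identical TLS parameters. That is the whole point of the evasion: a detection rule keyed on a single JA3 hash for the MintsLoader or GhostWeaver client stops matching the moment the implant permutes its cipher or extension list, so JA3 indicators from this report are best treated as weak, corroborating evidence rather than a sole blocking criterion.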
OPENCTI LABELS :
backdoor,powershell,socgholish,netsupport rat,credential theft,cryptocurrency,boinc,fakeupdates,mintsloader,ghostweaver,web injection,juniper stealer