Don't Ghost the SocGholish: GhostWeaver Backdoor
Essential information
- Published: 17/02/2025 11:10
- Modified: 17/02/2025 11:24
- Tags: 2025-02-17 backdoor boinc credential-theft cryptocurrency fakeupdates ghostweaver juniper stealer mintsloader netsupport rat powershell socgholish web injection
- Related entities: 14 observables, 1 intrusion set (apt), 17 techniques (mitre), 7 malware
Description
The article details a multi-stage malware infection chain involving SocGholish, MintsLoader, and the GhostWeaver backdoor. The attack begins with a fake browser update and progresses through several stages to deploy a PowerShell backdoor and a set of plugins. Together these components steal sensitive information, including browser credentials, cryptocurrency wallet data, and Outlook contents. The malware uses techniques such as process injection, JA3 fingerprint manipulation, and web injection to evade detection and intercept user data. The attackers primarily target machines that are not joined to an Active Directory domain, suggesting a focus on smaller organizations or individual users with weaker security controls.