SocGholish

Also known as: FAKEUPDATES, FakeUpdate

Category: Malware

Type: Drive-by download, trojan

Platform: Windows

Variants: JS.SOCGHOLISH.A, JS.SOCGHOLISH.SMB

Damage potential: Data theft, espionage, network spread, financial loss, identity theft, system compromise

Overview

SocGholish is a type of malware that infiltrates systems through drive-by downloads, often slipping in unnoticed. It employs social engineering tactics, such as posing as fake browser or system updates, to deceive users into downloading it. Once embedded in the system, SocGholish can deploy additional malicious software, including ransomware, banking trojans, and viruses, creating significant cybersecurity risks for the affected users.

Possible symptoms

If your files start disappearing or getting modified without your knowledge, you may suspect an infection. In addition, you may notice the following:

  • Sluggish computer performance.
  • An unusual spike in network traffic.
  • Unauthorized changes in system settings or login attempts.
  • Alerts from security software.
  • Unexpected pop-ups and browser redirects.
  • New and unfamiliar programs.
  • Disabled security features.
  • Changes in web browser settings.

Sources of infection

SocGholish (also known as FakeUpdates) typically spreads through compromised or malware-hosting websites via drive-by downloads that rely on browser vulnerabilities or social engineering tactics. To reach your system, malicious actors compromise legitimate websites by injecting malicious JavaScript code into them. When a user visits the infected website, the injected script presents a lure, typically a pop-up stating that an update is available for their browser or other common software. If the user acts on it and downloads the “update,” SocGholish begins running a malicious JavaScript payload, launching the attack.
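One way a defender can hunt for the final step of that chain, the downloaded “update” being run as a JavaScript payload by a Windows script host, is a simple heuristic over process-creation telemetry. The following is an added example, not code from NordVPN or from this page; the event field names are modelled loosely on Sysmon process-creation fields and the sample events are constructed, not real telemetry.

```python
import re
from pathlib import PureWindowsPath

# Windows script hosts that execute .js files dropped by the fake update lure.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Locations where a user-downloaded "update" would normally land (lowercase).
DOWNLOAD_DIRS = ("\\downloads\\", "\\temp\\", "\\desktop\\")
# Lure file names mimic a browser or software update.
UPDATE_WORDS = re.compile(r"update|upgrade|install", re.IGNORECASE)


def find_script_path(cmdline: str):
    """Return the first .js/.jse path referenced on the command line, if any."""
    m = re.search(r'"?([A-Za-z]:\\[^"]*?\.jse?)"?(?:\s|$)', cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def is_fake_update_launch(event: dict) -> bool:
    """True when a script host runs an 'update'-named .js from a download location."""
    image = PureWindowsPath(event["Image"]).name.lower()
    if image not in SCRIPT_HOSTS:
        return False
    script = find_script_path(event["CommandLine"])
    if script is None:
        return False
    in_user_dir = any(d in script.lower() for d in DOWNLOAD_DIRS)
    looks_like_update = bool(UPDATE_WORDS.search(PureWindowsPath(script).name))
    return in_user_dir and looks_like_update


def triage(events):
    """Return (event index, script path) for every event matching the heuristic."""
    return [(i, find_script_path(ev["CommandLine"]))
            for i, ev in enumerate(events) if is_fake_update_launch(ev)]


# Constructed sample events (hypothetical hosts and users, not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Chrome.Update.js"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\Scripts\inventory.js"},  # legitimate admin script
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
]

if __name__ == "__main__":
    for idx, path in triage(SAMPLE_EVENTS):
        print(f"suspicious fake-update script launch: event {idx} -> {path}")
```

The heuristic is deliberately narrow (script host plus download location plus update-style name) so it stays quiet on legitimate administrative scripts; a real detection would also be paired with blocking script hosts for non-admin users where feasible.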

SocGholish can also infect users through malicious attachments in phishing emails and through P2P (peer-to-peer) networks. Additionally, cybercriminals might take advantage of vulnerabilities in outdated software to infect devices.

Protection

Always browse with caution to protect your devices from SocGholish.

  • Avoid downloading files or software from unofficial sources.
  • If you get a pop-up for a browser update, open another website to see whether that pop-up remains. If it doesn’t show up, refrain from installing the “update.”
  • Be careful with email attachments, especially from unknown senders. Do not open suspicious links, media, or documents. Never click on update links or files you’ve received via email.
  • Double-check the update before installing it (you can always visit the official website of the browser or software vendor to check whether the latest update version matches the one you’ve been prompted to install).
  • Use NordVPN to secure your online traffic.
  • Scan your newly downloaded files for viruses and block malicious websites with NordVPN’s Threat Protection feature.
  • Make sure your operating system and software are updated.
  • Install a reputable antivirus solution.
  • Regularly back up important data.
  • Use strong passwords and two-factor authentication (2FA).

Removal

Follow these steps to remove SocGholish from an infected device with antivirus software:

  • Disconnect from the internet to stop SocGholish from communicating with its command and control server.
  • Boot your device in safe mode.
  • Run a full system scan, remove temporary files, and follow the further instructions provided by your antivirus software.
  • Restart your device.
  • Get in touch with an IT professional if you need further help.