GOLD PRELUDE
SUMMARY
GOLD PRELUDE is a financially motivated cybercriminal threat group that operates the SocGholish (aka FAKEUPDATES) malware distribution network. The name SocGholish, which first appeared in late 2017 and rose to prominence in mid-2018, has been used to describe both the web drive-by download network used to infect victims and the JavaScript-based loader malware that targets Windows systems. GOLD PRELUDE operates a large global network of compromised websites, frequently running vulnerable content management systems (CMS), that redirect into a malicious traffic distribution system (TDS). The TDS, which researchers at Avast have named Parrot TDS, uses opaque criteria to select the victims that are served a fake browser update page. These pages, which are customized to the visiting browser software, download the JavaScript-based SocGholish payload, frequently embedded within a compressed archive.
SocGholish uses IP-based geolocation to restrict infections to hosts in North America, Europe, and a small number of Asia-Pacific nations. If executed, SocGholish transmits a cursory profile of the infected host, including details such as the user name, domain name, and a process list, to its C2 servers. The C2 then sends additional reconnaissance commands if the system is deemed valuable, usually determined by whether it is a member of an Active Directory domain. Based on this additional information, the C2 server may then transmit further malware payloads. These payloads may include the NetSupport RAT or Cobalt Strike and are typically followed by interactive access by a human operator. Since at least 2019, the GOLD DRAKE threat group has made extensive use of SocGholish as an initial access vector (IAV) in intrusions intended to deploy ransomware, most recently LockBit.
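The execution pattern described above, a JavaScript loader delivered as a fake browser update and run on a Windows host, leaves a recognizable trace in process-creation telemetry: a Windows script host launching a .js file from a user-writable download or temp directory, typically with Explorer as the parent after a double-click. The detector below is an added example written for this profile, not code from the profile's author or from any vendor product. It assumes a constructed pipe-delimited event format (host|user|parent image|image|command line); the heuristics for user-writable paths, lure-like file names and Explorer parentage are assumptions chosen for illustration, and every host, user and file name in the sample events is constructed.

```python
"""Flag Windows script hosts running .js files from drive-by download locations.

Added example (not part of the GOLD PRELUDE profile). The event format and all
sample values are constructed; the path and file-name heuristics are assumptions.
"""
import re
from dataclasses import dataclass, field

# Windows script interpreters that execute .js files (wscript/cscript).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: locations where a browser download or an opened archive lands.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)
# Assumption: file names that imitate a browser update lure.
UPDATE_LURE = re.compile(r"(chrome|firefox|edge|opera|browser).*(update|install)", re.I)
# A quoted path ending in .js, or an unquoted token ending in .js.
JS_ARG = re.compile(r'"([^"]+\.js)"|(\S+\.js)\b', re.I)


@dataclass
class ProcEvent:
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


@dataclass
class Finding:
    host: str
    user: str
    script: str
    severity: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Parse one constructed event line: host|user|parent_image|image|command_line."""
    host, user, parent, image, cmdline = line.rstrip("\n").split("|", 4)
    return ProcEvent(host, user, parent, image, cmdline)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def js_from_cmdline(cmdline):
    """Return the first .js path on the command line, or None."""
    m = JS_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def assess(event):
    """Score one event; None when it is not a script host running a .js file."""
    if basename(event.image) not in SCRIPT_HOSTS:
        return None
    script = js_from_cmdline(event.cmdline)
    if script is None:
        return None
    reasons = ["script host executing a .js file"]
    if USER_WRITABLE.search(script):
        reasons.append("script located in a user-writable download/temp path")
    if UPDATE_LURE.search(basename(script)):
        reasons.append("file name imitates a browser update lure")
    if basename(event.parent) == "explorer.exe":
        reasons.append("launched from Explorer, consistent with a user double-click")
    # Four signals together match the drive-by pattern; one alone is routine admin scripting.
    severity = "high" if len(reasons) >= 4 else "medium" if len(reasons) >= 2 else "low"
    return Finding(event.host, event.user, script, severity, reasons)


def scan(text):
    """Assess every non-empty event line and return the findings in order."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            finding = assess(parse_event(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample events: one lure execution, one legitimate admin script, one non-script.
SAMPLE_EVENTS = (
    'WS01|CORP\\alice|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\wscript.exe|'
    '"C:\\Windows\\System32\\wscript.exe" "C:\\Users\\alice\\Downloads\\Chrome.Update.js"\n'
    'WS02|CORP\\bob|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\cscript.exe|'
    'cscript.exe //nologo C:\\Scripts\\inventory.js\n'
    'WS03|CORP\\carol|C:\\Windows\\explorer.exe|C:\\Program Files\\Notepad++\\notepad++.exe|'
    '"notepad++.exe" C:\\Users\\carol\\Downloads\\notes.txt\n'
)

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.host} {f.user} {f.script}: " + "; ".join(f.reasons))
```

Only the combination of signals is meaningful here: script hosts legitimately run .js logon and inventory scripts, so a single-signal hit is logged at low severity rather than suppressed, while a script-host launch from a Downloads folder with an update-themed name and an Explorer parent reaches high severity. In a real deployment the path and lure heuristics would be tuned to the environment and correlated with the preceding browser download.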