SocGholish is the name given by infosec researchers to an infrastructure set up by cybercriminals to perform drive-by download attacks. The framework makes liberal use of social engineering and manipulative tactics that lead users to the infected staging website. SocGholish attempts to trick its targets into executing the corrupted ZIP files it delivers by presenting them as legitimate updates for a browser, Flash, or Microsoft Teams. The primary delivery method is an iFrame that overlays a legitimate website with a corrupted version without the user's knowledge. By leveraging iFrames, the hackers can bypass Web filtering, because the filter still categorizes the page by the legitimate site that hosts it rather than by the injected content.
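As an added illustration of the detection side of the iFrame overlay technique described above (this is example code, not part of the original article and not tooling attributed to any researcher named here), the following Python scanner parses a fetched HTML page and flags iFrames that load content from a different host than the page itself and are styled either to cover the whole viewport or to be invisible. The function name, the `OVERLAY_HINTS` heuristic and the sample HTML are assumptions constructed for this example; the hostnames in it are fictitious.

```python
"""Heuristic scan for injected overlay or hidden cross-site iframes in an HTML page."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed heuristic: a frame is "overlay-styled" when it is taken out of normal
# flow and stacked above the page; "hidden" when it is collapsed or invisible.
OVERLAY_HINTS = ("position:fixed", "position:absolute")
HIDDEN_HINTS = ("display:none", "visibility:hidden")


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value) pairs; value may be None.
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _normalized_style(style):
    """Strip whitespace and lowercase so 'position: fixed' matches 'position:fixed'."""
    return style.replace(" ", "").replace("\n", "").lower()


def find_suspicious_iframes(html, page_host):
    """Return cross-site iframes that are overlay-styled or hidden.

    page_host is the hostname of the page being inspected; same-origin frames
    (and frames on its subdomains) are treated as normal and skipped.
    """
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        if not host or host == page_host or host.endswith("." + page_host):
            continue  # the lure is cross-site; first-party frames are expected
        style = _normalized_style(attrs.get("style", ""))
        overlay = any(h in style for h in OVERLAY_HINTS) and "z-index" in style
        hidden = (
            any(h in style for h in HIDDEN_HINTS)
            or attrs.get("width") == "0"
            or attrs.get("height") == "0"
        )
        if overlay or hidden:
            findings.append(
                {"src": src, "host": host, "overlay": overlay, "hidden": hidden}
            )
    return findings


# Constructed sample page: one first-party widget, one full-screen third-party
# overlay, one zero-size third-party frame, and one ordinary third-party embed.
SAMPLE_HTML = """
<html><body>
<h1>Example Corp news</h1>
<iframe src="https://www.example-corp.test/widgets/weather"></iframe>
<iframe src="https://update-lure.example/index.html"
        style="position: fixed; top: 0; left: 0; width: 100%; height: 100%;
               z-index: 99999; border: 0"></iframe>
<iframe src="https://tracker.example/ping" width="0" height="0"></iframe>
<iframe src="https://video.example/embed/123" width="560" height="315"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "www.example-corp.test"):
        print(finding)
```

Run against the constructed sample, the scanner reports the full-screen frame from `update-lure.example` as an overlay and the zero-size frame from `tracker.example` as hidden, while the first-party widget and the normally sized video embed pass. In practice this is a triage heuristic for page content captured by a proxy or crawler: it catches the overlay pattern the article describes, but a frame injected by script after load will only be visible if the captured HTML is the rendered DOM rather than the raw server response.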
Researchers note that the file delivered by the drive-by attack usually acts as a first-stage payload. It is tasked with profiling the infected system, then fetching and executing either an intermediate payload or the final malware. SocGholish has been reported to ultimately deploy the Dridex banking Trojan or a variant of the WastedLocker Ransomware on the compromised computer.