
International Law Enforcement Agencies Initiate Operation Against SocGholish Malware Group

As part of Operation Endgame, a major action disrupted a key infection chain used by cybercriminals. In an international cooperation, 14,971 websites infected with SocGholish malware were remediated. This malware is used by a criminal group that plays a pivotal role in international cybercrime: Evil Corp.

SocGholish exploits hacked legitimate WordPress sites to spread malware to their visitors, with the aim of gaining unauthorized access to the visitors' computer systems. WordPress is the world's most widely used platform for building websites; according to WordPress, more than 43% of all websites on the internet are powered by it. The login credentials of 1.4 million websites have been leaked, which leaves those sites vulnerable to malware infection. About 14,971 sites that provide everyday services have been infected with this malware, including the websites of restaurants and car repair garages.

Maikel Rollman, National High Tech Crime Unit: ‘With these actions we deprive cybercriminals of access to infected computer systems. This prevents further damage to the digital systems of citizens, businesses and organizations worldwide and limits the spread of malware. It also reduces the risk that these systems are used for cyber‑attacks on critical infrastructure and other essential societal processes. This marks the beginning of further action against SocGholish.’

14,971 websites remediated and disruption of the SocGholish botnet

In the past week, the Netherlands (NHCTU), Canada (RCMP), the United States (FBI) and Germany (BKA), with support from Europol and Eurojust, delivered a major blow to SocGholish’s criminal infrastructure during a joint action week.

Worldwide, 106 servers and domains were taken down and 14,971 websites were remediated. In addition, the following actions were carried out:

  • Cleaning infected WordPress sites and victim notification, urging previously infected WordPress owners to update their sites and change their login credentials.
  • Disabling the SocGholish botnet by taking over domain names and taking servers offline.
  • Victim notification for owners of WordPress sites whose leaked login credentials were identified by the police, via HaveIBeenPwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, The Shadowserver Foundation and NCSC (Netherlands).

The Dutch police have removed backdoors and malware from the infected WordPress sites. The owners of these sites have been informed. They are urged to:

  • change their login credentials;
  • enable multi‑factor authentication;
  • delete any unknown additional WordPress accounts;
  • keep their WordPress site up‑to‑date in the future.
