Friday, January 24, 2025
HomeCyber AttackBeware Of Fake Browser Updates That Installs Malicious BOINC Infrastructre

Beware Of Fake Browser Updates That Installs Malicious BOINC Infrastructre

Published on

SIEM as a Service

Follow Us on Google News

SocGholish malware, also known as FakeUpdates, has exhibited new behavior since July 4th, 2024, as the infection chain still begins with a compromised website prompting a fake browser update. 

Downloading the update triggers malicious code that fetches additional malware. Unlike prior campaigns where SocGholish installed common RATs, recent attacks involved the execution of additional files and scripts, deviating from the usual patterns.  

Infection Chain

The initial malicious Javascript downloads a PowerShell script that bypasses AMSI and fetches the next stage loader from a DGA-generated domain.

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

This second stage decodes, decrypts, and decompresses a third-stage PowerShell script using a Base64 encoded string, a hardcoded XOR key, and Gzip compression. The functionality can be replicated in CyberChef to reveal the final AsyncRAT payload.  

CyberChef recipe to decode the obfuscated AsyncRAT PowerShell commands.

Stage 3 of the AsyncRAT malware uses various techniques to detect virtualized environments, which check for specific strings in system information like “VMware” or “VirtualBox” and assign scores. 

A higher score indicates a higher likelihood of being in a virtual machine, and the final score is then incorporated into a cURL request parameter along with a randomly generated domain name fetched by the Domain Generation Algorithm (DGA).

If the score passes the threshold on the C2 server, the final AsyncRAT payload is delivered.  

 The domain used by the final AsyncRAT payload.

A malicious PowerShell script disguised as a BOINC software installation uses cURL to download a file and then creates a random directory and file name, downloads a ZIP archive, extracts it, renames a file likely containing malware (BOINC.exe), and creates a scheduled task to execute it. 

To potentially evade detection, the script removes itself and creates a registry value with a misspelled key name (“ExpirienceHost”) as a possible infection marker. 

Strings from the process memory of PowerShell show the scheduled task creation.

SocGholish malware is abusing BOINC, an open-source distributed computing software, to create a command-and-control (C2) server by installing a disguised BOINC client that connects to a malicious server instead of legitimate BOINC servers. 

While no malicious tasks have been observed yet, the attacker can potentially steal information, transfer files, or execute further malware on the infected hosts.

Malicious server project status page.

An AsyncRAT infection was discovered through the analysis of scheduled tasks, which include malicious PowerShell commands disguised within log file names and executed by a headless Conhost process. 

It establishes persistence for the AsyncRAT and maintains connections to its C2 server, and tasks associated with a BOINC client were found, which may be a downloaded component for cryptocurrency mining or other purposes. 

According to Huntress, the techniques used in this attack closely resemble those linked to the SocGholish malware family, particularly its use of fake browser updates for initial access and obfuscated PowerShell downloads for AsyncRAT deployment.  

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Raga Varshini
Raga Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Latest articles

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...