Beware Of Fake Browser Updates That Installs Malicious BOINC Infrastructre

SocGholish malware, also known as FakeUpdates, has exhibited new behavior since July 4th, 2024, as the infection chain still begins with a compromised website prompting a fake browser update. 

Downloading the update triggers malicious code that fetches additional malware. Unlike prior campaigns where SocGholish installed common RATs, recent attacks involved the execution of additional files and scripts, deviating from the usual patterns.  

Infection Chain

The initial malicious Javascript downloads a PowerShell script that bypasses AMSI and fetches the next stage loader from a DGA-generated domain.

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

This second stage decodes, decrypts, and decompresses a third-stage PowerShell script using a Base64 encoded string, a hardcoded XOR key, and Gzip compression. The functionality can be replicated in CyberChef to reveal the final AsyncRAT payload.  

CyberChef recipe to decode the obfuscated AsyncRAT PowerShell commands.

Stage 3 of the AsyncRAT malware uses various techniques to detect virtualized environments, which check for specific strings in system information like “VMware” or “VirtualBox” and assign scores. 

A higher score indicates a higher likelihood of being in a virtual machine, and the final score is then incorporated into a cURL request parameter along with a randomly generated domain name fetched by the Domain Generation Algorithm (DGA).

If the score passes the threshold on the C2 server, the final AsyncRAT payload is delivered.  

The domain used by the final AsyncRAT payload.

A malicious PowerShell script disguised as a BOINC software installation uses cURL to download a file and then creates a random directory and file name, downloads a ZIP archive, extracts it, renames a file likely containing malware (BOINC.exe), and creates a scheduled task to execute it. 

To potentially evade detection, the script removes itself and creates a registry value with a misspelled key name (“ExpirienceHost”) as a possible infection marker. 

Strings from the process memory of PowerShell show the scheduled task creation.

SocGholish malware is abusing BOINC, an open-source distributed computing software, to create a command-and-control (C2) server by installing a disguised BOINC client that connects to a malicious server instead of legitimate BOINC servers. 

While no malicious tasks have been observed yet, the attacker can potentially steal information, transfer files, or execute further malware on the infected hosts.

Malicious server project status page.

An AsyncRAT infection was discovered through the analysis of scheduled tasks, which include malicious PowerShell commands disguised within log file names and executed by a headless Conhost process. 

It establishes persistence for the AsyncRAT and maintains connections to its C2 server, and tasks associated with a BOINC client were found, which may be a downloaded component for cryptocurrency mining or other purposes. 

According to Huntress, the techniques used in this attack closely resemble those linked to the SocGholish malware family, particularly its use of fake browser updates for initial access and obfuscated PowerShell downloads for AsyncRAT deployment.  

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Raga Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Indonesia Government Data Breach – Hackers Leaked 82 GB of Sensitive Data Online

Hackers have reportedly infiltrated and extracted a vast 82 GB of sensitive data from the Indonesian…

13 hours ago

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating system…

15 hours ago

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability in Apache…

15 hours ago

USA Launched Cyber Attack on Chinese Technology Firms

The Chinese National Internet Emergency Center (CNIE) has revealed two significant cases of cyber espionage…

15 hours ago

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…

2 days ago

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

3 days ago