Fake Browser Updates Lead to BOINC Volunteer Computing Software
July 22, 2024, 4:13 p.m.
Description
This report details a recent malware campaign involving the infamous SocGholish/FakeUpdates malware, which tricks users into downloading fake browser updates. However, instead of installing common remote access tools (RATs) as the final payload, some infections resulted in the installation of the legitimate but maliciously misused BOINC (Berkeley Open Infrastructure for Network Computing) software, likely as a mechanism for gaining remote access and control over infected systems. The actors leveraged obfuscated PowerShell scripts and scheduled tasks for persistence, and connected to malicious BOINC servers hosted on domains like rosettahome.top and rosettahome.cn. While the threat actors' motivations are unclear, the illicit use of BOINC represents a novel technique for establishing command and control over compromised hosts.
Date
- Created: July 22, 2024, 3:56 p.m.
- Published: July 22, 2024, 3:56 p.m.
- Modified: July 22, 2024, 4:13 p.m.
Indicators