Fake Browser Updates Lead to BOINC Volunteer Computing Software
July 22, 2024, 4:13 p.m.
Description
This report details a recent malware campaign involving the infamous SocGholish/FakeUpdates malware, which tricks users into downloading fake browser updates. However, instead of installing common remote access tools (RATs) as the final payload, some infections resulted in the installation of the legitimate but maliciously misused BOINC (Berkeley Open Infrastructure for Network Computing) software, likely as a mechanism for gaining remote access and control over infected systems. The actors leveraged obfuscated PowerShell scripts and scheduled tasks for persistence, and connected to malicious BOINC servers hosted on domains like rosettahome.top and rosettahome.cn. While the threat actors' motivations are unclear, the illicit use of BOINC represents a novel technique for establishing command and control over compromised hosts.
Date
Published: July 22, 2024, 3:56 p.m.
Created: July 22, 2024, 3:56 p.m.
Modified: July 22, 2024, 4:13 p.m.
Indicators
Attack Patterns
AsyncRAT
SocGholish
T1036.004
T1053.005
T1059.003
T1059.001
T1071.001
T1070.004
T1082
T1105
T1027
T1553
T1112
T1059