Fake Browser Updates Lead to BOINC Volunteer Computing Software

July 22, 2024, 4:13 p.m.

Description

This report details a recent malware campaign involving the infamous SocGholish/FakeUpdates malware, which tricks users into downloading fake browser updates. Instead of installing a common remote access tool (RAT) as the final payload, however, some infections resulted in the installation of the legitimate BOINC (Berkeley Open Infrastructure for Network Computing) volunteer-computing software, misused by the actors, likely as a mechanism for gaining remote access to and control over infected systems. The actors leveraged obfuscated PowerShell scripts and scheduled tasks for persistence, and connected the BOINC client to malicious BOINC servers hosted on domains such as rosettahome.top and rosettahome.cn. While the threat actors' motivations are unclear, this illicit use of BOINC represents a novel technique for establishing command and control over compromised hosts.

Date

Published: July 22, 2024, 3:56 p.m.

Created: July 22, 2024, 3:56 p.m.

Modified: July 22, 2024, 4:13 p.m.

Indicators


Attack Patterns

AsyncRAT

SocGholish

T1036.004

T1053.005

T1059.003

T1059.001

T1071.001

T1070.004

T1082

T1105

T1027

T1553

T1112

T1059