In a troubling development, the SocGholish malware, also known as FakeUpdates, has been found to deploy a remote access trojan (RAT) called AsyncRAT alongside the Berkeley Open Infrastructure for Network Computing (BOINC) project. This open-source “volunteer computing” platform, maintained by the University of California, aims to harness the power of home computers for large-scale distributed computing tasks. However, cybercriminals are exploiting it for malicious purposes.
BOINC: From Science to Cybercrime
BOINC is designed to use idle computer resources to perform complex computations, similar to cryptocurrency mining. Participants in the BOINC network are rewarded with a specific type of cryptocurrency called Gridcoin, which incentivizes their contribution to the project. The misuse of such a reputable platform for cyberattacks highlights the increasing sophistication of cybercriminals.
The Mechanism of Attack
Huntress researchers Matt Anderson, Alden Schmidt, and Greg Linares reported that the malicious installations connect to actor-controlled domains (“rosettahome[.]cn” or “rosettahome[.]top”), functioning as command-and-control (C2) servers. These servers collect host data, transmit payloads, and issue further commands. As of mid-July, over 10,000 clients were connected to these domains, indicating the scale of the breach.
While no specific malicious activities have been observed on the infected hosts, it is hypothesized that the compromised connections could be sold as initial access points to other threat actors, potentially facilitating ransomware attacks or other malicious endeavors.
The SocGholish Infection Chain
SocGholish typically spreads through compromised websites that prompt users to download a fake browser update. This update, when executed, retrieves additional payloads and compromises the user’s machine. In this case, the JavaScript downloader activates two separate infection chains: one deploying a fileless variant of AsyncRAT, and the other installing BOINC.
To evade detection, the BOINC app is disguised as legitimate system processes like “SecurityHealthService.exe” or “trustedinstaller.exe.” Persistence is maintained through a scheduled task created by a PowerShell script, ensuring that the malware remains active on the infected machine.
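The two observable tells described above (a BOINC client renamed to look like a Windows system binary but running from a non-system path, and clients resolving the actor-controlled rosettahome domains) can be turned into a simple host-triage check. The following is an added example, not code from Huntress or the BOINC project; it runs over constructed scheduled-task and DNS records, and the TRUSTED_DIRS list is an assumption about where the genuine binaries of those names live (System32 and the servicing directory), which a real deployment would tune to its own baseline.

```python
"""
Added detection example (not from the Huntress or BOINC write-ups).
Flags (a) scheduled tasks whose action is named like a Windows system
binary but lives outside the trusted system directories, and (b) DNS
queries for the actor-controlled domains named in the report, then
rates hosts by how many of the two signals they show.
"""
from dataclasses import dataclass
from typing import Iterable

# Indicators from the article (written defanged there as rosettahome[.]cn/.top).
C2_DOMAINS = {"rosettahome.cn", "rosettahome.top"}
# Names the report says the renamed BOINC client hides behind.
MASQUERADED_NAMES = {"securityhealthservice.exe", "trustedinstaller.exe"}
# Assumption: where the genuine binaries of those names normally reside.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\servicing")


@dataclass
class TaskRecord:
    host: str
    task_name: str
    exe_path: str      # action executable of the scheduled task
    created_by: str    # process that registered the task


@dataclass
class DnsRecord:
    host: str
    query: str


def refang(domain: str) -> str:
    """Normalise a domain: undo [.] defanging, lower-case, drop trailing dot."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def is_masquerade(exe_path: str) -> bool:
    """True if the file name matches a system binary but the path does not."""
    path = exe_path.lower()
    name = path.rsplit("\\", 1)[-1]
    if name not in MASQUERADED_NAMES:
        return False
    return not any(path.startswith(d + "\\") for d in TRUSTED_DIRS)


def check_tasks(tasks: Iterable[TaskRecord]) -> list:
    """Return one finding per scheduled task whose action is a masquerade."""
    return [
        {"host": t.host, "signal": "masquerade", "task": t.task_name,
         "path": t.exe_path, "created_by": t.created_by}
        for t in tasks if is_masquerade(t.exe_path)
    ]


def check_dns(records: Iterable[DnsRecord]) -> list:
    """Return one finding per DNS query for a known C2 domain."""
    return [
        {"host": r.host, "signal": "c2_dns", "query": refang(r.query)}
        for r in records if refang(r.query) in C2_DOMAINS
    ]


def triage(tasks: Iterable[TaskRecord], dns: Iterable[DnsRecord]) -> dict:
    """Rate each flagged host: both signals -> high, one signal -> medium."""
    signals: dict = {}
    for f in check_tasks(tasks) + check_dns(dns):
        signals.setdefault(f["host"], set()).add(f["signal"])
    return {h: ("high" if len(s) == 2 else "medium") for h, s in signals.items()}


# Constructed sample records (not real telemetry).
SAMPLE_TASKS = [
    TaskRecord("WS01", "SecurityHealth", r"C:\Windows\System32\SecurityHealthService.exe", "services.exe"),
    TaskRecord("WS01", "Windows Update Check", r"C:\ProgramData\BOINC\trustedinstaller.exe", "powershell.exe"),
    TaskRecord("WS02", "Backup", r"C:\Users\alice\AppData\Roaming\SecurityHealthService.exe", "powershell.exe"),
    TaskRecord("WS03", "OneDrive Update", r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe", "OneDriveSetup.exe"),
]
SAMPLE_DNS = [
    DnsRecord("WS01", "rosettahome.cn"),
    DnsRecord("WS02", "example.com"),
    DnsRecord("WS04", "ROSETTAHOME.TOP."),
]

if __name__ == "__main__":
    for f in check_tasks(SAMPLE_TASKS) + check_dns(SAMPLE_DNS):
        print(f)
    print(triage(SAMPLE_TASKS, SAMPLE_DNS))
```

The path test deliberately keys on the file name rather than a hash, because the article's point is that the binary is a renamed legitimate client; a file-hash match would catch only one build, whereas a system-binary name outside its home directory is suspicious regardless of the payload behind it.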
Response from BOINC and Potential Risks
The BOINC project maintainers are aware of this misuse and are investigating ways to counteract the malware. Evidence of this abuse dates back to at least late June 2024. The exact motivation behind using BOINC in these attacks remains unclear. However, researchers warn that infected clients connecting to malicious BOINC servers pose a significant risk. Threat actors could potentially misuse these connections to execute various malicious commands, escalate privileges, or move laterally within a network, compromising entire domains.
The Broader Implications
This incident is part of a broader trend observed by cybersecurity firms. Check Point, for instance, has been tracking the use of compiled V8 JavaScript by malware authors to bypass static detections and deploy various types of malware, including RATs, stealers, loaders, cryptocurrency miners, wipers, and ransomware.
“In the ongoing battle between security experts and threat actors, malware developers keep coming up with new tricks to hide their attacks,” says security researcher Moshe Marelus. “It’s not surprising that they’ve started using V8, as this technology is commonly used to create software. It’s very widespread and extremely hard to analyze.”
Conclusion
The exploitation of BOINC by SocGholish malware underscores the evolving tactics of cybercriminals and the need for robust cybersecurity measures. As threat actors continue to find innovative ways to misuse legitimate platforms, it is crucial for both users and developers to stay vigilant. Maintaining updated security protocols and monitoring for unusual activities can help mitigate such risks. The collaboration between cybersecurity researchers and open-source project maintainers is vital in identifying and addressing these threats promptly.