Pierluigi Paganini July 22, 2024

The JavaScript downloader SocGholish (aka FakeUpdates) is being used to deliver the AsyncRAT and the legitimate open-source project BOINC.

Huntress researchers observed the JavaScript downloader malware SocGholish (aka FakeUpdates) that is being used to deliver remote access trojan AsyncRAT and the legitimate open-source project BOINC (Berkeley Open Infrastructure Network Computing Client).

The BOINC project is a “volunteer computing” platform designed for large-scale distributed high-throughput computing using home computers, the University of California maintains the project.

SocGholish attack chain involves a malicious JavaScript file that downloads further stages. In this campaign, the last stage is a fileless AsyncRAT variant and a malicious BOINC installation hosted on rzegzwre[.]top, with BOINC accessed directly by IP. The PowerShell loaders are heavily obfuscated, while the BOINC installation scripts are unobfuscated and include author comments.

“BOINC facilitates connection to a remote server that can collect information and send tasks to the host for execution. The intention is to use “donated” computer resources to contribute to the work of various legitimate science projects. It’s similar to a cryptocurrency miner in that way (using computer resources to do work), and it’s actually designed to reward users with a specific type of cryptocurrency called Gridcoin, designed for this purpose.” reads the report published by Huntress. “These malicious installations of BOINC come configured to connect not to one of the legitimate BOINC servers but instead to a look-a-like server such as Rosettahome[.]top. From a malicious server, host data can be collected, files can be transferred, and any number of tasks can be sent down to the hosts and executed. So basically it can operate as a C2–”

The threat actors use scheduled tasks created at several points in the infection chain to maintain persistence.

As of July 15, 2024, 8,453 clients were connected to rosettahome[.]cn and 1,579 clients to rosettahome[.]top. Interestingly, neither server had executed any tasks on the hosts, indicating that no BOINC communication protocols, such as tasks or computing, had been initiated.

The BOINC Project Administrators and community are aware of the software’s misuse since June 26, 2024. Huntress experts also contacted the BOINC Project to inform them of their observations and tracking of these behaviors.

The report provides indicators of compromise along with Yara and Sigma rules.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, SocGholish)