SocGholish malware [1] [2] [3] [4] [6] [7] [8], also known as FakeUpdates [1] [2] [3] [4] [6] [7], has been active since July 4th, 2024 [8], spreading through fake browser updates to deliver the AsyncRAT trojan and install the BOINC platform on infected systems for cyberattacks.
Description
This new variant of SocGholish exhibits new behaviors, including a malicious JavaScript downloader that bypasses security measures and retrieves payloads from a random subdomain [8]. The infection chain involves multiple stages [8]; the final payload is AsyncRAT, which checks for virtual machine environments and connects to fake BOINC servers, potentially to establish command-and-control channels [8]. The actors use scheduled tasks to spread infections and hide malicious activity [8], and encrypted PowerShell code has been observed being downloaded from a C2 server [8]. The malware authors use compiled V8 JavaScript to conceal various types of malware, including remote access trojans [1] [2] [5] [6] [7], stealers [2] [4], loaders [1] [2] [4], cryptocurrency miners [2], wipers [2], and ransomware [2] [3].

Persistence is achieved through scheduled tasks that run PowerShell scripts [3], posing a high risk of network compromise [3]. The BOINC project maintainers are investigating the issue and ways to mitigate the malware [3] [6] [7], as over 10,000 clients have connected to these malicious domains [3]. Infected clients connecting to malicious BOINC servers are at high risk of further misuse by threat actors [6] [7]. The malware connects to actor-controlled domains to collect data and transmit payloads [2] [6] [7]. The JavaScript downloader activates two chains [1] [6] [7]: one deploys AsyncRAT and the other installs BOINC under different names to avoid detection [7]. Organizations are advised to remain vigilant and use advanced detection and monitoring services to protect against these attacks.
Attacks that execute additional files and scripts rather than common RATs have also been observed [4]. The chain starts at a compromised website that prompts a fake browser update [4], which leads to the download of malicious code that fetches further malware [4]. The initial malicious JavaScript downloads a PowerShell script that bypasses AMSI and fetches the next-stage loader from a DGA-generated domain [4]. The final payload is AsyncRAT [4], which uses various techniques to detect virtualized environments and then connects to its C2 server [4]. The malware also abuses the BOINC software to create a C2 server and potentially steal information or execute further malware on infected hosts [4].
Conclusion
The SocGholish malware poses a significant threat to organizations and individuals, with its advanced techniques and multiple stages of infection. Mitigation efforts are underway, but the risk of network compromise remains high. Continued vigilance and the use of advanced detection and monitoring services are crucial to protect against cyberattacks. The misuse of BOINC for malicious purposes highlights the need for increased security measures and collaboration among project maintainers and cybersecurity experts to prevent future incidents.
References
[1] https://indoguardonline.com/2024/07/22/the-socgholish-malware-uses-the-boinc-project-for-stealthy-cyberattacks/
[2] https://thehackernews.com/2024/07/socgholish-malware-exploits-boinc.html
[3] https://foresiet.com/blog/socgholish-malware-exploits-boinc-project-for-covert-cyberattacks
[4] https://gbhackers.com/beware-fake-browser-updates-malicious-boinc/
[5] https://securityaffairs.com/166030/malware/socgholish-used-deliver-asyncrat.html
[6] https://www.redpacketsecurity.com/socgholish-malware-exploits-boinc-project-for-covert-cyberattacks/
[7] https://insights.havosoft.com/2024/07/22/socgholish-malware-exploits-boinc-project-for-covert-cyberattacks/
[8] https://cyberpress.org/dangerous-boinc-malware/