Fake Browser Updates Lead to BOINC Volunteer Computing Software | Huntress

Researchers observe new activity linked to SocGholish/FakeUpdates, including a BOINC-based persistence vector alongside classic fileless AsyncRAT deployments. Infections begin when users visit compromised sites that deliver fake browser updates, leading to C2 communications and potential lateral movement. #SocGholish #BOINC

Keypoints

  • Infections start when a user visits a compromised site, triggering a fake browser update prompt that delivers malware.
  • Two infection chains emerge: a fileless AsyncRAT variant and a BOINC installer, with final payloads hosted on rzegzwre.top and related domains.
  • Stage 1 PowerShell loaders are heavily obfuscated, with Stage 2 decrypting and decompressing Stage 3 using XOR keys.
  • The final payloads contact C2 servers using DGAs, notably ga1yo3wu78v48hh.top, with related infrastructure appearing to resemble prior AsyncRAT activity.
  • BOINC is installed and configured to connect to malicious BOINC servers (RosettaHome.top, rosettahome.cn), using renamed executables and scheduled tasks, creating potential C2 channels.
  • Defensive opportunities include detecting BOINC installations, suspicious PowerShell activity, headless conhost usage, and unusual scheduled tasks or renamed executables.
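As an added example (not code from the Huntress post), the following Python triage walks constructed Sysmon Event ID 1-style process records and flags two of the detection opportunities listed above: conhost.exe launched with --headless to wrap PowerShell, and a BOINC binary running under a renamed file name. The sample events and the set of BOINC original file names are assumptions made for illustration.

```python
# Added example, not part of the original post. Field names follow Sysmon
# Event ID 1 (Image, OriginalFileName, CommandLine, ParentImage).
from pathlib import PureWindowsPath

# Constructed sample events modelled on the chain the post describes.
EVENTS = [
    {"Image": r"C:\Windows\System32\conhost.exe", "OriginalFileName": "CONHOST.EXE",
     "CommandLine": "conhost.exe --headless powershell.exe -w hidden -enc SQBFAFgA",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\ProgramData\BOINC\SecurityHealthService.exe",
     "OriginalFileName": "boinc.exe",
     "CommandLine": "\"C:\\ProgramData\\BOINC\\SecurityHealthService.exe\"",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\conhost.exe", "OriginalFileName": "CONHOST.EXE",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4",  # benign-looking launch
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Assumption: PE OriginalFileName values of the BOINC client binaries.
BOINC_ORIGINALS = {"boinc.exe", "boincmgr.exe", "boinccmd.exe"}


def headless_conhost(ev):
    """True when conhost.exe runs with --headless and wraps a PowerShell command."""
    cmd = ev["CommandLine"].lower()
    image = PureWindowsPath(ev["Image"]).name.lower()
    return image == "conhost.exe" and "--headless" in cmd and "powershell" in cmd


def renamed_boinc(ev):
    """True when the PE identifies itself as a BOINC binary but the on-disk name differs."""
    orig = ev.get("OriginalFileName", "").lower()
    if orig not in BOINC_ORIGINALS:
        return False
    return PureWindowsPath(ev["Image"]).name.lower() != orig


def triage(events):
    """Return (event index, finding) pairs for every record that trips a check."""
    findings = []
    for i, ev in enumerate(events):
        if headless_conhost(ev):
            findings.append((i, "headless conhost wrapping PowerShell"))
        if renamed_boinc(ev):
            findings.append((i, "renamed BOINC binary"))
    return findings


if __name__ == "__main__":
    for idx, finding in triage(EVENTS):
        print(f"event {idx}: {finding}")
```

In production the same two predicates map onto a SIEM query over process-creation telemetry; the OriginalFileName mismatch is the durable signal, since the attacker chooses the on-disk name but not the PE version resource.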

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – PowerShell used to download payload. “PowerShell loaders are all heavily obfuscated, with most strings being stored as character arrays that are later reassembled.”
  • [T1059.001] PowerShell – Executed powershell scripts and commands. “Stage 2: This portion of the chain is responsible for decoding, decrypting, and decompressing Stage 3 of the PowerShell loader.”
  • [T1059.003] Windows Command Shell – Used headless conhost.exe to launch BOINC. “In this infection, … we observed the use of conhost.exe with the --headless parameter to execute PowerShell commands.”
  • [T1053.005] Scheduled Task – Created scheduled tasks to execute the AsyncRAT payload and to execute the BOINC software.
  • [T1027] Obfuscated Files or Information – Used an obfuscated JavaScript file. “The PowerShell loaders are heavily obfuscated…”
  • [T1027.010] Command Obfuscation – Obfuscated PowerShell commands. “Stage 2 decodes, XOR with key bj3rtga4myi5, then decompresses…”
  • [T1112] Modify Registry – Added a registry value. “The registry key created here is just a simple Value containing only the number ‘1’.”
  • [T1036.004] Masquerading: Masquerade Task or Service – Masqueraded as Mozilla/Google-related tasks. “Masquerading as Mozilla and Google-related tasks.”
  • [T1070.004] File Removal – Removed zip file that was downloaded with PowerShell. “File Removal” referenced in the observables.
  • [T1553] Subvert Trust Controls – Used legitimate software with a valid signature (BOINC). “Subvert Trust Controls” described as BOINC usage.
  • [T1082] System Information Discovery – Ran command to discover members of the local administrators group. “Discovery Command: Ran command to discover members of the local administrators group.”
  • [T1071.001] Application Layer Protocol: Web Protocols – AsyncRAT C2 communication; BOINC software communication to its server. “Async RAT C2 communication” and “BOINC software communication to server.”
  • [T1105] Ingress Tool Transfer – Download BOINC Software. “Tool Ingress” described as downloading BOINC software.

Indicators of Compromise

  • [Network Indicators] IP – 216.245.184.105, 104.238.34.204 – C2 Server / Malicious BOINC Server
  • [Network Indicators] Domain – ga1yo3wu78v48hh.top, rosettahome.top, rosetta.top – C2 and Malicious BOINC Servers
  • [Network Indicators] Domain – rosettahome.cn – Malicious BOINC Server
  • [File Indicators] BOINC-related executables renamed (e.g., SecurityHealthService.exe, TrustedInstaller.exe, Gupdate.exe) – Hash 91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3
  • [File Indicators] update.js – Hashes 4716011ca9325480069bffeb2bbe0629fec6e5f69746f2e47f0a6894f2858c0b, 380bd5f097b8501618cf8b312d68e97b3220c31172f82973fce3084157caa15e
  • [File Indicators] Disable-NetAdapterPacketDirect.log – Hash c5bfe4ddcf576b432f4e6ccce10dd3d219ee5f54497e0cc903671783924414a6
  • [File Indicators] Get-PhysicalExtentAssociation_QoS.log – Hash 01a8aeb0b350a1325c86c69722affd410ff886881a405743e1adb23538eff119

Read more: https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software