SocGholish Malware Exploits BOINC Project for Covert Cyberattacks

Introduction

The SocGholish malware, also known as FakeUpdates, has resurfaced with new tactics that leverage the BOINC (Berkeley Open Infrastructure Network Computing Client) platform for nefarious purposes. This sophisticated JavaScript downloader malware is now delivering a remote access trojan, AsyncRAT, and utilizing BOINC in a covert cyberattack campaign. This blog will delve into the specifics of this exploit, the implications for cybersecurity, and measures to mitigate the risks.

How SocGholish Operates

SocGholish attacks typically begin when unsuspecting users visit compromised websites and are prompted to download a fake browser update. Upon execution, this update triggers the retrieval of additional malicious payloads. In the current attack chain, SocGholish activates two separate sequences: one deploying a fileless variant of AsyncRAT, and the other resulting in the installation of BOINC.

BOINC: A New Vector for Malware

BOINC, a legitimate open-source platform developed by the University of California for distributed high-throughput computing, has been co-opted by threat actors. This platform, typically used for volunteer computing projects and rewarding users with Gridcoin, is being exploited to connect infected systems to actor-controlled domains ("rosettahome[.]cn" or "rosettahome[.]top"). Unveiling SocGholish Malware: Exploiting BOINC for Covert Cyber Operations

The Impact and Potential Risks

As of July 15, 2024, over 10,000 clients are connected to the malicious domains. While no follow-on activities or executed tasks have been observed yet, the threat remains significant. The infected clients could be sold as initial access points to other cybercriminals, potentially leading to ransomware attacks or further malicious exploits. The SocGholish malware's ability to use BOINC by renaming it as "SecurityHealthService.exe" or "trustedinstaller.exe" and setting persistence through scheduled tasks via PowerShell scripts, poses a high risk for broader network compromise.

Response and Mitigation

BOINC project maintainers are actively investigating the issue to thwart this misuse. Evidence suggests this abuse has been ongoing since at least June 26, 2024. The intent behind deploying BOINC on infected hosts remains unclear, but the potential for escalated privileges and lateral movement within networks is a pressing concern.

Conclusion

The exploitation of BOINC by SocGholish malware highlights the evolving tactics of cybercriminals. Leveraging legitimate platforms for malicious purposes underscores the need for robust digital footprint analysis, compromised data tracking, and brand protection. Organizations must remain vigilant, employing advanced stolen credentials detection and darknet monitoring services to safeguard their digital assets.

By understanding and anticipating these threats, businesses can enhance their online risk evaluation and digital threat scoring capabilities, ultimately fortifying their defenses against sophisticated cyberattacks.

About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.