Since July 4, 2024, SocGholish (FakeUpdates) has shown new behavior. The infection chain starts with a compromised website prompting a fake browser update. Downloading the update triggers malicious code that retrieves additional malware.
All about the malware
Recent attacks differ from previous ones by executing additional files and scripts, rather than just installing common RATs.
The initial malicious JavaScript downloads a PowerShell script that bypasses AMSI and retrieves the next stage loader from a DGA domain.
The second stage decodes, decrypts, and decompresses a third-stage PowerShell script using Base64, a hardcoded XOR key, and Gzip compression, which can be analyzed in CyberChef to reveal the final AsyncRAT payload.
In Stage 3, AsyncRAT detects virtual environments by checking for specific strings like “VMware” or “VirtualBox” and assigning scores. A higher score suggests a virtual machine, and this score is sent via a cURL request with a DGA-generated domain. If the score meets the threshold on the C2 server, the final AsyncRAT payload is delivered.
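The Base64 / XOR / Gzip layering described in Stage 2 can be unwrapped outside CyberChef as well, and the decoded text can then be scanned for the VM-check strings mentioned in Stage 3. The script below is an added example, not code from the page or from Huntress; the XOR key and the stage-3 text are constructed placeholders, since the page does not give the real key.

```python
import base64
import gzip

# Constructed placeholder: the real sample uses a hardcoded key this page does not give.
XOR_KEY = b"placeholder-key"

# Strings the page says Stage 3 looks for when scoring a virtual environment.
VM_MARKERS = ("VMware", "VirtualBox")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def unwrap_stage(blob: str, key: bytes = XOR_KEY):
    """Reverse the layering described on the page: Base64 -> XOR -> Gzip -> script text.

    Returns None when the XOR output does not start with the gzip magic bytes,
    which is the usual sign of a wrong key or a wrong layer order.
    """
    xored = xor_bytes(base64.b64decode(blob), key)
    if xored[:2] != b"\x1f\x8b":
        return None
    return gzip.decompress(xored).decode("utf-8")


def wrap_stage(script: str, key: bytes = XOR_KEY) -> str:
    """Forward direction (Gzip -> XOR -> Base64); used here only to build a test sample."""
    return base64.b64encode(xor_bytes(gzip.compress(script.encode("utf-8")), key)).decode("ascii")


def find_vm_markers(script: str) -> list:
    """Return which of the page's VM-detection strings appear in a decoded stage."""
    return [m for m in VM_MARKERS if m in script]


# Constructed stand-in for a decoded Stage 3; not the real payload.
SAMPLE_STAGE3 = (
    "$score = 0\n"
    "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'VMware') { $score += 1 }\n"
    "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'VirtualBox') { $score += 1 }\n"
)

if __name__ == "__main__":
    blob = wrap_stage(SAMPLE_STAGE3)
    decoded = unwrap_stage(blob)
    print("round trip ok:", decoded == SAMPLE_STAGE3)
    print("VM markers found:", find_vm_markers(decoded))
```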
A malicious PowerShell script posing as a BOINC installation uses cURL to download a file, creates a randomly named directory, downloads and extracts a ZIP archive, renames a file (likely BOINC.exe) to disguise the malware, and sets up a scheduled task to run it.
To evade detection, the script deletes itself and creates a registry entry with a misspelled key name (“ExpirienceHost”) as a possible infection marker.
SocGholish malware misuses BOINC to set up a C2 server via a fake client that connects to a malicious server. This could lead to information theft, file transfers, or additional malware deployment.
AsyncRAT infection was found by analyzing scheduled tasks with malicious PowerShell commands disguised as log file names and run by a headless Conhost process.
This establishes AsyncRAT persistence, maintains C2 server connections, and involves tasks linked to a BOINC client, possibly used for cryptocurrency mining or other purposes. Huntress notes that this attack closely mirrors SocGholish methods, using fake browser updates for initial access and obfuscated PowerShell for AsyncRAT deployment.
IOCs
| IP | Domain | Usage |
|---|---|---|
| 64.7.199[.]144 | rosetta[.]top | Malicious BOINC Server |
| 104.238.34[.]204 | rosetta[.]top | Malicious BOINC Server |
| 104.200.73[.]68 | rosetta[.]cn | Malicious BOINC Server |
| 216.245.184[.]105 | rzegzwre[.]top | C2 Server |
| 64.94.84[.]200 | klmnnilmahlkcje[.]top | C2 Server |
| 5.161.214[.]209 | ga1yo3wu78v48hh[.]top | C2 Server |
| File | Hash |
|---|---|
| (Renamed BOINC.exe) Securityhealthservice.exe, Trustedinstaller.exe, Gupdate.exe, ghost.exe, .exe | 91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3 |
| update.js | 4716011ca9325480069bffeb2bbe0629fec6e5f69746f2e47f0a6894f2858c0b |
| update.js | 380bd5f097b8501618cf8b312d68e97b3220c31172f82973fce3084157caa15e |
| Disable-NetAdapterPacketDirect.log | c5bfe4ddcf576b432f4e6ccce10dd3d219ee5f54497e0cc903671783924414a6 |
| Get-PhysicalExtentAssociation_QoS.log | 01a8aeb0b350a1325c86c69722affd410ff886881a405743e1adb23538eff119 |