The JavaScript downloader malware known as SocGholish (aka FakeUpdates) has been used to deliver a remote access trojan called AsyncRAT, as well as a legitimate open source project called BOINC.
BOINC stands for Berkeley Open Infrastructure Network Computing Client, and is an open-source “volunteer computing” platform managed by the University of California that aims to perform “large-scale distributed high-throughput computing” using participating home computers that have the app installed.
“In that respect (using computational resources to perform work), it is similar to a cryptocurrency miner, and is actually designed to reward users with a specific type of cryptocurrency called Gridcoin that is designed for this purpose,” Huntress researchers Matt Anderson, Alden Schmidt and Greg Linares said in a report published last week.
These malicious installations are configured to connect to attacker-controlled domains (“rosettahome(.)cn” or “rosettahome(.)top”) that essentially act as a command-and-control (C2) server, collecting host data, sending payloads, and pushing further commands. As of July 15, there are 10,032 clients connected to the two domains.
The cybersecurity firm said that while it has not observed any subsequent activity or tasks performed by the infected hosts, it hypothesizes that “the host connections may be sold as an initial access vector and used by other attackers to execute ransomware.”
The SocGholish attack sequence typically begins when a user visits a compromised website where they are prompted to download a fake browser update, which, when executed, triggers the retrieval of additional payloads onto the compromised machine.
In this case, the JavaScript downloader activates two separate chains: one that leads to the deployment of a fileless variant of AsyncRAT, and the other that leads to the installation of BOINC.
The BOINC app, which has been renamed to “SecurityHealthService.exe” or “trustedinstaller.exe” to evade detection, establishes persistence through a scheduled task created by a PowerShell script.
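The two indicators the article gives for this chain (the C2 domains and the renamed BOINC binary launched from a scheduled task) are enough to build a first-pass hunt. The script below is an added example, not code from the Huntress report or from the BOINC project: it scans a constructed key=value DNS log for lookups of the two domains (including subdomains) and a constructed `schtasks /query /v /fo CSV` style export for tasks whose action runs `SecurityHealthService.exe` or `trustedinstaller.exe`. Because both names also belong to genuine Windows binaries, a task is flagged only when the executable sits outside the path the real binary uses; those expected paths, the log formats and all sample rows are assumptions for the example.

```python
"""Added hunting example for the SocGholish/BOINC indicators described above.

Not from the Huntress report or the BOINC project. Log format, expected
binary paths and every sample record below are constructed assumptions.
"""
import csv
import io
import re
from dataclasses import dataclass

# Attacker-controlled domains named in the report (shown defanged in the text).
C2_DOMAINS = {"rosettahome.cn", "rosettahome.top"}

# Names the renamed BOINC client uses -> where the genuine Windows binary of
# that name lives on a default install (assumption; adjust for your build).
EXPECTED_PATHS = {
    "securityhealthservice.exe": r"c:\windows\system32\securityhealthservice.exe",
    "trustedinstaller.exe": r"c:\windows\servicing\trustedinstaller.exe",
}


@dataclass(frozen=True)
class Finding:
    source: str    # "dns" or "task"
    host: str
    reason: str
    evidence: str


def domain_matches(qname, bad_domains=C2_DOMAINS):
    """True if qname is one of the C2 domains or a subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in bad_domains)


def dns_findings(lines):
    """Scan key=value resolver log lines for lookups of the C2 domains."""
    found = []
    for line in lines:
        m = re.search(r"client=(\S+).*?qname=(\S+)", line)
        if not m:
            continue
        host, qname = m.groups()
        if domain_matches(qname):
            found.append(Finding("dns", host, f"lookup of C2 domain {qname}", line))
    return found


def task_findings(csv_text):
    """Scan a schtasks CSV export for the renamed client in a non-standard path."""
    found = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = row.get("Task To Run", "")
        # Keep only the executable; arguments after the first .exe are dropped.
        m = re.match(r'\s*"?(.+?\.exe)', cmd, re.IGNORECASE)
        if not m:
            continue
        exe = m.group(1).strip().lower()
        name = exe.rsplit("\\", 1)[-1]
        expected = EXPECTED_PATHS.get(name)
        if expected and exe != expected:
            found.append(Finding("task", row["HostName"],
                                 f"{name} running from unexpected path", cmd))
    return found


# Constructed sample inputs (not real telemetry; the report gives no file path).
SAMPLE_DNS_LOG = [
    "2024-07-15T10:02:11Z client=WS01 qname=rosettahome.cn qtype=A",
    "2024-07-15T10:02:12Z client=WS01 qname=boinc.berkeley.edu qtype=A",
    "2024-07-15T10:03:40Z client=WS02 qname=sched.rosettahome.top qtype=A",
    "2024-07-15T10:04:01Z client=WS03 qname=notrosettahome.cn qtype=A",
]

SAMPLE_TASKS_CSV = r'''"HostName","TaskName","Task To Run"
"WS01","\UpdaterTask","C:\Users\Public\Libraries\SecurityHealthService.exe --daemon"
"WS02","\Microsoft\Windows\Maintenance","C:\Windows\System32\SecurityHealthService.exe"
"WS02","\Servicing\Cleanup","C:\Windows\servicing\TrustedInstaller.exe"
'''


def hunt(dns_lines=SAMPLE_DNS_LOG, tasks_csv=SAMPLE_TASKS_CSV):
    """Run both checks and return every finding."""
    return dns_findings(dns_lines) + task_findings(tasks_csv)


if __name__ == "__main__":
    for f in hunt():
        print(f"[{f.source}] {f.host}: {f.reason}\n    {f.evidence}")
```

On the sample data this reports the two hosts resolving the C2 domains (the look-alike `notrosettahome.cn` is not matched, since the check requires an exact label boundary) and the one task that runs `SecurityHealthService.exe` from a user-writable directory, while the genuine System32 and servicing binaries pass. In practice, feed it your resolver logs and a per-host `schtasks` export, and extend `EXPECTED_PATHS` if your image installs those binaries elsewhere.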
The malicious use of BOINC has come to the attention of the project maintainers, who are currently investigating the issue and finding a way to “defeat the malware.” Evidence of the exploit dates back to at least June 26, 2024.
“At this time, the motives and intent of the threat actors in loading this software onto infected hosts are unclear,” the researchers said.
“Once an infected client actively connects to a malicious BOINC server, it poses a very high risk, as a motivated threat actor could exploit this connection to execute any number of malicious commands or software on the host to further escalate privileges or move laterally through the network to compromise an entire domain.”
The development comes after Check Point announced that it is tracking the use of compiled V8 JavaScript by malware authors to evade static detection and hide remote access trojans, stealers, loaders, cryptocurrency miners, wipers and ransomware.
“In the ongoing battle between security experts and threat actors, malware developers are constantly coming up with new tricks to hide their attacks,” said security researcher Moshe Marelus. “It’s not surprising that they’ve started using V8, as the technology is widely used to create software, given that it’s both widespread and very difficult to analyze.”