Stratos Ally

SocGholish Malware Exploits BOINC Project for Covert Cyberattacks 

StratosAlly

SocGholish, also known as FakeUpdates, is a JavaScript-based downloader malware. It’s currently being employed to distribute two distinct payloads: a remote access trojan called AsyncRAT and a legitimate open-source application named BOINC. 

BOINC, which stands for Berkeley Open Infrastructure Network Computing Client, is an open-source project managed by the University of California. It’s designed for “volunteer computing,” aiming to perform extensive distributed high-throughput computations by utilizing the processing power of home computers where the application is installed. 

The malicious BOINC installations are configured to connect to specific domains controlled by the attackers (“rosettahome[.]cn” or “rosettahome[.]top”). These domains function as command-and-control (C2) servers, gathering data from infected hosts, delivering payloads, and issuing further instructions. As of July 15, these domains were connected to 10,032 clients.

While the cybersecurity firm hasn’t detected any subsequent activity or commands executed on the infected systems, it speculates that these compromised host connections might be sold as initial access to other cybercriminals, potentially facilitating ransomware attacks.

Typical SocGholish attacks begin when users visit compromised websites. Here, they’re prompted to download a fraudulent browser update. When executed, this update initiates the download of additional malicious payloads to the compromised machines. 

In this instance, the JavaScript downloader activates two separate processes. One leads to the installation of a fileless version of AsyncRAT, while the other results in the deployment of BOINC. 

The BOINC app, disguised as “SecurityHealthService.exe” or “trustedinstaller.exe”, establishes persistence via a scheduled task using PowerShell. Project maintainers are aware of this misuse and are seeking solutions. The abuse dates back to at least June 26, 2024. 
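A defender’s check for the persistence described above, added here as an example and not taken from the article or from the BOINC project: it enumerates scheduled tasks and flags any whose action launches a binary named like the masqueraded client but from outside its legitimate Windows location, or whose arguments reference the C2 domains named in the article. The legitimate paths are assumed to be the standard ones (System32 and the servicing directory); adjust them if your build differs.

```powershell
# Added example (not from the article). Legitimate locations of the two binaries
# whose names the BOINC client was observed hiding behind; anything else is suspect.
$expected = @{
    'securityhealthservice.exe' = @("$env:SystemRoot\System32\SecurityHealthService.exe")
    'trustedinstaller.exe'      = @("$env:SystemRoot\servicing\TrustedInstaller.exe")
}
# C2 domains from the article (defanged brackets removed so they match task arguments).
$c2Domains = @('rosettahome.cn', 'rosettahome.top')

function Get-SuspiciousMasqueradeTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only Exec actions carry an executable; ComHandler actions are skipped.
            if (-not $action.Execute) { continue }
            $exe  = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $name = [IO.Path]::GetFileName($exe).ToLowerInvariant()
            $args = [string]$action.Arguments

            $reasons = @()
            if ($expected.ContainsKey($name)) {
                # A relative path (no directory) is also flagged: the real binaries
                # are always referenced by their full system path.
                $legit = $expected[$name] | Where-Object { $_ -ieq $exe }
                if (-not $legit) { $reasons += "masqueraded name outside legitimate path" }
            }
            foreach ($d in $c2Domains) {
                if ($args -match [regex]::Escape($d)) { $reasons += "argument references $d" }
            }
            if ($reasons.Count -eq 0) { continue }

            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                Execute   = $exe
                Arguments = $args
                Author    = $task.Author
                State     = $task.State
                Reason    = ($reasons -join '; ')
            }
        }
    }
}

# Run from an elevated PowerShell session so tasks in every folder are visible.
Get-SuspiciousMasqueradeTasks | Format-Table -AutoSize
```

A hit on the masquerade rule should be followed by checking the binary’s Authenticode signature and the task’s creation time against the June 26, 2024 start of the campaign.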

The attacker’s motives remain unclear. However, infected clients connecting to malicious BOINC servers pose significant risks, potentially allowing threat actors to execute malicious commands, escalate privileges, or spread laterally through networks. 
