SocGholish Loader Infects BOINC with AsyncRAT Trojan
Experts from Huntress report that the malicious JavaScript loader SocGholish is being used to deliver the AsyncRAT trojan through the open-source computing project BOINC.
BOINC (Berkeley Open Infrastructure Network Computing Client) is an open platform for “volunteer computing,” supported by the University of California, Berkeley, to conduct high-performance computations for scientific projects using the home computers of volunteers who have installed the appropriate application. Essentially, BOINC is similar to a cryptocurrency miner— the platform utilizes computer resources for its operations and rewards users with Gridcoin, a cryptocurrency specifically developed for this purpose.
In the detected campaign, malicious BOINC installations are configured to connect to the attacker’s domains (rosettahome[.]cn and rosettahome[.]top), which serve as C2 servers for gathering host data, delivering payloads, and issuing further commands. As of July 15, 10,032 clients were connected to these two domains.
Although experts have not observed any subsequent activity on the infected hosts, it is suggested that these connections could be sold to other malicious actors, creating the potential for using the hosts as initial points for ransomware deployment.
A typical SocGholish attack sequence begins when users visit compromised websites, where they are prompted to download a fake browser update. Upon executing the “update,” the malware downloads additional components onto the infected machines.
In this case, the JavaScript loader activates two distinct chains: one leading to the installation of a fileless version of AsyncRAT, and the other to the installation of BOINC. The BOINC application masquerades as “SecurityHealthService.exe” or “trustedinstaller.exe” to avoid detection and maintain its presence through a scheduled task. The BOINC project has already noticed the misuse of its platform for malicious purposes and is actively investigating the issue. Cases of abuse have been recorded since June 26, 2024.
AsyncRAT possesses numerous capabilities, such as keylogging, audio/video recording, information theft, remote desktop control, password recovery, remote shell execution, payload delivery, and more.
Active connections of infected clients to malicious BOINC servers pose a significant risk. Malicious actors can use these connections to execute any commands or install malware, potentially leading to privilege escalation or network propagation and compromise of the entire domain.
