
AsyncRAT, BOINC deployed through SocGholish


Threat actors have been leveraging the SocGholish downloader malware, also known as FakeUpdates, to deliver the AsyncRAT trojan and a malicious build of the Berkeley Open Infrastructure Network Computing Client (BOINC), a volunteer computing platform maintained by the University of California, reports Security Affairs.

AsyncRAT and BOINC are installed in the final stage of the multi-stage attack, and the BOINC client is used to exfiltrate system information once it has connected to a remote server, an analysis from Huntress revealed. "These malicious installations of BOINC come configured to connect not to one of the legitimate BOINC servers but instead to a look-alike server such as Rosettahome[.]top. From a malicious server, host data can be collected, files can be transferred, and any number of tasks can be sent down to the hosts and executed. So basically it can operate as a C2," said researchers. The issue has already been reported to the BOINC project's administrators.
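A defender-side check that follows from the Huntress finding, added here as an example and not code from Huntress, SC Media or the BOINC project: scan BOINC's per-project account files for a project master URL whose host is not on a locally maintained allowlist of legitimate BOINC servers. It assumes the BOINC data directory holds `account_*.xml` and `client_state.xml` files with a `<master_url>` element, and the allowlist contents are an illustrative assumption to be replaced with local policy.

```python
import glob
import os
from urllib.parse import urlparse
from xml.etree import ElementTree as ET

# Assumption: the hosts an organisation sanctions for BOINC; extend to taste.
LEGIT_BOINC_HOSTS = {
    "boinc.bakerlab.org",        # Rosetta@home
    "www.worldcommunitygrid.org",
}


def refang(indicator):
    """Turn a defanged indicator such as Rosettahome[.]top back into a hostname."""
    return indicator.replace("[.]", ".").lower()


def project_urls(xml_text):
    """Return every <master_url> value found in a BOINC account/client_state body."""
    root = ET.fromstring(xml_text)
    return [e.text.strip() for e in root.iter("master_url") if e.text]


def suspicious_hosts(xml_text, allowlist=LEGIT_BOINC_HOSTS):
    """Hosts referenced as project master URLs that are not on the allowlist."""
    flagged = []
    for url in project_urls(xml_text):
        host = (urlparse(url).hostname or "").lower()
        if host not in allowlist:
            flagged.append(host)
    return flagged


def scan_boinc_dir(data_dir, allowlist=LEGIT_BOINC_HOSTS):
    """Map each BOINC config file under data_dir to its non-allowlisted hosts."""
    patterns = ("account_*.xml", "client_state.xml")
    results = {}
    for pattern in patterns:
        for path in glob.glob(os.path.join(data_dir, pattern)):
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = suspicious_hosts(fh.read(), allowlist)
            if hits:
                results[path] = hits
    return results


# Constructed sample files: one pointing at the look-alike server named in the
# Huntress analysis (refanged so it parses), one at a legitimate project.
SAMPLE_MALICIOUS = f"""<account>
    <master_url>https://{refang("Rosettahome[.]top")}/rosetta/</master_url>
    <authenticator>constructed-placeholder</authenticator>
</account>"""
SAMPLE_LEGIT = """<account>
    <master_url>https://boinc.bakerlab.org/rosetta/</master_url>
</account>"""
```

Run `scan_boinc_dir` against the client's data directory on each host; any non-empty result is a lead worth triaging alongside the SocGholish indicators.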
