Threat actors deliver NetSupport RAT through a new campaign called Fake SG which could rival with SocGholish.
This campaign utilizes hacked WordPress websites to display a custom landing page mimicking the victim’s browser to deliver payloads to compromise victims.
According to Malwarebytes lab, these types of campaigns have been active since 2019, and Fake SG is a newbie to the arsenal.
One of the campaigns, called “FakeUpdates” (also called “SocGholish”), tricked people into running a fake browser update by hacking their websites.
Fake Update Page Mimicking Victim’s Browser
SocGholish is a well-known player who has hacked a lot of people and sent spyware to them after helping them install tools like Cobalt Strike and Mimikatz.
Initially, the threat actors took control of the compromised websites, mostly targeting WordPress and injecting the code snippet to show fake update templates.
FakeSG has different browser templates depending on which browser the victim is running.
The themed “updates” look very professional and are more up-to-date than its SocGholish counterpart.
The threat actors load source code of many domains like google-analytiks[.]com and updateadobeflash[.]website, pretending to be Google and Adobe, respectively.
That source file has all the graphics, fonts, and text that will be used to display the fake browser update page in order to look legit.
SocGholish has just switched to utilizing self-contained Base64 encoded images, but previously it relied on external web queries to retrieve media files.
This campaign follows different ways to install the RAT malware on the compromised device. One of the techniques used is URL shortcuts.
It utilizes the decoy installer (Install%20Updater%20(V104.25.151)-stable. URL), an Internet shortcut downloaded from another compromised WordPress site.
This shortcut downloads the file launcher-up.hta from a remote server using the WebDav extension to the HTTP protocol.
This complexly encrypted script launches PowerShell to download the actual malware NetSupport RAT.
Once NetSupport RAT is successfully installed, it will connect with the C2 server to extract the information.
Source: https://cybersecuritynews.com/fake-update-page-netsupport-rat/
