Malwarebytes researchers have uncovered a potential competitor of Fake Updates (SocGholish) in the wild named FakeSG. The attack campaign pushes NetSupport RAT, allowing threat actors to gain remote access and deliver additional payloads onto victims’ systems.

What do you need to know about FakeSG?

FakeSG relies on compromised WordPress sites to display a custom landing page mimicking the victim’s browser.
  • These hacked websites are injected with a code snippet that replaces the current webpage with fake update templates.
  • The code is loaded from one of several domains impersonating Google, Adobe, or GTM and contains all the web elements (images, fonts, and text) needed to render the fake browser update page.
  • While the victim is tricked into running what they believe is a browser update, NetSupport RAT is deployed in the background.
  • The campaign uses either internet shortcuts or ZIP files to download the malicious payload.
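The injection pattern described above (a script tag added to a compromised site that loads the fake-update template from a brand-lookalike domain) is something a site owner can check for on their own pages. The following is an added example for defenders, not code from Malwarebytes or from the campaign: it parses a page's script sources and flags external hosts that borrow the Google, Adobe, or GTM name without belonging to those brands, plus any third-party host not on the site's own allowlist. The trusted suffixes, the allowlist, and the sample page with its lookalike hostnames are all constructed for the example and are not indicators from the report.

```python
"""Scan a WordPress page for injected <script> tags that pull code from
brand-lookalike hosts.  Added defender-side example; hostnames and the
sample page are constructed, not indicators from the report."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand names the report says the loader domains impersonate.
BRAND_KEYWORDS = ("google", "adobe", "gtm")

# Assumed legitimate domain suffixes for those brands; extend for your site.
TRUSTED_SUFFIXES = (
    "google.com", "googleapis.com", "gstatic.com", "googletagmanager.com",
    "adobe.com", "typekit.net",
)


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def is_trusted(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def brand_lookalike(host):
    """True when a host borrows a brand name without being that brand's domain."""
    host = host.lower()
    return any(k in host for k in BRAND_KEYWORDS) and not is_trusted(host)


def find_suspicious_scripts(html, allowed_hosts=()):
    """Return findings for external script sources on the page.

    allowed_hosts: third-party hosts the site owner knowingly loads from
    (analytics, CDNs), so they are not reported as unexpected."""
    parser = ScriptSrcParser()
    parser.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for src in parser.sources:
        host = urlparse(src).hostname  # None for same-site relative paths
        if host is None:
            continue
        if brand_lookalike(host):
            findings.append({"src": src, "host": host, "reason": "brand-lookalike host"})
        elif not is_trusted(host) and host.lower() not in allowed:
            findings.append({"src": src, "host": host, "reason": "unexpected external host"})
    return findings


# Constructed sample: one legitimate GTM tag, one known analytics host,
# and two injected loaders on brand-lookalike placeholder domains.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<script src="https://stats.example.net/s.js"></script>
<script src="https://gtm-cdn.example/loader.js"></script>
<script src="https://cdn.adobe-fonts.example/fonts.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for f in find_suspicious_scripts(SAMPLE_PAGE, allowed_hosts=["stats.example.net"]):
        print(f"{f['reason']:24} {f['host']:28} {f['src']}")
```

Run it against the HTML that visitors actually receive (fetched with a plain browser user agent, since injected snippets are often served conditionally) rather than against the theme files on disk. The allowlist is what keeps the check usable: most sites legitimately load analytics or CDN scripts, so the aim is to notice a host you never added, not to block all third parties.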

Overlaps with SocGholish

The TTPs of FakeSG closely resemble those of SocGholish, including the deployment of NetSupport RAT in the final stage.
  • Like SocGholish, FakeSG uses hacked websites and template source code to infect users.
  • However, FakeSG's template source code looks more polished and up-to-date than that of SocGholish.
  • Further, the payload was delivered through different infrastructure.

Why this matters

FakeSG relies on fake browser updates to infect users. While FakeUpdates has been present in the threat landscape for over five years, the emergence of a new contender raises concern and an urgent need to protect websites. With around 50% of sites vulnerable to attacks, attackers can easily compromise them, inject malicious code, and use them as a launch point against visitors.

Conclusion

As researchers continue to monitor the FakeSG campaign, organizations can leverage IOCs and the MITRE ATT&CK framework to gain better insight into the current attack campaign. Additionally, it is recommended to patch any vulnerabilities in your WordPress websites to thwart such attacks.
Cyware Publisher