Researchers discovered a new RAT called FakeSG that could be a potential competitor for the SocGholish operation. Based on reports, the threat campaign leverages NetSupport RAT, allowing the threat actors to acquire remote access and deliver additional payloads onto an infected victim’s system.
FakeSG RAT exploits compromised WordPress websites to execute its attacks and deceive its targets.
According to investigations, the newly discovered FakeSG RAT operation relies heavily on infected WordPress websites to display a custom landing page that impersonates the target’s browser.
Moreover, the attackers inject a code snippet into the hacked websites that replaces the current webpage with a fake update template. The attack then loads code from one of several domains that impersonate Adobe, GTM, and Google. These spoofed domains also host the web elements, such as images, fonts, and text, needed to deceive a user.
NetSupport RAT then runs in the background while the victim interacts with a fake page posing as a browser update. The campaign delivers the payload through either internet shortcuts or ZIP archives.
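As an added example (not code from the original report), a small check a site owner could run over a page’s served HTML: it lists external script, stylesheet and iframe references whose hostnames carry a brand name such as Adobe, GTM or Google but are not that vendor’s real domain, which is the pattern the injected loaders described above rely on. The allowlist, brand list, and sample HTML are assumptions constructed for the example.

```python
# Flag external script/stylesheet/iframe references whose hostnames look like
# Adobe, Google Tag Manager (GTM) or Google but are not those vendors' domains.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Registrable domains treated as the genuine vendors (assumption: a site
# owner tunes this allowlist to the third parties the site really uses).
LEGIT = {"adobe.com", "googletagmanager.com", "google.com", "gstatic.com",
         "googleapis.com"}
BRANDS = ("adobe", "gtm", "google")  # brand strings a spoofed host may carry

class _RefCollector(HTMLParser):
    # Collect the URLs of the resources a page pulls in.
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.refs.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.refs.append(a["href"])

def registrable(host):
    # Crude last-two-labels approximation of the registrable domain.
    return ".".join(host.lower().split(".")[-2:])

def find_lookalike_refs(html):
    # Return external references that mimic a brand but are not allowlisted.
    parser = _RefCollector()
    parser.feed(html)
    hits = []
    for url in parser.refs:
        host = urlparse(url).hostname
        if not host or registrable(host) in LEGIT:
            continue  # relative URL (served locally) or genuine vendor
        if any(brand in host.lower() for brand in BRANDS):
            hits.append(url)
    return hits

# Constructed sample: genuine GTM tag, genuine font stylesheet, local jQuery,
# and two injected lookalike loaders on placeholder domains.
SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn-adobe-update.example/loader.js"></script>
<iframe src="//gtm-cdn.invalid/frame.html"></iframe>
</head><body></body></html>"""
```

The last-two-labels domain approximation misfires on multi-label public suffixes such as co.uk, so a production check should use a public-suffix list instead.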
The tactics, techniques, and procedures used by FakeSG are identical to those of SocGholish. One example of these shared TTPs is the deployment of NetSupport RAT in the final stage of the attack.
FakeSG RAT also utilises hacked websites and template source code to compromise its targets. However, FakeSG’s template source code appears more elegant and up to date than SocGholish’s.
FakeSG depends on fake browser updates to execute attacks and infect users. The emergence of this operation raises concerns for many users and threat analysts, even though SocGholish has existed for five years. Researchers explained that users should improve the protection of their websites, since 50% of sites are susceptible to these kinds of attacks. Experts also noted that attackers could easily leverage vulnerable websites as an attack source to deploy malicious code and infect victims.
Organisations and users should leverage the available IOCs to better understand the current cybercriminal operation, since researchers are still studying the new FakeSG campaign. Researchers suggest that users patch vulnerabilities in WordPress websites to mitigate or prevent such attacks.