{"id":22500,"date":"2023-07-18T16:10:14","date_gmt":"2023-07-19T00:10:14","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/07\/18\/news-16230\/"},"modified":"2023-07-18T16:10:14","modified_gmt":"2023-07-19T00:10:14","slug":"news-16230","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/07\/18\/news-16230\/","title":{"rendered":"FakeSG enters the ‘FakeUpdates’ arena to deliver NetSupport RAT"},"content":{"rendered":"

Over 5 years ago, we began tracking a new campaign that we called FakeUpdates<\/a> (also known as SocGholish<\/a>) that used compromised websites to trick users into running a fake browser update. Instead, victims would end up infecting their computers with the NetSupport RAT, allowing threat actors to gain remote access and deliver additional payloads. As we have seen over the years, SocGholish is an established player that has managed to compromise countless victims and deliver ransomware after facilitating the installation<\/a> of tools like Cobalt Strike or Mimikatz.<\/p>\n

Now, there is a potential new competitor in the “fake updates” landscape that looks strangely familiar. The new campaign, which we call FakeSG, also relies on hacked WordPress websites to display a custom landing page mimicking the victim’s browser. The threat actors are distributing NetSupport RAT either as a zipped download or via an Internet shortcut. While FakeSG appears to be a newcomer, it uses different layers of obfuscation and delivery techniques that make it a threat to take seriously and which could rival potentially rival with SocGholish.  <\/p>\n

Campaign similarities<\/h2>\n

We first heard of this new campaign thanks to a Mastodon post<\/a> by Randy McEoin<\/a>. The tactics, techniques and procedures (TTPs) are very similar to those of SocGholish and it would be easy to think the two are related. In fact, this chain also leads to NetSupport RAT. However, the template source code is quite different and the payload delivery uses different infrastructure. As a result, we decided to call this variant FakeSG.<\/p>\n

\"Original<\/p>\n

Templates<\/h2>\n

FakeSG has different browser templates depending on which browser the victim is running. The themed “updates” look very professional and are more up to date than its SocGholish counterpart.<\/p>\n

\"Fake<\/p>\n

\"Fake<\/p>\n

\"Fake<\/p>\n

Website injections<\/h2>\n

Compromised websites (WordPress appears to be the top target) are injected with a code snippet that replaces the current webpage with the aforementioned fake updates templates. The source code is loaded from one of several domains impersonating Google (google-analytiks[.]com) or Adobe (updateadobeflash[.]website):<\/p>\n

\"Malicious<\/p>\n

That code contains all the web elements (images, fonts, text) needed to render the fake browser update page. We should note that SocGholish used to retrieve media files from separate web requests until more recently when it started using self-contained Base64 encoded images.<\/p>\n

\"Source<\/p>\n

Installation flow<\/h2>\n

There are different installation flows for this campaign, but we will focus on the one that uses a URL shortcut. The decoy installer (Install%20Updater%20(V104.25.151)-stable.url<\/em>) is an Internet shortcut downloaded from another compromised WordPress site.<\/p>\n

\"MaliciousThis shorcut uses the WebDav HTTP protocol extension to retrieve the file launcher-upd.hta<\/em> from a remote server:<\/p>\n

\"WebDav<\/p>\n

This heavily obfuscated script is responsible for the execution of PowerShell that downloads the final malware payload (NetSupport RAT).<\/p>\n

\"Source<\/p>\n

Malwarebytes’s EDR shows the full attack chain (please click to enlarge):<\/p>\n

\"Killchain<\/a><\/p>\n

The NetSupport RAT files are hosted on the same compromised WordPress site used earlier to download the Internet shortcut. The RAT’s main binary is launched from “C:Users%username%AppDataRoamingBranScaleclient32.exe<\/em>“.<\/p>\n

\"NetSupport<\/p>\n

Following a successful infection, callbacks are made to the RAT’s command and control server at 94.158.247[.]27.<\/p>\n

\"Web<\/p>\n

Roomates<\/h2>\n

Fake browser updates are a very common decoy used by malware authors. In addition to SocGholish, the Domen toolkit<\/a> was a well-built framework that emerged in 2019 while another campaign known as sczriptzzbn<\/a> dropped SolarMarker leading to the NetSupport RAT in both cases. Initial access brokers use tools like NetSupport RAT to gather information and perform additional actions on victims of interest. Stolen credentials can be resold to other threat actors tied to ransomware gangs.<\/p>\n

It is interesting to see another contender in this relatively small space. While there is a very large number of vulnerable websites, we already see some that have been injected with multiple different malicious code. From a visitor’s point of view, this means there could be more than one redirect but the “winner” will be the one who is able to execute their malicious JavaScript code first.<\/p>\n

We will continue to monitor these campaigns and in particular SocGholish to see if the web delivery landscape changes. Malwarebytes customers are protected as we detect the infrastructure and final payload used in these attacks.<\/p>\n

\"EDR<\/p>\n<\/p>\n

Indicators of Compromise (IOCs)<\/h2>\n

FakeSG infrastructure<\/strong><\/p>\n

178.159.37[.]73
google-analytiks[.]com
googletagmanagar[.]com
updateadobeflash[.]website<\/pre>\n
WebDav launcher<\/strong><\/p>\n
206[.]71[.]148[.]110
206[.]71[.]148[.]110\/Downloads\/launcher-upd[.]hta<\/pre>\n
NetSupport RAT<\/strong><\/p>\n
pietrangelo[.]it\/wp-content\/uploads\/2014\/04\/BranScale[.]zip
pietrangelo[.]it\/wp-content\/uploads\/2014\/04\/client32[.]exe<\/pre>\n
NetSupport RAT C2<\/strong><\/p>\n
94[.]158[.]247[.]27<\/pre>\n
MITRE ATT&CK techniques<\/h2>\n <\/p>\n\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
 
Tactic<\/strong><\/td>\nID<\/strong><\/td>\nName<\/strong><\/td>\nDetails<\/strong><\/td>\n<\/tr>\n
Execution<\/td>\nT1059<\/a><\/td>\nCommand and Scripting Interpreter<\/td>\nPowershell used to download payload<\/td>\n<\/tr>\n
T1059.001<\/a><\/td>\nPowershell<\/td>\nStarts POWERSHELL.EXE for commands execution<\/td>\n<\/tr>\n
T1059.003<\/a><\/td>\nWindows Command Shell<\/td>\nStarts CMD.EXE for commands execution<\/td>\n<\/tr>\n
Privilege escalation<\/td>\nT1548<\/a><\/td>\nAbuse Elevation Control Mechanism<\/td>\nEncoded PowerShell<\/td>\n<\/tr>\n
T1548.002<\/a><\/td>\nBypass User Account Control<\/td>\n <\/td>\n<\/tr>\n
Defense evasion<\/td>\nT1564<\/a><\/td>\nHide Artifacts<\/td>\n Encoded PowerShell<\/td>\n<\/tr>\n
T1218<\/a><\/td>\nSystem Binary Proxy Execution<\/td>\n Drops CMSTP.inf in %temp%<\/td>\n<\/tr>\n
T1027<\/a><\/td>\nObfuscated Files or Information<\/td>\n Drops th5epzxc.cmdline in %temp%<\/td>\n<\/tr>\n
T1112<\/a><\/td>\nModify Registry<\/td>\nAdds key to registry: HKEY_CLASSES_ROOTCLSID{645FF040-5081-101B-9F08-00AA002F954E}shellopencommand \/f \/ve \/t REG_SZ \/d C:UsersadminAppDataRoamingBranScaleclient32.exe<\/td>\n<\/tr>\n
T1548<\/a><\/td>\nAbuse Elevation Control Mechanism<\/td>\n <\/td>\n<\/tr>\n
T1140<\/a><\/td>\nDeobfuscate\/Decode Files or Information<\/td>\n Encoded PowerShell<\/td>\n<\/tr>\n
Discovery<\/td>\nT1082<\/a><\/td>\nSystem Information Discovery<\/td>\nGets computer name<\/td>\n<\/tr>\n
C&C<\/td>\nT1071<\/a><\/td>\nApplication Layer Protocol<\/td>\nNetSupport RAT C2 communication<\/td>\n<\/tr>\n
T1571<\/a><\/td>\nNon-Standard Port<\/td>\nPort destination: 5051<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
\n
Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.<\/p>\n
TRY NOW<\/a><\/p>\n
https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"\n\n
\n
Categories: Threat Intelligence<\/a><\/p>\n
Tags: fakeupdates<\/p>\n
Tags: socgholish<\/p>\n
Tags: netsupport<\/p>\n
Tags: RAT<\/p>\n
A new campaign leveraging compromised WordPress sites emerges with another fake browser update.<\/p>\n\n\n
\n
(Read more…<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n
The post FakeSG enters the ‘FakeUpdates’ arena to deliver NetSupport RAT<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[18060,22815,1810,22816,12040],"class_list":["post-22500","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-fakeupdates","tag-netsupport","tag-rat","tag-socgholish","tag-threat-intelligence"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22500","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=22500"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22500\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=22500"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=22500"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=22500"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}