Lay summary:

FakeSG is a newly discovered malware campaign that tricks people into installing malware by posing as a browser update. Once installed, the malware can give attackers remote control of your computer, which they can use to steal your personal information or install other malware.

FakeSG is spread through compromised websites. When you visit a website that the campaign has compromised, you may be redirected to a fake browser update page. If you click the update button, you will be tricked into installing the malware on your computer.

More technical summary:

  • A new campaign called FakeSG has been discovered that uses compromised websites to trick users into running a fake browser update.
  • The fake updates look very professional and are more up to date than those used in the SocGholish campaign.
  • The threat actors are distributing NetSupport RAT either as a zipped download or via an Internet shortcut.
  • The installation flow for FakeSG is different from that of SocGholish, and it uses different layers of obfuscation and delivery techniques.
  • The NetSupport RAT files are hosted on the same compromised WordPress site used earlier to download the Internet shortcut.
  • Following a successful infection, callbacks are made to the RAT’s command and control server.
  • Fake browser updates are a common decoy used by malware authors, and FakeSG is the latest contender in this space.

Other details:

  • The FakeSG campaign uses different browser templates depending on which browser the victim is running.
  • The source code for the fake updates is loaded from one of several domains impersonating Google or Adobe.
  • The installation flow for FakeSG can also involve downloading a malicious URL shortcut.
  • The NetSupport RAT is a powerful remote access tool that can be used to gather information and perform additional actions on victims of interest.
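The technical summary and the details above both note that the FakeSG installation flow can deliver NetSupport RAT through a Windows Internet shortcut (.url file) downloaded from the fake update page. The script below is an added example written for this summary, not code from the original article or from any vendor tool: it parses the INI-style .url format ([InternetShortcut] section, URL= key) and flags shortcuts whose target is not an ordinary web page, so a downloads folder or mail gateway can triage such files before anyone double-clicks them. The extension list and the sample shortcut contents are constructed for the example; the file names, domains and paths in them are placeholders, not indicators from the article.

```python
"""Triage Windows Internet shortcut (.url) files that point somewhere unexpected.

Added example (not from the original article). A .url file is an INI-style
text file with an [InternetShortcut] section and a URL= key. A benign one
points at a web page; one that resolves to a script, archive or executable,
or to a file:// / UNC path, deserves a closer look before it is opened.
"""
import configparser
from dataclasses import dataclass, field
from pathlib import Path
from urllib.parse import urlsplit

# Targets a "browser update" shortcut should never resolve to.
# (Assumption: list chosen for this example, not taken from the article.)
SUSPICIOUS_EXTENSIONS = (".exe", ".js", ".vbs", ".zip", ".msi", ".hta", ".ps1", ".bat", ".cmd")


@dataclass
class ShortcutVerdict:
    target: str
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def parse_internet_shortcut(text: str) -> str:
    """Return the URL= value from the [InternetShortcut] section, or raise ValueError."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case exactly as written in the file
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        raise ValueError(f"not a valid Internet shortcut: {exc}") from exc
    if not parser.has_section("InternetShortcut"):
        raise ValueError("no [InternetShortcut] section")
    url = parser.get("InternetShortcut", "URL", fallback="")
    if not url.strip():
        raise ValueError("no URL= entry")
    return url.strip()


def assess_shortcut(text: str) -> ShortcutVerdict:
    """Parse one .url file's contents and record why its target looks suspicious."""
    target = parse_internet_shortcut(text)
    verdict = ShortcutVerdict(target=target)
    parts = urlsplit(target)
    scheme = parts.scheme.lower()
    if scheme == "file" or target.startswith("\\\\"):
        verdict.findings.append("target is a local or UNC file path, not a web page")
    elif scheme not in ("http", "https"):
        verdict.findings.append(f"unexpected URL scheme '{scheme}'")
    path = parts.path.lower()
    for ext in SUSPICIOUS_EXTENSIONS:
        if path.endswith(ext):
            verdict.findings.append(f"target resolves to a {ext} file")
            break
    return verdict


def load_shortcut_text(path: Path) -> str:
    """Read a .url file; Windows may write them as UTF-8 with BOM or as UTF-16."""
    raw = path.read_bytes()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


def scan_directory(directory: Path) -> dict:
    """Map each .url file in a directory to its verdict (parse errors become findings)."""
    results = {}
    for path in sorted(directory.glob("*.url")):
        try:
            results[path.name] = assess_shortcut(load_shortcut_text(path))
        except ValueError as exc:
            results[path.name] = ShortcutVerdict(target="", findings=[str(exc)])
    return results


# Constructed sample shortcuts (placeholder hosts, not indicators from the article).
BENIGN_SHORTCUT = "[InternetShortcut]\nURL=https://www.example.com/docs/\n"
SUSPECT_SHORTCUT = "[InternetShortcut]\nURL=https://update-example.invalid/Browser_Update.js\nIconIndex=0\n"
UNC_SHORTCUT = "[InternetShortcut]\nURL=file://fileserver.invalid/share/update.exe\n"

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_SHORTCUT), ("suspect", SUSPECT_SHORTCUT), ("unc", UNC_SHORTCUT)):
        verdict = assess_shortcut(text)
        print(f"{label}: {verdict.target} -> {verdict.findings or 'ok'}")
```

The check deliberately looks only at where the shortcut points, not at the page that served it: a shortcut downloaded from a fake update page is only dangerous when it leads the user to something that executes, so that target is the cheapest place to decide whether the file needs sandbox detonation or a block.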