root@rebel:~$ cd /news/threats/fake-chrome-update-campaigns-deploying-netsupport-rat_
[TIMESTAMP: 2026-03-16 04:57 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Fake Chrome Update Campaigns Deploying NetSupport RAT

AI-Assisted Analysis
READ_TIME: 4 min read
// executive briefing tl;dr
  • [01] Attackers are compromising legitimate websites to display fake Chrome update overlays that trick users into downloading malicious remote access tools.
  • [02] Targets are Windows endpoints whose users visit compromised WordPress sites; injected, obfuscated JavaScript runs in the browser and serves the lure that delivers the payload.
  • [03] Defenders should implement endpoint controls to block unauthorized NetSupport binaries and use DNS filtering to prevent connections to known malicious domains.

Overview of the Fake Update Campaign

A persistent threat campaign continues to target users by leveraging compromised websites to display deceptive browser update notifications. According to SANS ISC, these campaigns typically use a framework commonly referred to as ‘ClearFake’, which injects malicious JavaScript into legitimate web pages. When a user visits an infected site, the script fingerprints the visitor’s environment and, if specific criteria are met, displays a convincing overlay claiming that the user’s browser is out of date.

This social-engineering technique is effective because no email is involved: the lure is served from a reputable but compromised domain the user chose to visit, so email security gateways never see it. The objective is to convince the user to manually download and run a file, often named ‘Chrome_Update.zip’ or similar, which is the initial infection vector for the NetSupport RAT (NetSupport Manager, a commercial remote administration tool repurposed as a remote access trojan).

Analysis of NetSupport RAT Delivery via Compromised Sites

The campaign relies on multiple layers of obfuscation so that the injected script does not stand out to web filters, EDR, or proxy telemetry. Once the malicious JavaScript runs, it typically contacts a C2 server to fetch the overlay content and parameters, so the compromised page itself carries little that is obviously malicious. The overlay mirrors the real update UI of Google Chrome or Microsoft Edge, which makes it hard for non-technical users to tell apart from a legitimate browser notification.

Clicking the ‘Update’ button downloads a ZIP archive to the victim’s machine. Inside, attackers typically place a heavily obfuscated loader or an installer that looks legitimate; in recent observations this loader ultimately drops the NetSupport RAT. NetSupport Manager is a legitimate remote administration product, but threat actors frequently co-opt it to maintain persistence, exfiltrate data, and move laterally within a compromised network. Detecting this malware therefore needs a multi-faceted approach that looks not only at the file itself but at the anomalous network behaviour around it: the initial JavaScript injection and the subsequent unauthorized remote-access traffic.

NetSupport RAT Persistence and Capability

Once installed, the RAT establishes persistence via registry Run keys or scheduled tasks. It lets the attacker watch the screen, transfer files, and execute arbitrary commands. Because the binary is a legitimate product, many antivirus engines will not flag it as inherently malicious unless the attacker’s configuration (for NetSupport, the client32.ini that carries the client’s connection settings) or other IoC signatures are already known. Detection therefore falls to the SOC: monitor for execution of remote-administration tools in any context where the IT department has not officially deployed them.

Identifying NetSupport RAT Delivery via Compromised Sites

Detection efforts should focus on both the delivery mechanism and the payload behavior. Security teams can look for the following indicators:

  • JavaScript Anomalies: Monitor for large blocks of Base64 encoded or heavily obfuscated JavaScript appearing in web traffic from common CMS platforms like WordPress.
  • Unexpected Downloads: Log and alert on ZIP or EXE downloads whose filename contains ‘Chrome’ or ‘Update’ and whose source is not the vendor’s own domain.
  • Binary Execution: Use application control (allowlisting) or EDR policies to block execution of the NetSupport client (client32.exe), including renamed copies identified by file hash or PE metadata, unless it is part of a verified administrative toolset.
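The following Python is an added example, not code from the article or from SANS ISC, that turns the three indicators above into checks run over constructed sample data: a page carrying a long base64 blob next to eval(atob(...)), a few proxy log lines in an assumed "<timestamp> <client_ip> <method> <url> <status>" format, and Sysmon-style process-creation events. The vendor-domain allowlist, the approved NetSupport install path, the base64 length threshold, and the event field names are all assumptions to adapt to your own telemetry.

```python
import base64
import re
from urllib.parse import urlparse

# ---------- 1. JavaScript anomalies ----------
# A base64 run of 200+ characters next to a decode/eval primitive is a cheap
# first-pass signal for an injected loader. The length threshold and the
# 300-character context window are assumptions; tune them per estate.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
_DECODE_EVAL = re.compile(r"\b(?:atob|eval|unescape|String\.fromCharCode)\s*\(")

def scan_html_for_injected_js(html: str) -> list:
    """One finding per long base64 blob that has eval/atob within 300 chars."""
    findings = []
    for m in _B64_RUN.finditer(html):
        window = html[max(0, m.start() - 300): m.end() + 300]
        if _DECODE_EVAL.search(window):
            findings.append({"offset": m.start(), "length": len(m.group(0))})
    return findings

# ---------- 2. Unexpected downloads ----------
# Assumed proxy log format: "<timestamp> <client_ip> <method> <url> <status>".
# The allowlist is a placeholder for the vendor domains you actually permit.
VENDOR_DOWNLOAD_DOMAINS = ("google.com", "gvt1.com", "microsoft.com")
_EXEC_EXT = (".zip", ".exe", ".msi")
_LURE_WORDS = re.compile(r"chrome|edge|browser|update", re.I)

def _vendor_host(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOWNLOAD_DOMAINS)

def flag_downloads(proxy_lines) -> list:
    """Archive/installer downloads named like a browser update from a non-vendor host."""
    alerts = []
    for line in proxy_lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip it rather than crash the pipeline
        _ts, client, _method, url, _status = parts[:5]
        parsed = urlparse(url)
        filename = parsed.path.rsplit("/", 1)[-1]
        if (filename.lower().endswith(_EXEC_EXT)
                and _LURE_WORDS.search(filename)
                and not _vendor_host(parsed.hostname or "")):
            alerts.append({"client": client, "host": parsed.hostname, "file": filename})
    return alerts

# ---------- 3. Binary execution ----------
# Assumed Sysmon-style process-creation fields. APPROVED_DIRS is the placeholder
# install path of your sanctioned NetSupport deployment.
APPROVED_DIRS = (r"c:\program files\netsupport\netsupport manager",)

def flag_netsupport_execution(events) -> list:
    """client32.exe, matched on image name or on the PE OriginalFileName that
    Sysmon records (so a renamed copy is still caught), outside the approved dir."""
    alerts = []
    for ev in events:
        image = ev.get("Image", "")
        name = image.rsplit("\\", 1)[-1].lower()
        orig = ev.get("OriginalFileName", "").lower()
        if "client32.exe" not in (name, orig):
            continue
        if not any(image.lower().startswith(d + "\\") for d in APPROVED_DIRS):
            alerts.append({"host": ev.get("Computer"), "image": image,
                           "parent": ev.get("ParentImage")})
    return alerts

# ---------- constructed sample data (not from any real incident) ----------
_B64_PAYLOAD = base64.b64encode(b"document.body.innerHTML='Update Chrome';" * 10).decode()
INJECTED_HTML = ('<html><head><script>var d="' + _B64_PAYLOAD
                 + '";eval(atob(d));</script></head><body>Welcome</body></html>')
# Long base64 with no decode primitive nearby: an inline image, not a loader.
CLEAN_HTML = ("<html><body><img src='data:image/png;base64,"
              + base64.b64encode(b"\x89PNG" * 100).decode() + "'></body></html>")
PROXY_LOG = [
    "2026-03-16T04:10:02Z 10.20.30.41 GET http://cooking-blog.example/wp-content/uploads/Chrome_Update.zip 200",
    "2026-03-16T04:11:15Z 10.20.30.42 GET https://dl.google.com/chrome/install/ChromeSetup.exe 200",
    "2026-03-16T04:12:30Z 10.20.30.43 GET https://cdn.example.net/assets/theme.zip 200",
    "2026-03-16T04:13:01Z 10.20.30.44 GET https://static.example.org/dl/BrowserUpdate.exe 200",
]
PROCESS_EVENTS = [
    {"Computer": "WS-0141", "Image": r"C:\Users\jdoe\AppData\Local\Temp\Chrome_Update\client32.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "client32.exe"},
    {"Computer": "WS-0099", "Image": r"C:\Program Files\NetSupport\NetSupport Manager\client32.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "OriginalFileName": "client32.exe"},
    {"Computer": "WS-0202", "Image": r"C:\Users\asmith\AppData\Roaming\svchost.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "client32.exe"},
    {"Computer": "WS-0305", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    print(scan_html_for_injected_js(INJECTED_HTML), scan_html_for_injected_js(CLEAN_HTML))
    print(flag_downloads(PROXY_LOG))
    print(flag_netsupport_execution(PROCESS_EVENTS))
```

The inline-image case is there to show why the base64 check needs the eval/atob context test: data URIs are long base64 too, and flagging them alone would bury the signal in noise. The third process event (a client32 renamed to svchost.exe in AppData) is why the execution check matches on OriginalFileName as well as the image name.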

Detection and Mitigation Recommendations

To defend against this tradecraft (MITRE ATT&CK T1189 Drive-by Compromise for the delivery, T1204.002 User Execution: Malicious File for the lure, and T1219 for the remote-access software itself), organizations must adopt a layered defence. The following actions are recommended for immediate implementation:

  1. Browser Security Policies: Use enterprise browser policies to restrict downloads of executable file types from unmanaged sites (for Chrome, the DownloadRestrictions and URLBlocklist policies) and reputation-based web filtering to block domains associated with ClearFake campaigns.
  2. Endpoint Monitoring: Configure your SIEM to alert on new scheduled tasks (T1053.005) or registry Run keys (T1547.001) whose command line points into user-writable directories such as %AppData% or %Temp%.
  3. User Education: Tell users that Chrome and Edge update themselves through the browser’s own update mechanism (visible on the About page under Settings) or the operating system’s update manager, and that a legitimate update is never a manual download prompted by a third-party website.
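As an added example (not code from the article), the persistence alert in item 2 written out in Python over constructed Sysmon EventID 13 registry-value events and Windows Security 4698 task-creation events. The EventID, TargetObject, Details, TaskName and TaskContent field names follow those event schemas; the Users\Public marker, the sample task XML and the event values are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Locations the recommendation singles out (%AppData%, %Temp%); Users\Public is
# an added assumption because it is likewise world-writable. Matched on the
# literal variable and on its expanded form, lowercased.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                         "%appdata%", "%localappdata%", "%temp%", "%tmp%")
# Every drive- or %VAR%-rooted path in a command line, quoted or not.
_PATH_RE = re.compile(r'(?:[A-Za-z]:\\|%[A-Za-z_()]+%\\)[^"\s]+')
_RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)

def paths_in(command_line: str) -> list:
    return _PATH_RE.findall(command_line)

def in_user_writable_dir(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)

def _task_command_line(task_xml: str) -> str:
    """Join <Command> and <Arguments> from a 4698 TaskContent document, ignoring
    the namespace prefix ElementTree attaches to every tag."""
    if not task_xml:
        return ""
    root = ET.fromstring(task_xml)
    parts = [el.text or "" for el in root.iter()
             if el.tag.rsplit("}", 1)[-1] in ("Command", "Arguments")]
    return " ".join(parts)

def flag_persistence(events) -> list:
    """Sysmon EventID 13 on a Run/RunOnce value, or Security 4698 task creation,
    whose command references a user-writable directory."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 13 and _RUN_KEY_RE.search(ev.get("TargetObject", "")):
            kind, where, cmd = "run_key", ev["TargetObject"], ev.get("Details", "")
        elif ev.get("EventID") == 4698:
            kind, where = "scheduled_task", ev.get("TaskName", "")
            cmd = _task_command_line(ev.get("TaskContent", ""))
        else:
            continue  # other registry writes and event types are out of scope here
        hits = [p for p in paths_in(cmd) if in_user_writable_dir(p)]
        if hits:
            alerts.append({"kind": kind, "host": ev.get("Computer"),
                           "where": where, "paths": hits})
    return alerts

# ---------- constructed sample events (assumed values) ----------
_TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
_TASK_TMPL = ('<Task version="1.2" xmlns="{ns}"><Actions Context="Author"><Exec>'
              "<Command>{cmd}</Command><Arguments>{args}</Arguments></Exec></Actions></Task>")
SUSPICIOUS_TASK = _TASK_TMPL.format(ns=_TASK_NS, cmd="wscript.exe",
                                    args='"%APPDATA%\\ChromeUpdate\\run.js"')
LEGIT_TASK = _TASK_TMPL.format(ns=_TASK_NS, cmd="%windir%\\system32\\defrag.exe",
                               args="-c -h -o")
EVENTS = [
    {"EventID": 13, "Computer": "WS-0141",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate",
     "Details": r'"C:\Users\jdoe\AppData\Roaming\ChromeUpdate\client32.exe"'},
    {"EventID": 13, "Computer": "WS-0141",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"EventID": 13, "Computer": "WS-0141",  # AppData path, but not a Run key: ignored
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo\InstallLocation",
     "Details": r"C:\Users\jdoe\AppData\Local\Foo"},
    {"EventID": 4698, "Computer": "WS-0141", "SubjectUserName": "jdoe",
     "TaskName": r"\GoogleUpdateTaskUser", "TaskContent": SUSPICIOUS_TASK},
    {"EventID": 4698, "Computer": "WS-0141", "SubjectUserName": "SYSTEM",
     "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "TaskContent": LEGIT_TASK},
]

if __name__ == "__main__":
    for alert in flag_persistence(EVENTS):
        print(alert)
```

The path extractor deliberately pulls every path out of the command line rather than only the first token, so a task whose Command is a trusted interpreter (wscript.exe, powershell.exe) with the real payload in Arguments is still caught; the unexpanded %APPDATA% form is matched alongside the expanded one because task XML and Run values frequently keep the variable literal.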

While the delivery methods for these threats continue to evolve, the core reliance on user interaction remains a constant. By combining technical controls with heightened user awareness, organizations can significantly reduce the success rate of these fake update campaigns.
