
Chinese-speaking individuals in Southeast and East Asia are being targeted by a new malicious Google Ads campaign that delivers remote access Trojans such as FatalRAT to compromised machines.
The attack involved buying ad slots in Google search results that directed users searching for popular applications to malicious websites hosting Trojanized installers, ESET said in a report published today. The ads have since been removed.
Spoofed applications include Google Chrome, Mozilla Firefox, Telegram, WhatsApp, LINE, Signal, Skype, Electrum, Sogou Pinyin Method, Youdao, and WPS Office.
The Slovak cybersecurity firm said it observed the attacks between August 2022 and January 2023, adding that “the websites and installers downloaded from them were mostly in Chinese, and in some cases mistakenly offered a Chinese version of the software that cannot be used.”
Most of the victims are in Taiwan, China and Hong Kong, followed by Malaysia, Japan, the Philippines, Thailand, Singapore, Indonesia and Myanmar.
The key aspect of the attack is the creation of lookalike websites on typosquatted domains to distribute the malicious installers. Each installer not only installs the legitimate software to keep the ruse going, but also drops a loader that deploys FatalRAT.
This gives the attacker complete control over the victim’s computer, including running arbitrary shell commands, executing files, collecting data from web browsers, and capturing keystrokes.
“Attackers are trying to be as authentic as possible with regards to the domain names used for their websites,” the researchers said. “The fake websites are almost always identical copies of the legitimate sites.”
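As an added defensive illustration (this is not ESET's code and not part of the report), the following Python flags lookalike hostnames from DNS or proxy logs against an allowlist of the spoofed vendors' domains; the allowlist, the sample hostnames and the edit-distance thresholds are constructed assumptions.

```python
"""Flag typosquatted lookalikes of the vendors spoofed in the campaign.
Added example, not from the ESET report. LEGIT_DOMAINS is a constructed
allowlist (assumption: the real registrable domains of the named vendors)."""
from __future__ import annotations

LEGIT_DOMAINS = {
    "google.com", "mozilla.org", "telegram.org", "whatsapp.com", "line.me",
    "signal.org", "skype.com", "electrum.org", "sogou.com", "youdao.com", "wps.com",
}
# Constructed sample of hostnames as they might appear in DNS or proxy logs.
SAMPLE_HOSTS = ["www.google.com", "dl.telegrarn.org", "whatsapp.top", "example.com"]

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate here because the allowlist has
    no two-part public suffixes such as co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(host: str, max_dist: int = 2) -> tuple[str, str | None]:
    """Return ("legit", d), ("lookalike", d) or ("unknown", None).
    Lookalike = the brand label under another TLD (whatsapp.top), or a label within
    max_dist edits of a brand label (telegrarn). Labels shorter than six characters
    (line, wps, skype) only match exactly, since one edit on them is mostly noise."""
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return "legit", reg
    sld = reg.split(".")[0]
    for legit in sorted(LEGIT_DOMAINS):  # sorted so ties resolve deterministically
        brand = legit.split(".")[0]
        if sld == brand or (len(brand) >= 6 and levenshtein(sld, brand) <= max_dist):
            return "lookalike", legit
    return "unknown", None

def flag_lookalikes(hosts: list[str]) -> list[tuple[str, str]]:
    """(host, impersonated domain) for each lookalike in a batch of logged hosts."""
    flagged = []
    for h in hosts:
        verdict, brand = classify(h)
        if verdict == "lookalike":
            flagged.append((h, brand))
    return flagged
```

Tune `max_dist` and the allowlist to your environment: an edit distance of 2 will also flag near-neighbours such as legitimate brands that differ by two letters, so review hits before blocking.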

The findings come less than a year after Trend Micro disclosed a Purple Fox campaign that used tainted software packages posing as Adobe, Google Chrome, Telegram, and WhatsApp as delivery vectors to spread FatalRAT.
Google Ads has also been abused extensively to deliver a variety of malware and to direct users to credential phishing pages.
In a related development, Symantec’s threat hunter team shed light on another malware campaign targeting entities in Taiwan using a previously undocumented .NET-based implant called Frebniis.
“The technique used by Frebniis involves injecting malicious code into the memory of a DLL file (iisfreb.dll) related to an IIS feature used to troubleshoot and analyze failed web page requests,” Symantec said.
“This allows the malware to covertly monitor all HTTP requests, recognize specially formatted HTTP requests sent by attackers, and execute code remotely.”
The cybersecurity firm attributed the intrusion to an unknown threat actor and said it is currently unclear how the attacker gained access to the Windows machine running an Internet Information Services (IIS) server.