Chinese-speaking people in Southeast and East Asia are being targeted by a new rogue Google Ads campaign that delivers remote access trojans like FatalRAT to compromised machines.
The attacks involve buying advertising space to appear in Google search results and redirecting users looking for popular applications to rogue websites that host trojanized installers, ESET said in a report published today. The ads have since been removed.
Some of the fake applications include Google Chrome, Mozilla Firefox, Telegram, WhatsApp, LINE, Signal, Skype, Electrum, Sogou Pinyin Method, Youdao and WPS Office.
“The websites and the installers downloaded from them are mostly in Chinese and in some cases falsely offer Chinese language versions of software that are not available in China,” the Slovak cybersecurity firm said, adding that it observed the attacks between August 2022 and January 2023.
A majority of victims are located in Taiwan, China and Hong Kong, followed by Malaysia, Japan, the Philippines, Thailand, Singapore, Indonesia and Myanmar. The attackers’ ultimate goal is currently unclear.
The most important aspect of the attacks is the creation of lookalike websites on misspelled domains to spread the malicious installer, which, to avoid raising suspicion, installs the legitimate software but also drops a loader that distributes FatalRAT.
By doing so, it gives the attacker full control over the victim’s computer, including executing arbitrary shell commands, executing files, retrieving data from web browsers, and capturing keystrokes.
“The attackers have put some effort into the domain names used on their websites, trying to be as similar to the official names as possible,” the researchers said. “The fake websites are in most cases identical copies of the legitimate websites.”
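The lookalike-domain tactic described above is something defenders can hunt for in their own proxy or DNS logs. The following is an added example, not code from ESET's report: it normalises common character substitutions, measures edit distance against the registrable domains of the impersonated applications, and flags near-misses. The legitimate-domain list, thresholds and log lines are constructed for illustration.

```python
# Added example (not from the ESET report): flag typosquatted or lookalike domains
# in web-proxy logs against the legitimate domains of the impersonated applications.
# LEGIT_DOMAINS, the thresholds and SAMPLE_LOG are constructed for illustration.
import re

LEGIT_DOMAINS = {"google.com", "mozilla.org", "telegram.org", "whatsapp.com",
                 "line.me", "signal.org", "skype.com", "electrum.org",
                 "sogou.com", "youdao.com", "wps.com"}
# Visually similar substitutions undone before comparing (0->o, 1->l, rn->m, vv->w).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
HOST_RE = re.compile(r"https?://([^/\s:]+)")

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    # Crude "last two labels" rule; fine for the sample, not for ccTLDs like .com.tw.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(host: str):
    """Return (verdict, closest_legit); verdict is 'legit', 'lookalike' or 'unknown'."""
    dom = registrable(host)
    if dom in LEGIT_DOMAINS:
        return "legit", dom
    name = dom.rpartition(".")[0].translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    best = None
    for legit in LEGIT_DOMAINS:
        lname = legit.rpartition(".")[0]
        d = levenshtein(name, lname)
        # A brand embedded in a longer label (telegram-desktop) is a hit; short brands
        # are excluded from that rule so "online"/"airline" do not match "line".
        embedded = len(lname) >= 6 and lname in name
        limit = 1 if len(lname) <= 5 else 2          # tighter for short names
        if (embedded or d <= limit) and (best is None or d < best[1]):
            best = (legit, d)
    return ("lookalike", best[0]) if best else ("unknown", None)

def scan(lines):
    """Return [(host, closest_legit)] for every log line whose host is a lookalike."""
    hits = []
    for line in lines:
        m = HOST_RE.search(line)
        if m and classify(m.group(1))[0] == "lookalike":
            hits.append((m.group(1), classify(m.group(1))[1]))
    return hits

SAMPLE_LOG = [  # constructed proxy log lines
    "2023-01-12T08:01:22Z 10.0.0.5 GET https://web.telegram.org/ 200",
    "2023-01-12T08:02:05Z 10.0.0.5 GET https://te1egram-desktop.com/setup.exe 200",
    "2023-01-12T08:03:41Z 10.0.0.9 GET https://whatsapp.com/download 200",
    "2023-01-12T08:04:10Z 10.0.0.9 GET https://vvhatsapp.net/WhatsAppSetup.exe 200",
    "2023-01-12T08:05:58Z 10.0.0.7 GET https://electrurn.org/electrum.exe 200",
    "2023-01-12T08:06:30Z 10.0.0.7 GET https://example.com/ 200",
    "2023-01-12T08:07:12Z 10.0.0.8 GET https://signa1.org/signal-desktop.exe 200",
]

if __name__ == "__main__":
    for host, closest in scan(SAMPLE_LOG):
        print(f"ALERT lookalike domain {host} (impersonates {closest})")
```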
The findings come less than a year after Trend Micro revealed a Purple Fox campaign that leveraged tainted software packages impersonating Adobe, Google Chrome, Telegram and WhatsApp as an arrival vector to spread FatalRAT.
“We could not confirm whether these two investigations are connected,” Matías Porolli, a malware researcher at ESET, told The Hacker News. “Although there are some similarities (use of FatalRAT, use of fake installers), we did not find similarities in the chain of components used to deliver the RAT or in the infrastructure used by the attackers.”
They also arrive amid a wider misuse of Google Ads to deliver a wide range of malware, or alternatively take users to credential phishing sites.
In a related development, Symantec, part of Broadcom Software, has shed light on a “very small” and “targeted” malware campaign that exploits a previously undocumented .NET-based implant called Frebniis. The attacks are estimated to be “less than a handful” and “heavily focused on Taiwan”.
“The technique used by Frebniis involves injecting malicious code into the memory of a DLL file (iisfreb.dll) related to an IIS function used to debug and analyze failed web page requests,” Symantec said.
“This allows the malware to monitor all HTTP requests and recognize specially formatted HTTP requests sent by the attacker, enabling remote code execution.”
The cybersecurity firm, which attributed the intrusions to an unidentified actor, said it is not yet known how access to the Windows machine running the Internet Information Services (IIS) server was gained.