February 16, 2023 Ravie Lakshmanan Ad Fraud / Malware

Chinese-speaking individuals in Southeast and East Asia are being targeted by a new malicious Google Ads campaign that delivers remote access Trojans such as FatalRAT to compromised machines.

The attack involved buying ad slots displayed in Google search results that directed users searching for popular applications to malicious websites hosting Trojanized installers, ESET said in a report published today. The ads have since been removed.

Spoofed applications include Google Chrome, Mozilla Firefox, Telegram, WhatsApp, LINE, Signal, Skype, Electrum, Sogou Pinyin Method, Youdao, and WPS Office.

The Slovak cybersecurity firm said it observed the attacks between August 2022 and January 2023, noting that “the websites and installers downloaded from them were mostly in Chinese, and in some cases falsely offered a Chinese version of the software that cannot be used.”

Most of the victims are in Taiwan, China and Hong Kong, followed by Malaysia, Japan, the Philippines, Thailand, Singapore, Indonesia and Myanmar.

The most notable aspect of the attack is the use of look-alike websites on typosquatted domains to distribute the malicious installers. Each installer not only installs the legitimate software to keep the ruse going, but also drops a loader that deploys FatalRAT.

Doing so allows the attacker complete control of the victim’s computer, including executing arbitrary shell commands, executing files, collecting data from web browsers, capturing keystrokes, and more.

“Attackers are trying to get as close to the official name as possible regarding the domain names used for their websites,” the researchers said. “The fake website is almost always an identical copy of the legitimate site.”
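The two quotes above describe the lure: a domain that reads like the official one. The script below is an added example (it is not ESET's tooling, and the candidate domains in it are constructed, not the campaign's real infrastructure) that triages a list of hostnames against the brand labels the article names, using homoglyph folding and a small edit distance as the two approximations of "as close to the official name as possible". The suffix handling in `registrable_label` is simplified and is an assumption of this example.

```python
"""Lookalike-domain triage for the ad-campaign technique described above.

Added example, not ESET's tooling; the candidate domains below are
constructed for illustration and are not the campaign's real domains.
Two checks approximate "as close to the official name as possible":
homoglyph folding (0->o, 1->l, rn->m, ...) and a small edit distance.
"""
from typing import List, Tuple

# Second-level labels of the brands the article lists as spoofed.
BRANDS: List[str] = [
    "google", "chrome", "firefox", "telegram", "whatsapp", "line",
    "signal", "skype", "electrum", "sogou", "youdao", "wps",
]

# Constructed candidates: the kind of names a typosquatting ad would point at.
SAMPLE_CANDIDATES: List[str] = [
    "te1egram.org",          # digit one for letter l
    "telegrarn.net",         # "rn" rendered like "m"
    "telegarm.org",          # transposed letters
    "whatsap.com",           # dropped letter
    "electrum-wallet.com",   # brand embedded in a longer label
    "signal.org",            # genuine label, must not be flagged
    "example.com",           # unrelated, must not be flagged
]

# Character sequences attackers swap in because they render alike.
# Heuristic: folding "rn" to "m" also hits honest words such as "modern",
# so treat matches as leads for review, not verdicts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def registrable_label(hostname: str) -> str:
    """Return the label just left of the public suffix (simplified).

    Assumption: only the common two-part suffixes below are recognised; a
    real deployment would consult the Public Suffix List instead.
    """
    parts = hostname.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-2] in {"com", "co", "org", "net", "edu", "gov"}:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def fold_homoglyphs(label: str) -> str:
    """Replace look-alike sequences with the character they imitate."""
    for lookalike, real in HOMOGLYPHS:
        label = label.replace(lookalike, real)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def triage(candidates: List[str], brands: List[str], max_distance: int = 2) -> List[Tuple[str, str, str]]:
    """Return (hostname, brand, reason) for every candidate that imitates a brand."""
    hits: List[Tuple[str, str, str]] = []
    for host in candidates:
        label = registrable_label(host)
        folded = fold_homoglyphs(label)
        for brand in brands:
            if label == brand:
                continue                      # the genuine label itself
            if folded == brand:
                hits.append((host, brand, "homoglyph"))
            elif brand in folded:
                hits.append((host, brand, "contains"))
            # Short brands ("line", "wps") produce too many near-misses, so
            # the edit-distance check is restricted to longer labels.
            elif len(brand) >= 5 and osa_distance(folded, brand) <= max_distance:
                hits.append((host, brand, f"edit-distance<={max_distance}"))
    return hits


if __name__ == "__main__":
    for host, brand, reason in triage(SAMPLE_CANDIDATES, BRANDS):
        print(f"{host:<24} imitates {brand:<10} ({reason})")
```

Feed it the domains seen in ad click-through URLs or newly observed DNS names; every hit is a lead to pull the page and compare it with the legitimate site, which is exactly the "identical copy" check the researchers describe, not a verdict on its own.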

The findings arrive less than a year after Trend Micro disclosed a Purple Fox campaign that leveraged Trojanized software packages mimicking Adobe, Google Chrome, Telegram, and WhatsApp to spread FatalRAT.

Malicious Google Ads have also been used extensively to deliver other malware families and to direct users to credential phishing pages.

In a related development, Symantec's threat hunter team shed light on another malware campaign targeting entities in Taiwan using a previously undocumented .NET-based implant called Frebniis.

“The technique Frebniis uses involves injecting malicious code into the memory of a DLL file (iisfreb.dll) related to an IIS feature used to troubleshoot and analyze failed web page requests,” Symantec said.

“This allows the malware to covertly monitor all HTTP requests, recognize specially formatted HTTP requests sent by attackers, and execute code remotely.”

The cybersecurity firm, which attributes the intrusion to an as-yet unidentified actor, said it is currently unclear how the attacker gained access to the Windows machine running the Internet Information Services (IIS) server.
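Because Frebniis lives inside the memory of iisfreb.dll, the first hunting question on an IIS host is which worker processes have that DLL mapped at all. The script below is an added example (not Symantec's tooling) that parses the text output of `tasklist /m` and lists the w3wp.exe PIDs with iisfreb.dll loaded. The listing layout it assumes (a header row, a row of `=` signs, then one line per process with a PID and a comma-separated module list that wraps onto indented continuation lines) is the tool's usual output, and the sample listing embedded here is constructed.

```python
"""Hunt for IIS worker processes with iisfreb.dll mapped, the DLL Frebniis targets.

Added example, not Symantec's tooling. Parses the text of `tasklist /m`;
the layout is assumed from the tool's usual output, and the sample
listing is constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: two IIS workers, only one of which has iisfreb.dll loaded.
SAMPLE_TASKLIST = """\
Image Name                     PID Modules
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                   1234 ntdll.dll, KERNEL32.DLL, KERNELBASE.dll
w3wp.exe                      3300 ntdll.dll, KERNEL32.DLL, KERNELBASE.dll,
                                   w3wphost.dll, iiscore.dll, iisutil.dll
w3wp.exe                      4812 ntdll.dll, KERNEL32.DLL, KERNELBASE.dll,
                                   w3wphost.dll, iiscore.dll, iisutil.dll,
                                   iisfreb.dll, clr.dll
"""

# Image name (may contain spaces), whitespace, PID, whitespace, module list.
PROCESS_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<mods>.*)$")


@dataclass
class Proc:
    image: str
    modules: List[str] = field(default_factory=list)


def _split_modules(text: str) -> List[str]:
    """Comma-separated module names, lower-cased; 'N/A' means none listed."""
    return [m.strip().lower() for m in text.split(",") if m.strip() and m.strip() != "N/A"]


def parse_tasklist_modules(text: str) -> Dict[int, Proc]:
    """Map PID -> Proc from `tasklist /m` output."""
    procs: Dict[int, Proc] = {}
    current: Proc | None = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace():
            # Indented line: continuation of the previous process's module list.
            if current is not None:
                current.modules.extend(_split_modules(line))
            continue
        match = PROCESS_RE.match(line)
        if not match:
            continue
        current = Proc(match.group("image"), _split_modules(match.group("mods")))
        procs[int(match.group("pid"))] = current
    return procs


def workers_with_module(procs: Dict[int, Proc], module: str = "iisfreb.dll",
                        image: str = "w3wp.exe") -> List[int]:
    """PIDs of processes named `image` that have `module` mapped."""
    return sorted(pid for pid, p in procs.items()
                  if p.image.lower() == image and module in p.modules)


if __name__ == "__main__":
    procs = parse_tasklist_modules(SAMPLE_TASKLIST)
    for pid in workers_with_module(procs):
        print(f"w3wp.exe PID {pid} has iisfreb.dll mapped: inspect its memory image")
```

On a live host, capture the input with `tasklist /m /fi "imagename eq w3wp.exe"` and pipe it to this parser. A hit is a lead, not a verdict: the article itself notes that iisfreb.dll belongs to a legitimate IIS troubleshooting feature, so the next step is to dump the worker and compare the loaded copy of the DLL against the file on disk for injected code.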

