17 February 2023

Google ads used to deliver links to fake websites

ESET researchers have discovered a malware campaign that targets Chinese-speaking people in Southeast and East Asia. The campaign involves advertisements that appear in Google search results.

Source: ESET. A fake web page for the download of Google Chrome, in Chinese.

According to ESET, the unidentified cybercriminals buy ads that lead to fake websites made to look identical to the download pages of popular applications such as Firefox, WhatsApp, Signal, Skype, and Telegram. Such apps are usually not available in China.

In addition to providing the legitimate software, the websites also deliver FatalRAT, a remote access Trojan that grants the attacker control of the victim's computer. The attacks have affected users mostly in mainland China, Hong Kong, and Taiwan, but also in Southeast Asia: Malaysia, the Philippines, Thailand, Singapore, Indonesia and Myanmar, as well as in Japan.

FatalRAT provides a set of functionalities to perform various malicious activities on a victim’s computer, ESET said. Among other capabilities, the malware can capture keystrokes, steal or delete data stored by some browsers, and download and execute files. ESET Research observed these attacks between August 2022 and January 2023, but according to the company's telemetry, previous versions of the installers have been used since at least May 2022.

The cybercriminals have registered various domain names that all pointed to the same IP address: a server hosting multiple websites that download Trojanised software. Most of these websites look identical to their legitimate counterparts but deliver malicious installers instead. The other websites, possibly translated by the attackers, offer Chinese-language versions of software that is not available in China, such as Telegram.

In theory, there are many possible ways that potential victims can be directed to these fake websites, but a Chinese-language news site reported that they were being shown an advertisement that led to one of these malicious websites when searching for the Firefox browser in Google. The attackers purchased advertisements to position their malicious websites in the "sponsored" section of Google search results; ESET reported these ads to Google and they were promptly removed.

“Although we couldn’t reproduce such search results, we believe that the ads were only served to users in the targeted region,” said Matías Porolli, the ESET researcher who discovered the campaign.

“Since many of the domain names that the attackers registered for their websites are very similar to the legitimate domains, it is also possible that the attackers rely on URL hijacking to attract potential victims to their websites,” he added. URL hijacking refers to deceiving people who mistype a URL by creating a web page that looks like it is linked to the actual URL, and conducting malicious activities on it.

“It is possible that the attackers are solely interested in the theft of information like web credentials to sell them on underground forums, or to use them for another type of crimeware campaign, but for now, specific attribution of this campaign to a known or new threat actor is not possible,” elaborated Porolli.

“Finally, it is important to check the URL that we are visiting before we download software. Even better, type it into your browser’s address bar after checking that it is the actual vendor site.”
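The look-alike domain risk described above is something a proxy or mail gateway can screen for by comparing visited hostnames against a vendor allowlist. The following Python example is added here and is not ESET's code: the allowlist (real vendor domains of the apps named in the article), the homoglyph table and the sample URLs are constructed, and the "last two labels" rule for the registrable domain is a simplification.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the real vendor domains of the apps named in the article.
LEGIT_DOMAINS = {"mozilla.org", "whatsapp.com", "signal.org",
                 "skype.com", "telegram.org", "google.com"}

# Visually confusable substitutions folded before comparison (heuristic only).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalise(label: str) -> str:
    label = label.lower()
    for confusable, plain in HOMOGLYPHS.items():
        label = label.replace(confusable, plain)
    return label

def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Last two labels; a real deployment should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify_url(url: str) -> tuple:
    """Return (verdict, closest vendor domain); verdict is legit, lookalike or unknown."""
    if "//" not in url:
        url = "https://" + url  # a bare hostname is otherwise parsed as a path
    domain = registrable(urlsplit(url).hostname or "")
    if domain in LEGIT_DOMAINS:
        return "legit", domain
    brand = normalise(domain.split(".")[0])
    best, best_dist = "", 99
    for legit in LEGIT_DOMAINS:
        legit_brand = legit.split(".")[0]
        # A vendor name embedded in another domain (telegram-cn.example) counts as a hit.
        dist = 0 if legit_brand in brand else levenshtein(brand, legit_brand)
        if dist < best_dist:
            best, best_dist = legit, dist
    return ("lookalike", best) if best_dist <= 2 else ("unknown", "")

if __name__ == "__main__":
    # Constructed sample URLs: one genuine vendor page, three look-alikes, one unrelated.
    for u in ["https://www.telegram.org/dl", "https://te1egram.org/download",
              "https://telegrarn.org/", "telegram-cn.example", "https://example.com/"]:
        print(u, "->", classify_url(u))
```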

Explore

Read the blog post "These aren’t the apps you’re looking for: Fake installers targeting Southeast and East Asia" on WeLiveSecurity.