Hackers spread FatalRAT malware to Chinese-speaking victims using fake Google Ads

Posted on February 17, 2023 at 10:11 AM

Hackers are targeting Chinese-speaking victims in Southeast and East Asia with a malicious Google Ads campaign that deploys remote access trojans such as FatalRAT to compromise the targeted machines.

Hackers spread FatalRAT malware using Google Ads

The attacks involve buying ad slots appearing on Google search results and directing users to malicious sites. The targeted users usually look for some of the most popular applications, but the hackers hijack their search results to direct them to fake sites.

The fake websites created by hackers contain trojanized installers. ESET released a report confirming that the malicious ads have since been removed from the search results. Some applications that the hackers spoofed include Google Chrome, WhatsApp, Telegram, Mozilla Firefox, Signal, Skype, LINE, Electrum, WPS Office, Youdao, and Sogou Pinyin Method.

The Slovak cybersecurity company released a report saying that the installers downloaded from these websites were mostly written in Chinese and in some cases offered Chinese-language versions of software that is not available in China.

“The websites and installers downloaded from them are mostly in Chinese and in some cases falsely offer Chinese language versions of software that is not available in China,” the report said. The firm also added that it had observed the activity of these hackers between August 2022 and January 2023.

Most victims targeted by this hacking group are based in China, Hong Kong, and Taiwan. Other victims are in Indonesia, Japan, Malaysia, Myanmar, Singapore, the Philippines, and Thailand. The researchers have yet to determine the hackers' objective.

One of the notable features of this campaign is that the attacker created lookalike websites on typosquatted domains. The attacker used these domains to deliver the malicious installer, which gives them access to the targeted machine. The hacker also took measures to lower the chance of detection by installing the legitimate software as well. However, the installer later drops a loader that deploys the FatalRAT malware.

By doing this, the attacker obtains full control over the victim’s machine. However, they do not execute arbitrary shell commands or run files on the targeted device. They later harvest data from various platforms, including web browsers, while also capturing keystrokes made by the victim on their device.

The researchers also noted that the hackers had taken time to ensure that the domains they used on their malicious websites were as close as possible to the names of the original websites. They noted that the malicious websites were usually identical copies of legitimate sites.
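The two passages above describe the campaign's typosquatted domains and near-identical site names. The script below is an added example, written for this article rather than taken from ESET's report or tooling, showing how a defender can flag lookalike domains in DNS or proxy logs against a list of legitimate brand domains. The brand list and the log lines are constructed for illustration; the campaign's actual malicious domains are not reproduced here, and the "registrable label" logic is a deliberate simplification (a real deployment would use a public-suffix list).

```python
"""Flag lookalike (typosquatted) domains against a list of legitimate brand domains.

Added example for this article, not ESET's tooling. The brand list and the
DNS/proxy log lines below are constructed for illustration.
"""
from __future__ import annotations

# Legitimate domains of some of the applications the campaign spoofed.
# Assumption: squatters imitate the label just before the TLD.
BRAND_DOMAINS = {
    "telegram.org", "whatsapp.com", "signal.org", "mozilla.org",
    "google.com", "skype.com", "line.me", "electrum.org", "wps.com",
}

# Constructed log lines in the form "<timestamp> <client-ip> <queried-domain>".
SAMPLE_LOG = """\
2023-01-10T09:12:01Z 10.0.0.5 telegram.org
2023-01-10T09:12:07Z 10.0.0.5 telegarm.org
2023-01-10T09:13:44Z 10.0.0.8 whatsapp-cn.example
2023-01-10T09:14:02Z 10.0.0.9 signa1.org
2023-01-10T09:15:19Z 10.0.0.9 wikipedia.org
"""


def registrable_label(domain: str) -> str:
    """Return the label before the TLD (naive: no public-suffix handling)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition, so 'telegarm' is 1 edit from 'telegram'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain: str, brands: set[str] = BRAND_DOMAINS) -> dict | None:
    """Return a finding for a lookalike domain, or None for clean/exact domains."""
    domain = domain.lower().rstrip(".")
    if domain in brands:
        return None  # the genuine domain itself
    label = registrable_label(domain)
    best = None
    for brand in sorted(brands):  # sorted for deterministic tie-breaking
        brand_label = registrable_label(brand)
        if label == brand_label:
            hit = (0, brand, "same label under a different TLD")
        elif len(brand_label) >= 4 and brand_label in label:
            hit = (0, brand, "brand name embedded in label")
        else:
            # Short brand names get a tighter threshold to limit false positives.
            limit = 1 if len(brand_label) <= 5 else 2
            dist = osa_distance(label, brand_label)
            if dist > limit:
                continue
            hit = (dist, brand, f"edit distance {dist} from {brand_label}")
        if best is None or hit[0] < best[0]:
            best = hit
    if best is None:
        return None
    return {"domain": domain, "brand": best[1], "reason": best[2]}


def scan_log(log_text: str) -> list[dict]:
    """Run classify() over each log line and collect the flagged queries."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, client, domain = line.split()
        hit = classify(domain)
        if hit:
            findings.append({"timestamp": timestamp, "client": client, **hit})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

On the constructed log this flags the transposed `telegarm.org`, the brand-embedding `whatsapp-cn.example` and the digit-substituted `signa1.org`, while leaving the genuine `telegram.org` and the unrelated `wikipedia.org` alone. In practice the brand list would be the set of applications your users are expected to download, and the findings would feed a blocklist or an alert rather than stdout.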

This report comes less than one year after Trend Micro revealed a Purple Fox campaign that depended on tainted software packages that mimicked some of the most popular applications such as Adobe, Google Chrome, Telegram, and WhatsApp as the initial vector that would deploy the FatalRAT malware.

One of ESET's researchers, Matías Porolli, said, “We couldn’t confirm if these two investigations are connected. While there are some similarities (use of FatalRAT, use of fake installers), we didn’t find similarities in the chain of components used to deliver the RAT or in the infrastructure used by the attackers.”

The hacking campaign comes at a time of widespread abuse of Google Ads, which are being used both to deliver malware and to direct users to credential-phishing pages.

Hacking campaigns in Asia intensify

The report by ESET comes at a time when cybersecurity companies are shedding light on the increase in cybersecurity attacks targeting Asia. Symantec recently shared information about “very small” and “targeted” malware campaigns that took advantage of a .NET-based implant known as Frebniis that has not previously been documented.

According to the report, these are a small number of campaigns targeted at Taiwan. Symantec said that Frebniis works by injecting malicious code into the memory of a DLL belonging to an IIS feature that is used to troubleshoot and analyze failed web requests.

Symantec said that the hackers used this strategy to keep the malware undetected while it monitors HTTP requests and recognizes specially formatted ones. The company also said that the attacker behind the campaign has yet to be identified, and it remains unknown how they gained access to the Windows machine running the Internet Information Services (IIS) server.
