Some Chinese-speaking users have been targeted by malicious Google ads for restricted messaging apps like Telegram, as part of an ongoing malvertising campaign.
What is this malvertising campaign targeting Chinese-speaking users?
“The cybercriminal is abusing Google advertiser accounts to create malicious ads and directing them to pages where unsuspecting users will download Remote Administration Trojans (RATs) instead,” Malwarebytes' Jérôme Segura said in a report published Thursday. “These programs give the attacker complete control of the victim's machine and the ability to drop additional malware.”
It is important to note that this malvertising activity, called FakeAPP, is a continuation of a previous attack that targeted Hong Kong users searching for messaging apps like WhatsApp and Telegram on search engines in late October 2023.
The latest iteration of the campaign also adds the LINE messaging app to the list of messaging apps, redirecting users to fake websites hosted on Google Docs or Google Sites.
Google's infrastructure is used to embed links to other sites under the control of the cybercriminals in order to deliver malicious installation files that eventually distribute trojans like PlugX and Gh0st RAT.
Malwarebytes has also tracked the fraudulent ads to two advertiser accounts named Interactive Communication Team Limited and Ringier Media Nigeria Limited, both based in Nigeria.
“It would also appear that the cybercriminal favors quantity over quality by constantly pushing new payloads and infrastructure such as command and control,” Segura said.
The development comes as Trustwave SpiderLabs revealed an increase in the use of a phishing-as-a-service (PhaaS) platform called Greatness to create credential-harvesting pages that appear legitimate and target Microsoft 365 users.
“The kit allows you to customize sender names, email addresses, subjects, messages, attachments and QR codes, improving relevance and interaction,” the company said, adding that it comes with anti-detection measures such as header randomization, encryption and obfuscation aimed at evading spam filters and security systems.
Greatness is offered for sale to other criminal actors for $120 per month, effectively lowering the barrier to entry and helping them conduct large-scale attacks.
Attack chains involve sending phishing emails with malicious HTML attachments that, when opened by recipients, direct them to a fake login page that captures the entered credentials and exfiltrates them to the threat actor or actors via Telegram; in other infection sequences the attachments are used to drop malware on the victim's machine in order to facilitate information theft.
To increase the probability of success, the emails spoof trusted sources such as banks and employers and induce a false sense of urgency with subject lines such as “urgent bill payments” or “urgent account verification”.
“The number of victims is currently unknown, but Greatness is widely used and supported, with its own community on Telegram that provides information on how to use the kit, along with additional tips and tricks,” Trustwave said.
Phishing attacks have also been observed against South Korean companies, impersonating technology companies such as Kakao to distribute AsyncRAT via Windows shortcut (LNK) files that direct victims to malicious sites, much like the malvertising campaign.
“Malicious shortcut files disguised as legitimate documents are distributed all the time,” said the AhnLab Security Intelligence Center (ASEC). “Users may confuse the shortcut file with a regular document, as the '.LNK' extension is not visible in the file names.”
Unfortunately, we must always be on guard against these threats, since the technique of deceptive links is at least as old as the internet.
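As an added illustration of the kind of check defenders run against the disguised shortcut files ASEC describes (this is example code written for this page, not tooling from ASEC, Malwarebytes or Trustwave), the script below parses the public MS-SHLLINK header and string data of a .lnk file and flags the three traits that usually give such files away: a document-like double extension hidden in front of .lnk, a target that is a script host rather than a document, and a URL or unusually long command line in the arguments. The byte layout follows the MS-SHLLINK specification; the heuristics, thresholds and the constructed sample files are assumptions made for the example.

```python
"""LNK triage helper (added example): parse a Shell Link file and flag
shortcuts that masquerade as documents.  Layout per MS-SHLLINK; the
heuristics and sample files below are constructed for this illustration."""
import struct

HEADER_SIZE = 0x4C                                  # fixed ShellLinkHeader size
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Heuristic tables (assumed for this example, extend to taste)
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "hwp"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}
LONG_ARGS_THRESHOLD = 100


def is_lnk(data: bytes) -> bool:
    """True when the buffer starts with a valid ShellLinkHeader."""
    return (len(data) >= HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def _read_string(data: bytes, offset: int, unicode: bool):
    """StringData item: uint16 CountCharacters followed by the characters."""
    count = struct.unpack_from("<H", data, offset)[0]
    offset += 2
    width = 2 if unicode else 1
    raw = data[offset:offset + count * width]
    text = raw.decode("utf-16-le") if unicode else raw.decode("latin-1")
    return text, offset + count * width


def parse_lnk(data: bytes) -> dict:
    """Return the optional StringData fields of a .lnk (None when absent)."""
    if not is_lnk(data):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDList: uint16 size + items
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo: size includes itself
        offset += struct.unpack_from("<I", data, offset)[0]
    unicode = bool(flags & IS_UNICODE)
    info = {"flags": flags}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            info[key], offset = _read_string(data, offset, unicode)
        else:
            info[key] = None
    return info


def triage(filename: str, data: bytes) -> list:
    """Return human-readable findings for one shortcut file (empty = nothing odd)."""
    findings = []
    parts = filename.lower().split(".")
    if len(parts) >= 3 and parts[-1] == "lnk" and parts[-2] in DOCUMENT_EXTENSIONS:
        findings.append(f"double extension: looks like a .{parts[-2]} document")
    info = parse_lnk(data)
    target = (info["relative_path"] or "").replace("/", "\\").split("\\")[-1].lower()
    if target in SCRIPT_HOSTS:
        findings.append(f"target is a script host: {target}")
    args = info["arguments"] or ""
    if len(args) > LONG_ARGS_THRESHOLD:
        findings.append(f"unusually long arguments ({len(args)} chars)")
    if "http://" in args.lower() or "https://" in args.lower():
        findings.append("arguments contain a URL")
    return findings


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed test fixture: minimal Unicode .lnk with no IDList/LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))   # attributes, times, etc. zeroed
    body = b""
    for text in (relative_path, arguments):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    # Constructed samples: a disguised shortcut and a harmless one.
    bad = build_sample_lnk("..\\..\\Windows\\System32\\cmd.exe",
                           "/c start https://example.invalid/constructed-sample")
    good = build_sample_lnk("notepad.exe", "")
    for name, blob in (("Invoice_2024.pdf.lnk", bad), ("Notes.lnk", good)):
        print(name, "->", triage(name, blob) or "no findings")
```

The parser deliberately stops at the StringData block, which is where the arguments and relative target live; the IDList and LinkInfo structures are skipped by their own size fields, so real shortcuts that carry them still parse. A mail gateway or EDR rule would typically combine the double-extension test with the script-host test, since a genuine shortcut to a document never needs cmd.exe or mshta.exe as its target.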