2023-02-17

Chinese-speaking hackers operating in Southeast and East Asia are behind a new malicious campaign that leverages Google Ads to deliver remote access trojans, such as FatalRAT, to compromised machines.

The attacks involve purchasing ad space in Google search results to direct users looking for popular applications to rogue websites hosting trojanized installers, ESET said in a report released today; the malicious ads have since been removed.

This is, of course, not the first time fake applications imitating real ones have been used.

How does this campaign that exploits Google Ads work?

Some of the impersonated applications include Google Chrome, Mozilla Firefox, Telegram, WhatsApp, LINE, Signal, Skype, Electrum, Sogou Pinyin Method, Youdao and WPS Office.

“The websites and installers downloaded [from the ads] are mostly in Chinese and in some cases falsely offer Chinese-language versions of software that is not available in China,” stated the Slovak cybersecurity firm, adding that it observed the attacks between August 2022 and January 2023.

Most of the victims are in Taiwan, China and Hong Kong, followed by Malaysia, Japan, the Philippines, Thailand, Singapore, Indonesia and Myanmar.

The most important aspect of the attacks is the creation of lookalike websites on typosquatted domains to distribute the malicious installer which, to keep up the ruse, installs the legitimate software but also drops a loader that delivers FatalRAT.

Google Ads thus becomes a conduit for these malicious actors, and FatalRAT grants the attackers complete control of the victim’s computer, including executing shell commands, running files, harvesting data from web browsers and capturing keystrokes.

“The attackers have made some effort regarding the domain names used for their websites, trying to be as similar as possible to the official names,” the researchers said. “The fake websites are, in most cases, identical copies of the legitimate sites.”
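The two paragraphs above describe the core trick: typosquatted, lookalike domains that mimic the official names of the impersonated applications. The following Python script is an added example, not code from the article or from ESET, showing how a defender can flag such domains (for instance from proxy or DNS logs) against an allowlist of legitimate brand domains. The allowlist and the candidate domains are constructed for the demonstration and are assumptions, not domains taken from the report; the heuristics (same brand name under a different TLD, digit-for-letter homoglyphs, the brand embedded in a longer label, and small edit distance) are generic typosquat checks rather than the campaign's specific domains.

```python
"""Flag lookalike (typosquat) domains against a list of legitimate brand domains.

Added example for defenders; the domain lists below are constructed, not from the report.
"""
from __future__ import annotations

# Constructed allowlist of legitimate registrable domains for brands named in the article.
LEGIT_DOMAINS = sorted({
    "telegram.org", "whatsapp.com", "signal.org", "electrum.org",
    "mozilla.org", "google.com", "skype.com", "line.me", "wps.com",
})

# Common digit/letter substitutions used to make a fake label look like the real one.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registrable_label(domain: str) -> str:
    """Return the second-level label, e.g. 'telegram' for 'www.telegram.org'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize_homoglyphs(label: str) -> str:
    """Map look-alike characters back to the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance.

    Counts insertions, deletions, substitutions and adjacent transpositions,
    so 'telegarm' is one edit away from 'telegram'.
    """
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(candidate: str) -> tuple[str, str | None]:
    """Return ('legit' | 'lookalike' | 'unrelated', matched legitimate domain or None)."""
    cand = candidate.lower().strip(".")
    # Exact match or a subdomain of a legitimate domain is fine.
    for legit in LEGIT_DOMAINS:
        if cand == legit or cand.endswith("." + legit):
            return "legit", legit
    norm = normalize_homoglyphs(registrable_label(cand))
    for legit in LEGIT_DOMAINS:
        brand = registrable_label(legit)
        # Same brand label under another TLD, or only homoglyphs changed.
        if norm == brand:
            return "lookalike", legit
        # Brand embedded in a longer label (e.g. 'telegram-cn'); skip short brands
        # such as 'wps' or 'line' to avoid false positives on ordinary words.
        if len(brand) >= 5 and brand in norm and len(norm) > len(brand):
            return "lookalike", legit
        # Typo-distance: allow roughly one edit per four characters of the brand.
        if edit_distance(norm, brand) <= max(1, len(brand) // 4):
            return "lookalike", legit
    return "unrelated", None


def scan(candidates: list[str]) -> dict[str, tuple[str, str | None]]:
    """Classify every candidate domain, e.g. domains pulled from DNS or proxy logs."""
    return {c: classify(c) for c in candidates}


if __name__ == "__main__":
    # Constructed sample of observed domains; none of these come from the report.
    sample = ["telegram.org", "www.whatsapp.com", "telegarm.org",
              "te1egram-cn.com", "whatsapp.net", "example.com"]
    for domain, (verdict, match) in scan(sample).items():
        print(f"{domain:20} {verdict:10} {match or ''}")
```

Run it on a list of domains exported from your resolver or proxy logs; anything classified as `lookalike` deserves a look at which users visited it and whether an installer was downloaded. The thresholds are deliberately conservative; tune them to the brand list you actually care about.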

The findings come less than a year after Trend Micro revealed a Purple Fox campaign that used tainted software packages mimicking Adobe, Google Chrome, Telegram and WhatsApp as an arrival vector to propagate FatalRAT.

It should be added that Google Ads has been used not only in this campaign, but also to distribute a wide range of malware or, alternatively, to lead users to credential-phishing pages.

In a related study, Symantec’s Threat Hunter Team shed light on another malware campaign targeting entities in Taiwan with a previously undocumented .NET-based implant called Frebniis.

“The technique used by Frebniis involves injecting malicious code into the memory of a DLL file (iisfreb.dll) related to an IIS feature used to troubleshoot and analyze failed web page requests,” Symantec said.

Symantec added: “This allows the malware to stealthily monitor all HTTP requests and recognize specially formatted HTTP requests sent by the attacker, allowing remote code execution.”

The security firm, which attributed the intrusion to an unidentified threat actor, said it is currently unknown how access was gained to the Windows machine running the Internet Information Services (IIS) server.

This is why ad blockers are important

An ad blocker is not merely a tool for removing annoying ads: it also helps defend against these attacks, since it takes only a moment to accidentally click on an advertisement deliberately placed in a deceptive position.