Hackers Are Using Google Ads to Spread FatalRAT Malware

Chinese speakers in Southeast and East Asia are the focus of a recent fraudulent Google Ads campaign that infects targeted computers with remote access trojans such as FatalRAT.

According to research released today by ESET, the attacks involve paying for ad placements that appear in Google search results and steer users looking for popular software to dubious websites hosting trojanized installers. The advertisements have since been removed.

Google Chrome, Mozilla Firefox, Telegram, WhatsApp, LINE, Signal, Skype, Electrum, Sogou Pinyin Method, Youdao, and WPS Office are some of the software programs being spoofed.

The Slovak cybersecurity firm added that it detected the attacks between August 2022 and January 2023. “The websites and installers downloaded from them are predominantly in Chinese and in some cases erroneously advertise Chinese language versions of software that are not accessible in China,” it stated.

Taiwan, China, and Hong Kong have the highest concentration of victims, followed by Malaysia, Japan, the Philippines, Thailand, Singapore, Indonesia, and Myanmar.


The most significant part of the attacks is the creation of lookalike websites with typosquatted domain names to distribute the malicious installer. To maintain the masquerade, the installer sets up the legitimate software but also drops a loader that launches FatalRAT.

This gives the attacker full control over the infected machine, allowing them to launch files, run arbitrary shell commands, harvest data from web browsers, and record keystrokes.


The researchers noted that the attackers had made an effort to use domain names for their websites that were as close to the official names as possible. “In most cases, the bogus websites are exact replicas of the real websites.”
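The campaign relies on domains that are close to the official ones. As an added example, not part of the ESET research or this article, the following script flags lookalike domains from a DNS or proxy log by comparing the registrable name against a small allowlist of official vendor domains for the brands named above. The allowlist, the Levenshtein threshold of 2 and the sample log entries are all assumptions constructed for the example; none of the domains below are indicators from the campaign.

```python
# Lookalike-domain triage for the brands named in the article.
# Added example; OFFICIAL_DOMAINS and SAMPLE_LOG are constructed values.

OFFICIAL_DOMAINS = {
    "google.com", "mozilla.org", "telegram.org", "whatsapp.com",
    "line.me", "signal.org", "skype.com", "electrum.org",
}

# Constructed DNS log lines in a "timestamp client qname" layout (assumption).
SAMPLE_LOG = """\
2023-01-12T08:01:02Z 10.0.0.5 www.google.com
2023-01-12T08:01:09Z 10.0.0.5 telegarm.org
2023-01-12T08:02:31Z 10.0.0.7 whatsapp-cn.com
2023-01-12T08:03:44Z 10.0.0.7 g00gle.com
2023-01-12T08:04:10Z 10.0.0.9 example.com
"""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Naive registrable domain: last two labels. A real tool would use the
    public suffix list; this simplification is an assumption of the example."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify(domain: str, max_distance: int = 2) -> str:
    """Return 'official', 'lookalike of <domain>' or 'unrelated'."""
    reg = registrable(domain)
    if reg in OFFICIAL_DOMAINS:
        return "official"
    name = reg.split(".")[0]
    best = None
    for official in OFFICIAL_DOMAINS:
        brand = official.split(".")[0]
        dist = levenshtein(name, brand)
        # Close spelling (telegarm, g00gle) or brand embedded in a longer
        # label (whatsapp-cn) both count as lookalikes.
        if dist <= max_distance or brand in name:
            if best is None or dist < best[1]:
                best = (official, dist)
    return f"lookalike of {best[0]}" if best else "unrelated"


def flag_lookalikes(log_text: str) -> dict:
    """Map each queried name in the log to its classification, skipping
    official and unrelated domains so only suspects remain."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        verdict = classify(fields[2])
        if verdict.startswith("lookalike"):
            hits[fields[2]] = verdict
    return hits


if __name__ == "__main__":
    for qname, verdict in flag_lookalikes(SAMPLE_LOG).items():
        print(f"{qname}: {verdict}")
```

The threshold is deliberately small: a distance of 2 catches transpositions and single leet substitutions while keeping short brand names such as "line" from matching unrelated words. Any hit should be confirmed against the real registration and certificate data before it is blocked, since the allowlist covers only a handful of each vendor's legitimate domains.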

The discoveries come less than a year after Trend Micro revealed a Purple Fox operation that used contaminated software packages to spread FatalRAT by impersonating Adobe, Google Chrome, Telegram, and WhatsApp.

They also come amid wider abuse of Google Ads to distribute a variety of malware or, alternatively, to direct users to pages that steal their credentials.

In a related development, Symantec’s Threat Hunter Team revealed another malware campaign that uses a previously unknown .NET-based implant, Frebniis, to target Taiwanese companies.

According to Symantec, the Frebniis technique involves injecting malicious code into the memory of a DLL (iisfreb.dll) used by an IIS feature that diagnoses and analyses failed web page requests.
