Chinese speakers in Southeast and East Asia are the targets of a recent fraudulent Google AdWords campaign that infects victims' computers with remote access trojans such as FatalRAT.
According to research released today by ESET, the attackers paid for ad placements that appear in Google search results and point users searching for popular software to dubious websites hosting trojanized installers. The advertisements have since been removed.
Google Chrome, Mozilla Firefox, Telegram, WhatsApp, LINE, Signal, Skype, Electrum, Sogou Pinyin Method, Youdao, and WPS Office are some of the software programs being spoofed.
The Slovak cybersecurity firm added that it detected the attacks between August 2022 and January 2023. “The websites and installers downloaded from them are predominantly in Chinese and in some cases erroneously advertise Chinese language versions of software that are not accessible in China,” it stated.
The most significant part of the attacks is the construction of lookalike websites with typosquatted domain names to distribute the malicious installer which, to keep up the masquerade, installs the legitimate software but also drops a loader that launches FatalRAT.
Taiwan, China, and Hong Kong have the highest concentration of victims, followed by Malaysia, Japan, the Philippines, Thailand, Singapore, Indonesia, and Myanmar.
FatalRAT gives the attacker total control over the infected machine, enabling them to launch files, run arbitrary shell commands, harvest data from web browsers, and record keystrokes.
The researchers noted that the attackers had made an effort to use domain names for their websites that were as close to the official names as possible. “In most cases, the bogus websites are exact replicas of the real websites.”
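As an added illustration (not from ESET's report or this article), the following Python check flags hosts in web proxy logs that resemble the official domains of the software named above, catching both single-typo lookalikes and brand names embedded in longer domains. The allow-list of legitimate domains is assumed, and the log lines are constructed.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed allow-list of legitimate registrable domains (hypothetical; adjust for your environment).
LEGIT_DOMAINS = ("google.com", "mozilla.org", "telegram.org", "whatsapp.com",
                 "signal.org", "skype.com", "electrum.org", "wps.com")

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions ('telegarm' -> 'telegram' = 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1): d[i][0] = i
    for j in range(len(b) + 1): d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def registrable(host: str) -> str:
    """Crude last-two-labels view of a host (no public-suffix-list handling)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(host: str) -> Optional[str]:
    """Return the legitimate domain the host appears to impersonate, or None if it looks benign."""
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return None                      # the real site or one of its subdomains
    label = reg.split(".")[0]
    for legit in LEGIT_DOMAINS:
        legit_label = legit.split(".")[0]
        if legit_label in label:         # brand on another TLD, or embedded ("whatsapp-download")
            return legit
        if len(legit_label) >= 5 and osa_distance(label, legit_label) <= 1:
            return legit                 # one typo away from the brand label
    return None

LOG_RE = re.compile(r"^\S+ \S+ (?P<url>https?://\S+)")  # "<timestamp> <client> <url> ..."

def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (host, impersonated_domain) pairs for lookalike hosts found in proxy log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        host = urlsplit(m.group("url")).hostname if m else None
        legit = classify(host) if host else None
        if legit:
            hits.append((host, legit))
    return hits

# Constructed sample proxy log lines; not real traffic or indicators from the campaign.
SAMPLE_LOG = [
    "2023-01-12T09:14:03Z 10.0.0.21 https://www.telegram.org/dl GET 200",
    "2023-01-12T09:15:11Z 10.0.0.21 https://telegarm.com/Telegram.exe GET 200",
    "2023-01-12T09:16:40Z 10.0.0.35 https://whatsapp-download.xyz/WhatsApp.exe GET 200",
    "2023-01-12T09:17:02Z 10.0.0.35 https://example.com/ GET 200",
    "2023-01-12T09:18:55Z 10.0.0.40 https://skypee.net/setup.exe GET 200",
]

if __name__ == "__main__":
    for host, legit in scan_proxy_log(SAMPLE_LOG):
        print(f"lookalike host {host} resembles {legit}")
```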
Less than a year ago, Trend Micro revealed a Purple Fox operation that used trojanized versions of Adobe, Google Chrome, Telegram, and WhatsApp installers as a vector for spreading FatalRAT. The latest attacks also appear to be part of a broader abuse of Google AdWords to distribute a variety of malware or, alternatively, to direct users to pages that steal their credentials.
In a related development, Symantec’s Threat Hunter Team disclosed another malware campaign that uses a previously unknown .NET-based implant, Frebniis, to target Taiwanese companies. Frebniis works by injecting malicious code into the memory of a DLL (iisfreb.dll) belonging to an IIS feature designed to diagnose and analyze failed web page requests.
This lets the malware covertly monitor all HTTP requests and recognize specially crafted requests sent by the attacker, enabling remote code execution. Symantec, which attributed the intrusion to an unidentified actor, says it is currently unknown how the attackers gained access to the Windows machine running the Internet Information Services (IIS) server.