Chinese-Speaking Individuals in Southeast and East Asia Targeted by Google Ads Campaign Distributing FatalRAT Malware Disguised as Popular Applications
A new attack campaign targets Chinese-speaking individuals in Southeast and East Asia, abusing Google Ads to deliver the FatalRAT remote access trojan. The attackers purchased ad slots so that their sites appeared in Google search results for popular applications, sending users who searched for those apps to websites hosting trojanized installers. No software vulnerability is involved: the victim is persuaded to download and run the installer. The campaign was active between August 2022 and January 2023, and the malicious websites and ads have since been taken down.
The Slovak cybersecurity firm ESET found that the spoofed applications include Google Chrome, Mozilla Firefox, Telegram, WhatsApp, LINE, Signal, Skype, Electrum, Sogou Pinyin Method, Youdao, and WPS Office. The rogue websites and their installers are mostly in Chinese, and they falsely offer Chinese-language versions of software that is not available in China.
The most notable aspect of the attacks is the use of lookalike websites on typosquatted domains to distribute the malicious installer. The trojanized installer installs the expected legitimate application, so nothing looks wrong to the user, but it also drops a loader that deploys FatalRAT, giving the attacker full control of the compromised machine: executing arbitrary shell commands, running files, harvesting data from web browsers, and capturing keystrokes. The researchers noted that the attackers put some effort into choosing domain names as similar to the official ones as possible, and that the fake websites are, in most cases, identical copies of the legitimate sites.
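The lookalike-domain technique described above is the part of this campaign a defender can check for mechanically. The following script is an added example written for this page, not ESET's code or tooling: it compares observed domains (from proxy or DNS logs, say) against a constructed allowlist of official domains and flags typosquats, homoglyph substitutions, TLD swaps, and hyphenated "brand-token" names such as telegram-cn.org. The allowlist, the sample domains, and the helper names (`classify`, `normalize`, `levenshtein`) are all assumptions for the example; a real deployment would use the Public Suffix List instead of the two-label split used here.

```python
"""Flag lookalike domains against an allowlist of official domains.

Added example for this page; constructed allowlist and sample input,
not data from the ESET report.
"""
from __future__ import annotations

import unicodedata

# Constructed allowlist of official domains (assumption for this example).
OFFICIAL_DOMAINS = {
    "telegram.org", "whatsapp.com", "signal.org", "electrum.org",
    "google.com", "mozilla.org", "skype.com", "line.me",
}

# Single characters commonly swapped for visually similar letters.
SINGLE_CHAR_CONFUSABLES = str.maketrans("013578", "olestb")
# Two-character sequences that read as one letter at a glance.
MULTI_CHAR_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize(label: str) -> str:
    """Lower-case, strip accents, and collapse confusable characters."""
    text = unicodedata.normalize("NFKD", label.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = text.translate(SINGLE_CHAR_CONFUSABLES)
    for src, dst in MULTI_CHAR_CONFUSABLES:
        text = text.replace(src, dst)
    return text


def registrable(domain: str) -> tuple[str, str]:
    """Split a host into (second-level label, tld).

    Simplification: assumes a single-label public suffix. A real
    deployment would consult the Public Suffix List.
    """
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, max_distance: int = 1) -> tuple[str, str | None, str | None]:
    """Return (verdict, matched_official_domain, reason).

    verdict is "official", "lookalike", or "unknown".
    """
    host = domain.lower().strip(".")
    for official in sorted(OFFICIAL_DOMAINS):
        if host == official or host.endswith("." + official):
            return ("official", official, None)

    sld, tld = registrable(host)
    norm = normalize(sld)
    for official in sorted(OFFICIAL_DOMAINS):
        off_sld, _ = registrable(official)
        off_norm = normalize(off_sld)
        if norm == off_norm:
            # Same brand after normalisation: either the letters were
            # swapped for confusables, or only the TLD differs.
            reason = "homoglyph" if sld != off_sld else "tld swap"
            return ("lookalike", official, reason)
        if off_norm in norm.split("-"):
            # e.g. telegram-cn.org: the brand appears as a hyphenated token.
            return ("lookalike", official, "brand token")
        # Short brands (line, skype) produce too many one-edit false
        # positives, so the edit-distance rule only applies to longer names.
        if len(off_norm) >= 5 and levenshtein(norm, off_norm) <= max_distance:
            return ("lookalike", official, "edit distance")
    return ("unknown", None, None)


def scan(domains: list[str]) -> list[tuple[str, str, str | None, str | None]]:
    """Classify every domain and return (domain, verdict, match, reason)."""
    return [(d, *classify(d)) for d in domains]


# Constructed sample input resembling what a DNS or proxy log might contain.
SAMPLE_DOMAINS = [
    "telegram.org", "cdn.telegram.org", "telegrarn.org", "te1egram.org",
    "whatsapp.net", "telegram-cn.org", "telegam.org", "example.com", "lime.me",
]

if __name__ == "__main__":
    for domain, verdict, match, reason in scan(SAMPLE_DOMAINS):
        print(f"{domain:20} {verdict:10} {match or '-':15} {reason or ''}")
```

The rules are deliberately ordered from strongest to weakest signal: an exact normalised match (homoglyph or TLD swap) is near-certain, a brand token in a hyphenated name is strong, and a one-character edit is only accepted for brands long enough that a chance collision is unlikely. Run the output through a blocklist or a ticket queue rather than blocking automatically; lookalike detection is a triage aid, not a verdict.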
The victims are located primarily in Taiwan, China, and Hong Kong, followed by Malaysia, Japan, the Philippines, Thailand, Singapore, Indonesia, and Myanmar. These findings come less than a year after a similar campaign used tainted installers for Adobe products, Google Chrome, Telegram, and WhatsApp as the arrival vector for FatalRAT.
In a related development, Symantec's Threat Hunter Team disclosed another malware campaign targeting entities in Taiwan with a previously undocumented .NET-based implant called Frebniis. The malware injects malicious code into the memory of a DLL belonging to an IIS feature used to troubleshoot and analyze failed web requests, Failed Request Event Buffering (FREB), from which the implant takes its name. Because that code sits in the request-processing path, the malware can stealthily monitor all HTTP requests to the server and recognize specially formatted requests sent by the attacker, giving them remote code execution without opening any new listening port. Symantec attributed the intrusion to an unknown actor and stated that it is not yet known how initial access to the Windows machine running the Internet Information Services (IIS) server was obtained.