26 C
Sunday, March 3, 2024
HomeCyber AttacksHackers Using Google Ads to Spread FatalRAT Malware

Hackers Using Google Ads to Spread FatalRAT Malware


Related stories

Remote Access Trojan (RAT): Their Types, Mitigation & Removal

Remote Access Trojan (RAT): Their Types, Mitigation & Removal Post...

Chinese Hackers Exploited Barracuda’s ESG Appliances

Chinese Hackers Exploited Barracuda's ESG Appliances Barracuda has revealed that...

China-Linked Budworm Targeting Middle Eastern Telco & Asian Government Agencies

China-Linked Budworm Targeting Middle Eastern Telco & Asian Government...

Most Important Cyber Security Tips 2023

Most Important Cyber Security Tips 2023 Important Cyber Security Security...

Every Business Owner 10 Essential Cybersecurity Facts Must Know

Every Business Owner 10 Essential Cybersecurity Facts Must Know In...

Hackers Using Google Ads to Spread FatalRAT Malware

Chinese-speaking individuals in Southeast and East Asia are the targets of a new rogue Google Ads campaign that delivers remote access trojans such as FatalRAT to compromised machines.

The attacks involve purchasing ad slots to appear in Google search results and direct users looking for popular applications to rogue websites hosting trojanized installers, ESET said in a report published today. The ads have since been taken down.

Some of the spoofed applications include Google Chrome, Mozilla Firefox, Telegram, WhatsApp, LINE, Signal, Skype, Electrum, Sogou Pinyin Method, Youdao, and WPS Office.

“The websites and installers downloaded from them are mostly in Chinese and in some cases falsely offer Chinese language versions of software that is not available in China,” the Slovak cybersecurity firm said, adding it observed the attacks between August 2022 and January 2023.

A majority of the victims are located in Taiwan, China, and Hong Kong, followed by Malaysia, Japan, the Philippines, Thailand, Singapore, Indonesia, and Myanmar. The attackers’ end goals are unclear as yet.

The most important aspect of the attacks is the creation of lookalike websites with typosquatted domains to propagate the malicious installer, which, in an attempt to keep up the ruse, installs the legitimate software, but also drops a loader that deploys FatalRAT.

In doing so, it grants the attacker complete control of the victimized computer, including executing arbitrary shell commands, running files, harvesting data from web browsers, and capturing keystrokes.

“The attackers have expended some effort regarding the domain names used for their websites, trying to be as similar to the official names as possible,” the researchers said. “The fake websites are, in most cases, identical copies of the legitimate sites.”

The findings arrive less than a year after Trend Micro disclosed a Purple Fox campaign that leveraged tainted software packages mimicking Adobe, Google Chrome, Telegram, and WhatsApp as an arrival vector to propagate FatalRAT.

“We couldn’t confirm if these two investigations are connected,” Matías Porolli, malware researcher at ESET, told The Hacker News. “While there are some similarities (use of FatalRAT, use of fake installers) we didn’t find similarities in the chain of components used to deliver the RAT or in the infrastructure used by the attackers.”

They also arrive amid a broader abuse of Google Ads to serve a wide range of malware, or alternatively, take users to credential phishing pages.

In a related development, Symantec, part of Broadcom Software, shed light on a “very small” and “targeted” malware campaign that leverages a previously undocumented .NET-based implant dubbed Frebniis. The attacks are estimated to be “less than a handful” and “very focused on Taiwan.”

“The technique used by Frebniis involves injecting malicious code into the memory of a DLL file (iisfreb.dll) related to an IIS feature used to troubleshoot and analyze failed web page requests,” Symantec said.

“This allows the malware to stealthily monitor all HTTP requests and recognize specially formatted HTTP requests sent by the attacker, allowing for remote code execution.”

The cybersecurity firm, which attributed the intrusions to an unidentified actor, said it’s currently not known how access to the Windows machine running the Internet Information Services (IIS) server was obtained.

Found this article interesting then comments or share in your circle.

For cyber security related free consultation click here

Technogeek Online
Technogeek Onlinehttps://technogeek.online
Technogeek Online mission is to be a digital for technical decision-makers to gain knowledge about transformative technology. We deliver essential information on cyber technologies and strategies to guide you as you lead your organizations. We are inviting you to become a member of our community.


- Never miss a story with notifications

- Gain full access to our premium content

- Browse free from up to 5 devices at once

Latest stories


Please enter your comment!
Please enter your name here