Malicious ads on Google target Chinese users with fake messaging apps

Malicious Ads on Google

Chinese-speaking users have been targeted by malicious Google ads for restricted messaging apps like Telegram as part of an ongoing malvertising campaign.

“The threat actor abuses Google advertiser accounts to create malicious advertisements and redirect them to pages where unsuspecting users will download Remote Administration Trojans (RATs) instead,” Jérôme Segura of Malwarebytes said in a Thursday report. “Such programs give an attacker complete control over a victim’s machine and the ability to plant additional malware.”

The activity, codenamed FakeAPP, is a continuation of an earlier wave of attacks that targeted Hong Kong users searching for messaging apps such as WhatsApp and Telegram on search engines in late October 2023.

The latest iteration of the campaign adds the messaging app LINE to the list of lures, redirecting users to fake websites hosted on Google Docs or Google Sites.

Google’s infrastructure is used to embed links to other sites under the threat actor’s control, which serve the malicious installation files that ultimately deploy trojans such as PlugX and Gh0st RAT.

Malwarebytes said it traced the fraudulent ads to two advertiser accounts, Interactive Communications Team Limited and Ringier Media Nigeria Limited, both based in Nigeria.

“It also appears that the threat actor is choosing quantity over quality by continually pushing new payloads and command-and-control infrastructure,” Segura said.

The development comes as Trustwave SpiderLabs revealed a spike in the use of a phishing-as-a-service (PhaaS) platform called Greatness to create legitimate-looking credential collection pages targeting Microsoft 365 users.


“The kit allows you to personalize sender names, email addresses, subjects, messages, attachments and QR codes, increasing relevance and engagement,” the company said, adding that it comes with anti-detection measures such as header randomization, encryption and obfuscation intended to bypass spam filters and security systems.

Greatness is offered for sale to other criminal actors for $120 per month, effectively lowering the barrier to entry and helping them launch attacks on a large scale.

Attack chains involve sending phishing emails with malicious HTML attachments that, when opened by recipients, direct them to a fake login page that captures the credentials entered and exfiltrates the details to the threat actor via Telegram.

Other infection sequences have used the attachments to plant malware on the victim’s machine to facilitate information theft.

To increase the attack’s chance of success, the emails spoof trusted sources such as banks and employers and create a false sense of urgency with topics such as “urgent bill payments” or “urgent account verification required.”

“The number of victims is unknown at this time, but Greatness is widely used and well supported, with its own Telegram community providing information on how to operate the kit, along with additional tips and tricks,” Trustwave said.


Phishing attacks have also been observed targeting South Korean companies using decoys posing as tech companies like Kakao to distribute AsyncRAT via malicious Windows shortcut (LNK) files.

“Malicious shortcut files disguised as legitimate documents are constantly being distributed,” the AhnLab Security Intelligence Center (ASEC) said. “Users may mistake the shortcut file for a normal document because the ‘.LNK’ extension is not visible in the file names.”
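As an added example, not code from the ASEC report or this article, the following Python check flags the lure described above: a Windows shortcut whose hidden “.LNK” extension sits behind a document-looking name such as “notice.pdf.lnk”. The header constant is the Shell Link header from the public [MS-SHLLINK] format; the document-extension list and the sample files are assumptions constructed for the demo.

```python
import re

# [MS-SHLLINK] ShellLinkHeader: HeaderSize (0x4C, little-endian) followed by
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000" "000000000046")

# Document-like extensions often placed in front of a hidden ".lnk" (assumed list).
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "hwp", "txt", "jpg", "png"}

def is_lnk(data: bytes) -> bool:
    """True if the bytes begin with a Shell Link header, whatever the file is named."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC

def displayed_name(filename: str) -> str:
    """Name as Explorer shows it with 'hide extensions' on: a trailing .lnk is dropped."""
    return filename[:-4] if filename.lower().endswith(".lnk") else filename

def disguised_as_document(filename: str) -> bool:
    """'invoice.pdf.lnk' is displayed as 'invoice.pdf', so it looks like a document."""
    shown = displayed_name(filename)
    if shown == filename:          # not a .lnk name at all
        return False
    m = re.search(r"\.([a-z0-9]{1,5})$", shown.lower())
    return bool(m) and m.group(1) in DOC_EXTS

def classify(filename: str, data: bytes) -> str:
    """Verdict for one attachment: name and header are checked together."""
    lnk = is_lnk(data)
    if lnk and disguised_as_document(filename):
        return "suspicious: shortcut disguised as document"
    if lnk and not filename.lower().endswith(".lnk"):
        return "suspicious: shortcut header with non-.lnk extension"
    if lnk:
        return "shortcut"
    return "not a shortcut"

# Constructed sample inputs (not real attachments): a fake LNK header padded to
# the 76-byte header size, and a zip-based Office document starting with 'PK'.
SAMPLE_LNK = LNK_MAGIC + b"\x00" * (76 - len(LNK_MAGIC))
SAMPLE_FILES = {
    "Kakao_notice.pdf.lnk": SAMPLE_LNK,
    "quarterly_report.docx": b"PK\x03\x04" + b"\x00" * 60,
    "Desktop shortcut.lnk": SAMPLE_LNK,
    "photo.jpg": SAMPLE_LNK,
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name!r:26} -> {classify(name, data)}")
```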
