2024-01-27

A malvertising campaign targeting Chinese-speaking users has been identified, with malicious Google ads promoting fake messaging apps. Malwarebytes’ Jérôme Segura reported that threat actors are exploiting Google advertiser accounts to create these harmful ads, leading users to download Remote Administration Trojans (RATs). These malicious programs grant attackers full control over victims’ machines, allowing them to deploy additional malware.

Named FakeAPP, this campaign is a continuation of a previous attack wave that focused on Hong Kong users searching for messaging apps in late October 2023. The recent phase of the campaign now includes the messaging app LINE, redirecting users to fake websites hosted on Google Docs or Google Sites.

Malicious Ads on Google Target Chinese Users with Fake Messaging Apps


The Google infrastructure is manipulated to embed links to other sites controlled by the threat actor, facilitating the delivery of malicious installer files. These files lead to the deployment of trojans such as PlugX and Gh0st RAT.

Malwarebytes traced the fraudulent ads to two advertiser accounts, Interactive Communication Team Limited and Ringier Media Nigeria Limited, both based in Nigeria. Segura noted that the threat actor prioritizes quantity over quality, consistently introducing new payloads and infrastructure as part of their command-and-control strategy.

In a related development, Trustwave SpiderLabs reported an increase in the use of a phishing-as-a-service (PhaaS) platform called Greatness. This platform creates legitimate-looking credential harvesting pages that specifically target Microsoft 365 users. Greatness allows for the personalization of various elements, enhancing the phishing attack’s relevance and engagement. It comes equipped with anti-detection measures to bypass spam filters and security systems. Sold for $120 per month, Greatness makes phishing attacks more accessible, enabling criminals to conduct large-scale attacks.

The phishing attack involves sending emails with malicious HTML attachments that redirect recipients to fake login pages. The kit then captures the entered login credentials and sends them to the threat actors via Telegram. The attack messages often impersonate trusted sources such as banks or employers, creating a false sense of urgency with subjects like “urgent invoice payments” or “urgent account verification required.”

Meanwhile, phishing attacks are also targeting South Korean companies, using lures that impersonate tech companies like Kakao. These attacks distribute AsyncRAT through malicious Windows shortcut (LNK) files. The shortcut files, disguised as legitimate documents, can deceive users because Windows does not display the ‘.LNK’ extension in file names.
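As an added triage example (not part of the report, and not code from any vendor mentioned): a defender-side check that flags a shortcut whose name reads as a document once Explorer hides ‘.lnk’, combined with two indicators read from the fixed ShellLinkHeader layout defined in MS-SHLLINK (command-line arguments present, window launched minimized). The document-extension list and the sample headers are assumptions constructed for the example.

```python
import struct

# ShellLinkHeader constants from MS-SHLLINK (not from the article).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ARGUMENTS = 0x00000020      # LinkFlags bit: a command line follows
SW_SHOWMINNOACTIVE = 7          # ShowCommand: target starts minimized

# Assumed set of extensions a lure would imitate.
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".hwp", ".txt")


def disguised_name(filename: str) -> bool:
    """True when the name before '.lnk' ends in a document extension,
    i.e. the file reads as a document once Explorer hides '.lnk'."""
    name = filename.lower()
    if not name.endswith(".lnk"):
        return False
    return name[:-4].endswith(DOCUMENT_EXTS)


def triage_lnk(filename: str, data: bytes) -> dict:
    """Parse the fixed 76-byte ShellLinkHeader and return triage indicators."""
    result = {"valid_lnk": False, "disguised_name": disguised_name(filename),
              "has_arguments": False, "hidden_window": False}
    if len(data) < LNK_HEADER_SIZE:
        return result
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        return result                      # not a shell link at all
    (link_flags,) = struct.unpack_from("<I", data, 20)
    (show_command,) = struct.unpack_from("<I", data, 60)
    result["valid_lnk"] = True
    result["has_arguments"] = bool(link_flags & HAS_ARGUMENTS)
    result["hidden_window"] = show_command == SW_SHOWMINNOACTIVE
    return result


def is_suspicious(filename: str, data: bytes) -> bool:
    """A document-looking shortcut that passes arguments or hides its window."""
    r = triage_lnk(filename, data)
    return r["valid_lnk"] and r["disguised_name"] and (
        r["has_arguments"] or r["hidden_window"])


def make_header(link_flags: int, show_command: int) -> bytes:
    """Constructed sample header (zeroed timestamps, size and hotkey)."""
    return struct.pack("<I16sII8s8s8sIIIHHII", LNK_HEADER_SIZE, LNK_CLSID,
                       link_flags, 0x20, b"\0" * 8, b"\0" * 8, b"\0" * 8,
                       0, 0, show_command, 0, 0, 0, 0)
```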
