Attackers Use a Poisoned Google Search to Target Chinese-speaking Individuals

A new campaign has been discovered that promotes malicious websites and fake installers through tainted Google Search results. Its payload, FatalRAT, primarily targets Chinese speakers in East and Southeast Asia. The indicators of compromise (IOCs) from this activity did not match any previously identified threat group.
According to telemetry collected by ESET researchers, the campaign ran from May 2022 until January 2023. Most victims were located in China, Hong Kong, and Taiwan, with further attacks observed in Thailand, Singapore, Indonesia, the Philippines, Japan, Malaysia, and Myanmar. The attackers promoted rogue websites hosting trojanized installers through paid Google advertisements, which have since been removed.
To host the malicious websites, the attackers registered several typosquatted look-alikes of legitimate domains (for example telegraem[.]org imitating telegram[.]org). These bogus domains serve websites that look identical to the real ones, and they all resolve to the same IP address. That address belongs to a server hosting multiple fake websites and tainted installers, alongside the genuine installers and the FatalRAT loader.
Because Chinese-language versions of these genuine applications are not available in China, the spoofed websites and installers are disguised as official Chinese-language downloads. The impersonated applications include Telegram, LINE, WhatsApp, Signal, Skype, Google Chrome, Mozilla Firefox, WPS Office, Electrum, Sogou Pinyin Method, and Youdao.
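The two paragraphs above describe the campaign's infrastructure pattern: look-alike domains for well-known brands that all resolve to one shared IP address. The following detection logic is an added example, not ESET's tooling or anything from the article; the brand list comes from the article, while the domain names and IP addresses below are constructed sample data.

```python
"""Flag look-alike (typosquatted) domains and group them by resolved IP.
Added example for this article; DNS records below are constructed."""

# Second-level labels of the legitimate brands the campaign imitated.
LEGIT_LABELS = {"telegram", "line", "whatsapp", "signal", "skype",
                "google", "mozilla", "wps", "electrum", "sogou", "youdao"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label of a plain or defanged domain, e.g. 'telegraem'."""
    parts = domain.lower().replace("[.]", ".").strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_brand(domain: str):
    """Return the legitimate label this domain imitates, or None.
    The threshold scales with label length to limit false positives on
    very short labels such as 'wps' or 'line'."""
    label = registrable_label(domain)
    if label in LEGIT_LABELS:
        return None                      # the genuine domain itself
    max_distance = 1 if len(label) <= 5 else 2
    best = min(LEGIT_LABELS, key=lambda brand: levenshtein(label, brand))
    return best if levenshtein(label, best) <= max_distance else None


def cluster_by_ip(resolutions):
    """Group flagged domains by resolved IP. Several look-alikes sharing
    one address is the shared-hosting pattern the article describes."""
    clusters = {}
    for domain, ip in resolutions:
        brand = lookalike_brand(domain)
        if brand:
            clusters.setdefault(ip, []).append((domain, brand))
    return clusters


SAMPLE_RESOLUTIONS = [                   # constructed DNS records
    ("telegraem[.]org", "203.0.113.10"),
    ("whatsaap[.]net", "203.0.113.10"),
    ("skyppe[.]org", "203.0.113.10"),
    ("telegram[.]org", "198.51.100.5"),  # genuine, must not be flagged
    ("example[.]com", "203.0.113.20"),   # unrelated domain
]
```

Running `cluster_by_ip(SAMPLE_RESOLUTIONS)` returns a single cluster for 203.0.113.10 holding the three look-alikes, each paired with the brand it imitates.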
The tainted installers were hosted on Alibaba Cloud Object Storage Service, separate from the server hosting the websites. The installers are MSI files created and digitally signed with Advanced Installer.
When run, an installer drops and executes a genuine installer, a malicious loader, an updater, and finally the FatalRAT payload. Once a device is infected, the malware gives the attacker full control over it, including remotely executing commands, harvesting data from web browsers, running files, and capturing keystrokes.
According to the researchers, the tactics used in this attack are not highly sophisticated; however, the attackers invested considerable effort in making the campaign look legitimate, using paid Google ads, look-alike domain names, and tainted installers that still carry the genuine software. Users should be cautious before clicking on links promoted as advertisements and verify where such links actually lead.
(c) cysecurity.news
