If You Speak Chinese, You Are a Target
- By CDOTrends editors
- February 21, 2023
Malicious actors have long used fake installers to infect users’ computers with malware. From ransomware that cryptographically locks users’ files to malicious browser extensions, fake installers are a significant source of cybercrime.
Recently, ESET researchers have discovered a malicious campaign targeting Chinese-speaking people in Southeast and East Asia, including China, Hong Kong, Taiwan, Malaysia, Japan, the Philippines, Thailand, Singapore, Indonesia and Myanmar.
By buying misleading advertisements on Google search results, attackers have led unsuspecting victims to download Trojanized installers of popular applications such as Firefox, WhatsApp, Signal, Skype, and Telegram.
They purchased advertisements to position their malicious websites in the "sponsored" section of Google search results. Using various domain names, they pointed all the domains to a server hosting multiple malicious websites.
These websites were designed to look identical to the legitimate versions but delivered malicious installers instead. Victims were shown links to these malicious websites when they searched for applications not available in Chinese.
“Although we couldn’t reproduce such search results, we believe the ads were only served to users in the targeted region. Since many of the domain names that the attackers registered for their websites are very similar to the legitimate domains, it is also possible that the attackers rely on URL hijacking to attract potential victims to their websites,” said Matías Porolli, the ESET researcher who discovered the campaign.
Attackers used these malicious installers to deploy FatalRAT, a remote access Trojan that offers a range of functionalities and can perform several malicious activities on victims’ computers.
FatalRAT can capture keystrokes, steal or delete data stored by browsers, and download and execute files. ESET Research observed these attacks between August 2022 and January 2023, but according to its telemetry, previous versions of the installers have been used since at least May 2022.
ESET researchers also reported the campaign to Google, which promptly removed the offending advertisements.
“It is possible that the attackers are solely interested in the theft of information like web credentials to sell them on underground forums or to use them for another type of crimeware campaign, but for now, specific attribution of this campaign to a known or new threat actor is not possible,” he elaborated.
Porolli advised users to be extra vigilant when downloading software from the internet, particularly from third-party sources. He said it is essential to check the URL they are visiting before downloading the software. “Even better, type it into your browser’s address bar after checking that it is the actual vendor site,” he said.
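The advice above, to check the URL before downloading anything, can be partly automated on the defender side. The following script is an added example, not code from ESET or CDOTrends: it classifies download URLs against an allowlist of vendor domains for the applications named in the article and flags hostnames that merely resemble them (digit-for-letter swaps, the "rn" for "m" trick, a brand name hosted under an unrelated domain, or a second-level label within a small edit distance of the real one). The allowlist, the confusable-character table and the sample URLs are all constructed assumptions for illustration; the sample hostnames are placeholders, not domains observed in the campaign.

```python
"""Flag lookalike download domains against a vendor allowlist.

Added example (not ESET's or CDOTrends' code). VENDOR_DOMAINS, CONFUSABLES
and SAMPLE_URLS are constructed for illustration; verify any allowlist
against the vendor before relying on it.
"""
from urllib.parse import urlparse

# Assumed legitimate download domains for the applications named in the article.
VENDOR_DOMAINS = {
    "firefox": "mozilla.org",
    "whatsapp": "whatsapp.com",
    "signal": "signal.org",
    "skype": "skype.com",
    "telegram": "telegram.org",
}

# Digit-for-letter substitutions commonly seen in lookalike names (assumed table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: multi-part public
    suffixes such as .com.tw are not handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def fold(name: str) -> str:
    """Normalise confusable digits and the 'rn' -> 'm' trick before comparing."""
    return name.translate(CONFUSABLES).replace("rn", "m")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'legitimate', 'lookalike' or 'unknown'."""
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in VENDOR_DOMAINS.values():
        return "legitimate", domain
    folded_host = fold(host)
    sld = fold(domain.split(".", 1)[0])
    for brand, legit in VENDOR_DOMAINS.items():
        legit_sld = legit.split(".", 1)[0]
        # Brand or vendor label present anywhere in the host, but the
        # registrable domain is not the vendor's (covers subdomain abuse).
        if brand in folded_host or legit_sld in folded_host:
            return "lookalike", f"contains '{brand}' but is not {legit}"
        # Short vendor labels get a tighter threshold to limit false positives.
        threshold = 1 if len(legit_sld) <= 5 else 2
        if levenshtein(sld, legit_sld) <= threshold:
            return "lookalike", f"'{sld}' is within edit distance {threshold} of '{legit_sld}'"
    return "unknown", domain


def scan(urls: list[str]) -> list[tuple[str, str, str]]:
    """Classify each URL; returns (url, verdict, reason) triples."""
    return [(u, *classify(u)) for u in urls]


# Constructed sample input: placeholder hostnames, not real campaign indicators.
SAMPLE_URLS = [
    "https://www.telegram.org/dl",
    "https://telegrarn-download.test/setup.exe",
    "https://signa1.test/",
    "https://whatsapp.example-cdn.test/installer",
    "https://skyper.test/",
    "https://example.test/",
]

if __name__ == "__main__":
    for url, verdict, reason in scan(SAMPLE_URLS):
        print(f"{verdict:10} {url}  ({reason})")
```

Allowlist hits short-circuit before any fuzzy matching, so a genuine vendor domain is never reported as a lookalike; everything else that carries a brand name or sits one or two edits away from a vendor label is surfaced for review rather than blocked outright, since short brand names will occasionally collide with unrelated words.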
Image credit: iStockphoto/ShadeON