Hackers Using Google Ads to Spread FatalRAT Malware Disguised as Popular Apps

Feb 16, 2023Ravie LakshmananAd Fraud / Malware

Chinese-speaking individuals in Southeast and East Asia are the
targets of a new rogue Google Ads campaign that delivers remote
access trojans such as FatalRAT to compromised machines.

The attacks involve purchasing ad slots to appear in Google
search results that direct users searching for popular applications
to rogue websites hosting trojanized installers, ESET said in a
report published today. The ads have since been taken down.

Some of the spoofed applications include Google Chrome, Mozilla
Firefox, Telegram, WhatsApp, LINE, Signal, Skype, Electrum, Sogou
Pinyin Method, Youdao, and WPS Office.

“The websites and installers downloaded from them are mostly in
Chinese and in some cases falsely offer Chinese language versions
of software that is not available in China,” the Slovak
cybersecurity firm said^[1], adding it observed the
attacks between August 2022 and January 2023.

A majority of the victims are located in Taiwan, China, and Hong
Kong, followed by Malaysia, Japan, the Philippines, Thailand,
Singapore, Indonesia, and Myanmar.

The most important aspect of the attacks is the creation of
lookalike websites with typosquatted domains to propagate the
malicious installer, which, in an attempt to keep up the ruse,
installs the legitimate software, but also drops a loader that
deploys FatalRAT.

In doing so, it grants the attacker complete control of the
victimized computer, including executing arbitrary shell commands,
running files, harvesting data from web browsers, and capturing
keystrokes.

“The attackers have expended some effort regarding the domain
names used for their websites, trying to be as similar to the
official names as possible,” the researchers said. “The fake
websites are, in most cases, identical copies of the legitimate
sites.”

The findings arrive less than a year after Trend Micro disclosed^[2]
a Purple Fox campaign that leveraged tainted software packages
mimicking Adobe, Google Chrome, Telegram, and WhatsApp as an
arrival vector to propagate FatalRAT.

They also arrive amid a broader abuse of Google Ads^[3] to serve a wide range of
malware, or alternatively, take users to credential phishing
pages.

In a related development, Symantec’s Threat Hunter Team shed
light on another malware campaign that targets entities in Taiwan
with a previously undocumented .NET-based implant dubbed
Frebniis.

“The technique used by Frebniis involves injecting malicious
code into the memory of a DLL file (iisfreb.dll) related to an IIS
feature used to troubleshoot and analyze failed web page requests,”
Symantec said^[4].

“This allows the malware to stealthily monitor all HTTP requests
and recognize specially formatted HTTP requests sent by the
attacker, allowing for remote code execution.”

The cybersecurity firm, which attributed the intrusion to an
unidentified actor, said it’s currently not known how access to the
Windows machine running the Internet Information Services (IIS^[5]) server was
obtained.