A new malicious campaign has been detected leveraging poisoned Google Search results to promote malicious websites and fake installers. It is primarily targeting Chinese individuals in East and Southeast Asia with FatalRAT. The IOCs of the threat activities did not match with any already identified threat group.
What has been detected?
Telemetry data collected by ESET researchers suggest that the campaign started in May 2022 and was active until January 2023.
- China, Hong Kong, and Taiwan have the highest number of targeted victims, while attacks were observed in Thailand, Singapore, Indonesia, the Philippines, Japan, Malaysia, and Myanmar.
- Attackers used paid advertisements on Google to promote their rogue websites hosting trojanized installers. These ads have been taken down now.
Spoofing by typosquatting
To host the rogue websites, attackers registered several fake typosquatted domains (such as telegraem[.]org) that are similar to genuine ones (telegram[.]org).
- These fake domains host lookalike websites as the real application and all of them point to the same IP address. This IP belongs to a server hosting multiple fake websites and tainted installers, carrying actual installers as well as the FatalRAT loader.
- The websites and installers are camouflaged as the Chinese language versions of genuine software applications are not available in China.
- The spoofed applications include Telegram, LINE, WhatsApp, Signal, Skype, Google Chrome, Mozilla Firefox, WPS Office, Electrum, Sogou Pinyin Method, and Youdao.
The installers and the payload
The attackers hosted the tainted installers on an Alibaba Cloud Object Storage Service, isolating it from the server where websites are hosted.
- The installers are MSI files that are created and digitally signed via Advanced Installer.
- When executed, these installers would drop and execute multiple components, including a genuine installer, a malicious loader, an updater, and eventually the FatalRAT payload.
- Upon infection, the malware provides the attacker with complete control of the victimized device and enables them to execute commands remotely, harvest data from web browsers, run files, and capture keystrokes.
Concluding note
The tactics used in this attack are not highly sophisticated as per researchers, however, attackers have made several attempts to make it look like one by using paid Google ads, fake domain names, and tainted installers carrying genuine software. Users need to be conscious and diligently perform multiple mental checks while clicking on links promoted as ads.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/596c_shutterstock_1936992973.jpeg)
/https://cyware-ent.s3.amazonaws.com/image_bank/2512_shutterstock_2010566354.jpg)
