ESET researchers discovered a malware campaign that targets Chinese-speaking people in Southeast and East Asia. The attackers bought misleading advertisements that appear in Google search results and lead to the download of Trojanized installers. The unknown attackers created fake websites that look identical to those of popular applications such as Firefox, WhatsApp, Signal, Skype, and Telegram; these sites deliver the legitimate software but also FatalRAT, a remote access Trojan that grants the attacker control of the victimized computer. The attacks affected users mostly in mainland China, Hong Kong, and Taiwan, but also in Southeast Asia and Japan.
FatalRAT provides a set of functionalities to perform various malicious activities on a victim’s computer. Among other capabilities, the malware can capture keystrokes, steal or delete data stored by some browsers, and download and execute files. ESET Research observed these attacks between August 2022 and January 2023, but according to our telemetry, previous versions of the installers have been used since at least May 2022.
The attackers registered various domain names that all pointed to the same IP address: a server hosting multiple websites that download Trojanized software. Most of these websites look identical to their legitimate counterparts but deliver malicious installers instead. The other websites, possibly translated by the attackers, offer Chinese-language versions of software that is not available in China, such as Telegram. While, in theory, there are many possible ways that potential victims can be directed to these fake websites, a Chinese-language news site reported that its readers were being shown an advertisement leading to one of these malicious websites when they searched for the Firefox browser in Google. The attackers purchased advertisements to position their malicious websites in the “sponsored” section of Google search results; we reported these ads to Google and they were promptly removed.
“Although we couldn’t reproduce such search results, we believe that the ads were only served to users in the targeted region,” explains Matías Porolli, the ESET researcher who discovered the campaign. “Since many of the domain names that the attackers registered for their websites are very similar to the legitimate domains, it is also possible that the attackers rely on URL hijacking to attract potential victims to their websites,” he adds.
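Two details above are directly usable for detection: the attackers' domains were registered to resemble the legitimate vendors' domains, and they all resolved to one IP address. The script below, an added example that is not ESET's code and not part of the original report, triages a DNS/proxy log against a defender-maintained allowlist of vendor domains (an assumption; the vendor domains listed are real, the observed log and all `.example` names and TEST-NET addresses are constructed) and then clusters the flagged domains by resolved IP to surface shared infrastructure. Look-alike checks cover digit/letter homoglyphs such as `0` for `o` and `rn` for `m`, one- or two-character typos, swapped TLDs, and brand names embedded in longer labels.

```python
import re
from collections import defaultdict

# Assumption: the defender keeps an allowlist of legitimate registrable domains
# for the software brands seen in this campaign.
LEGIT_DOMAINS = {"mozilla.org", "firefox.com", "whatsapp.com",
                 "signal.org", "skype.com", "telegram.org"}

# Character sequences commonly substituted in look-alike names -> canonical form.
# Multi-character entries come first so they are folded before single characters.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed sample log of (queried domain, answer IP); .example names and
# 198.51.100.x / 203.0.113.x addresses are documentation values, not real hosts.
OBSERVED = [
    ("www.mozilla.org", "203.0.113.10"),
    ("firef0x.example", "198.51.100.7"),
    ("telegrarn.example", "198.51.100.7"),
    ("skypee.example", "198.51.100.7"),
    ("signal-download-cn.example", "198.51.100.7"),
    ("whatsapp.example", "198.51.100.7"),
    ("news.example", "203.0.113.99"),
    ("signal.org", "203.0.113.20"),
]


def registrable(domain):
    """Naive registrable domain: last two labels (no public-suffix handling)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def canonical(label):
    """Fold confusable sequences and drop non-letters to compare brands."""
    s = label.lower()
    for seq, repl in CONFUSABLES:
        s = s.replace(seq, repl)
    return re.sub(r"[^a-z]", "", s)


def levenshtein(a, b):
    """Standard edit distance via a rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return (verdict, mimicked_legit_domain_or_None) for one observed domain."""
    reg = registrable(domain)
    if reg in LEGIT_DOMAINS:
        return ("legit", reg)
    name = reg.split(".")[0]
    cn = canonical(name)
    for legit in sorted(LEGIT_DOMAINS):
        brand = legit.split(".")[0]
        if cn == brand:
            # Same brand label: either only the TLD differs, or confusables were used.
            return ("tld-swap" if name == brand else "homoglyph", legit)
        threshold = 1 if len(brand) <= 5 else 2   # short brands get a stricter bound
        if levenshtein(cn, brand) <= threshold:
            return ("typo", legit)
        if brand in cn:
            return ("brand-embedded", legit)
    return ("unknown", None)


def triage(observed):
    """Classify every observed domain; returns a list of (domain, verdict, mimicked)."""
    return [(d, *classify(d)) for d, _ip in observed]


def shared_infrastructure(observed, min_domains=2):
    """Group flagged (non-legit, non-unknown) domains by answer IP; report IPs
    that host at least `min_domains` of them, which is the pattern described above."""
    by_ip = defaultdict(set)
    for domain, ip in observed:
        verdict, _ = classify(domain)
        if verdict not in ("legit", "unknown"):
            by_ip[ip].add(registrable(domain))
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) >= min_domains}


if __name__ == "__main__":
    for row in triage(OBSERVED):
        print(row)
    print(shared_infrastructure(OBSERVED))
```

In practice the allowlist should be the organization's sanctioned download sources, the log should be the resolver's query/answer pairs, and an IP that clusters several look-alike domains is a candidate for blocking at the proxy or resolver rather than blocking domains one at a time.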
“It is possible that the attackers are solely interested in the theft of information like web credentials to sell them on underground forums, or to use them for another type of crimeware campaign, but for now, specific attribution of this campaign to a known or new threat actor is not possible,” elaborates Porolli.
“Finally, it is important to check the URL that we are visiting before we download software. Even better, type it into your browser’s address bar after checking that it is the actual vendor site,” advises Porolli.