Researchers at Malwarebytes warn that a malvertising campaign is targeting Chinese-speaking users with phony ads for encrypted messaging apps. The ads impersonate apps that are restricted in China, such as Telegram or LINE.
“The threat actor is abusing Google advertiser accounts to create malicious ads and pointing them to pages where unsuspecting users will download Remote Administration Trojans (RATs) instead,” Malwarebytes says.
“Such programs give an attacker full control of a victim’s machine and the ability to drop additional malware. It may not be a coincidence that the malvertising campaigns are primarily focused on restricted or banned applications. While we don’t know the threat actor’s true intentions, data collection and spying may be one of their motives.”
The ads deliver a mix of new and old malware, including a strain of Gh0st RAT. Malwarebytes doesn’t attribute the campaign to any particular threat actor, but notes that the ads are targeting people who may be interested in bypassing China’s strict laws around encrypted messaging.
“Online ads are an effective way to reach a certain audience, and of course they can be misused as well,” the researchers write. “People (such as activists) who live in countries where encrypted communication tools are banned or restricted will attempt to bypass these measures. It appears that a threat actor is luring potential victims with such ads. The payloads are consistent with threats observed in the South Asia region, and we see similar techniques such as DLL side-loading, which is quite popular with many RATs. This type of malware is ideal for gathering information about someone and silently dropping additional components if and when necessary. We have notified Google regarding the malicious ads and have reported the supporting infrastructure to the relevant parties.”
KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Malwarebytes has the story.