Fake installers are tricking victims into installing malware
Chinese targets hit with fake Telegram installers
Hackers have once again been found abusing Google Ads to deliver malware - this time, hitting Chinese-speaking targets living in Southeast and East Asia.
Cybersecurity experts at ESET found that unidentified threat actors created multiple malicious landing pages, all impersonating major programs, some of which are unavailable in China: Firefox, WhatsApp, Signal, Skype, and Telegram.
The landing pages are all hosted on the same server, which also hosts the programs. But when downloading the payload, the victims would get both the legitimate software, and FatalRAT, a remote access trojan that allows the threat actors control over the target endpoint.
FatalRAT
FatalRAT is capable of doing all sorts of nasty things - logging keystrokes, stealing data stored in the browsers, and downloading and running additional programs. The researchers said that this version of the trojan has been in use at least since August 2022, but older versions were in use even earlier - in May.
To distribute the malware, the attackers abused Google Ads, meaning that when someone searches for any of the abovementioned programs on the famed search engine, they would get the malicious landing pages very high up in the search results pages.
Researchers couldn’t reproduce the search results but claim that the hackers were probably engaged in URL hijacking:
“Although we couldn’t reproduce such search results, we believe that the ads were only served to users in the targeted region,” said ESET researcher Matías Porolli. “Since many of the domain names that the attackers registered for their websites are very similar to the legitimate domains, it is also possible that the attackers rely on URL hijacking to attract potential victims to their websites,” he added.
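The lookalike domains Porolli describes are something a defender can screen for in DNS or proxy logs. The following script is an added example, not code from ESET or from the article: it normalizes each hostname (strips "www.", collapses common digit-for-letter substitutions, drops hyphens) and compares the second-level label against a small list of legitimate domains for the impersonated programs using edit distance and brand-token containment. The legitimate-domain list, the thresholds, and all sample hostnames are assumptions constructed for the demonstration; none of the flagged names are domains from the ESET report, and the registrable-domain logic is a naive last-two-labels rule rather than a public suffix list lookup.

```python
import re

# Assumed legitimate domains for the programs named in the article.
LEGIT_DOMAINS = {"telegram.org", "signal.org", "whatsapp.com", "skype.com", "mozilla.org"}

# Constructed sample hostnames, as they might appear in a DNS or proxy log.
# None of these come from the ESET report; they are made up for this example.
SAMPLE_HOSTNAMES = [
    "telegram.org",        # genuine
    "telegarm.org",        # transposed letters
    "signal-app.org",      # brand token plus an extra word
    "whatsaap.com",        # repeated letter
    "www.skype.com",       # genuine, with www prefix
    "skype-download.top",  # brand token on an unrelated TLD
    "example.com",         # unrelated
]

# Digits commonly used in place of visually similar letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(hostname: str) -> str:
    """Naive registrable domain: the last two labels (assumption; no public suffix list)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize_label(label: str) -> str:
    """Map homoglyph digits to letters and drop anything that is not a-z."""
    return re.sub(r"[^a-z]", "", label.translate(HOMOGLYPHS))


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname: str):
    """Return ('legitimate', domain), ('lookalike', brand_domain) or ('unrelated', None)."""
    dom = registrable_domain(hostname)
    if dom in LEGIT_DOMAINS:
        return ("legitimate", dom)
    sld = normalize_label(dom.split(".")[0])
    best_brand, best_score = None, None
    for brand in sorted(LEGIT_DOMAINS):
        brand_sld = brand.split(".")[0]
        if brand_sld in sld:
            score = 0  # brand name embedded in the label, e.g. skype-download
        else:
            dist = levenshtein(sld, brand_sld)
            # Short brand names tolerate only one edit to limit false positives.
            limit = 1 if len(brand_sld) <= 5 else 2
            score = dist if dist <= limit else None
        if score is not None and (best_score is None or score < best_score):
            best_brand, best_score = brand, score
    if best_brand is None:
        return ("unrelated", None)
    return ("lookalike", best_brand)


def scan(hostnames):
    """Return [(hostname, verdict, matched_domain)] for every hostname given."""
    return [(h, *classify(h)) for h in hostnames]


if __name__ == "__main__":
    for host, verdict, match in scan(SAMPLE_HOSTNAMES):
        print(f"{host:22s} {verdict:10s} {match or ''}")
```

Run against the sample list, the script marks telegarm.org, signal-app.org, whatsaap.com and skype-download.top as lookalikes of their respective brands and leaves example.com unflagged. The containment rule will also flag benign names that happen to embed a short brand word, so in practice the output is a triage list for review rather than a block list.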
The hackers’ endgame is unknown, too, researchers said, speculating that they could just be after credentials, in order to sell them for profit.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.