Fake installers for popular apps targeting Southeast and East Asia with dangerous Trojan, ESET Research discovers
Created: 2023-02-20 06:18:48
- ESET researchers discovered a malware campaign that targets Chinese-speaking people in Southeast and East Asia.
- The attackers purchased advertisements to position their malicious websites in the "sponsored" section of Google search results. ESET reported these ads to Google and they were promptly removed.
- The websites and installers downloaded from them are mostly in Chinese and, in some cases, falsely offer Chinese-language versions of software that is not available in China.
- We observed victims mostly in Southeast and East Asia, suggesting that the advertisements were targeting that region.
- The malware delivered by this campaign is FatalRAT, a remote access Trojan that provides a set of functionalities to perform various malicious activities on a victim’s computer.
BRATISLAVA, MONTREAL — February 16, 2023 — ESET researchers discovered a malware campaign that targets Chinese-speaking people in Southeast and East Asia by buying misleading advertisements to appear in Google search results that lead to downloading Trojanized installers. The unknown attackers created fake websites that look identical to those of popular applications such as Firefox, WhatsApp, Signal, Skype, and Telegram, but in addition to providing the legitimate software, also deliver FatalRAT, a remote access Trojan that grants the attacker control of the victimized computer. The attacks affected users mostly in mainland China, Hong Kong, and Taiwan, but also in Southeast Asia and Japan.
FatalRAT provides a set of functionalities to perform various malicious activities on a victim’s computer. Among other capabilities, the malware can capture keystrokes, steal or delete data stored by some browsers, and download and execute files. ESET Research observed these attacks between August 2022 and January 2023, but according to our telemetry, previous versions of the installers have been used since at least May 2022.
The attackers registered various domain names that all pointed to the same IP address: a server hosting multiple websites that download Trojanized software. Most of these websites look identical to their legitimate counterparts but deliver malicious installers instead. The other websites, possibly translated by the attackers, offer Chinese-language versions of software that is not available in China, such as Telegram. While, in theory, there are many possible ways that potential victims can be directed to these fake websites, a Chinese-language news site reported that they were being shown an advertisement that led to one of these malicious websites when searching for the Firefox browser in Google. The attackers purchased advertisements to position their malicious websites in the "sponsored" section of Google search results; we reported these ads to Google and they were promptly removed.
“Although we couldn’t reproduce such search results, we believe that the ads were only served to users in the targeted region,” explains Matías Porolli, the ESET researcher who discovered the campaign. “Since many of the domain names that the attackers registered for their websites are very similar to the legitimate domains, it is also possible that the attackers rely on URL hijacking to attract potential victims to their websites,” he adds.
“It is possible that the attackers are solely interested in the theft of information like web credentials to sell them on underground forums, or to use them for another type of crimeware campaign, but for now, specific attribution of this campaign to a known or new threat actor is not possible,” elaborates Porolli. “Finally, it is important to check the URL that we are visiting before we download software. Even better, type it into your browser’s address bar after checking that it is the actual vendor site,” advises Porolli.
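The look-alike domains and "check the URL before you download" advice above translate directly into a defensive check. The following is an added example, not ESET's tooling or code from the campaign: it compares the registrable domain of a download URL against a constructed allow-list of vendor domains and flags near misses (typosquats within two edits) or brand names hosted under a foreign domain. The vendor list, brand words and sample URLs are assumptions for illustration.

```python
"""Flag download URLs whose host looks like, but is not, a known vendor domain.

Added example; the allow-list below is constructed for illustration and a real
deployment would use the organisation's own list of approved software vendors.
"""
from urllib.parse import urlsplit

# Constructed allow-list of legitimate registrable domains (assumption).
LEGIT_DOMAINS = {"mozilla.org", "firefox.com", "whatsapp.com",
                 "signal.org", "skype.com", "telegram.org"}
# Brand words that should never appear under a domain outside the allow-list.
BRAND_WORDS = {"firefox", "mozilla", "whatsapp", "signal", "skype", "telegram"}


def registrable_domain(url: str) -> str:
    """Return the last two labels of the URL's host (adequate for .com/.org)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """'legit' for an allow-listed domain, 'lookalike' for a near miss or a brand
    name under some other domain, otherwise 'unknown'. Expects a full URL."""
    dom = registrable_domain(url)
    if dom in LEGIT_DOMAINS:
        return "legit"
    host = (urlsplit(url).hostname or "").lower()
    if any(edit_distance(dom, legit) <= 2 for legit in LEGIT_DOMAINS):
        return "lookalike"           # e.g. a digit swapped for a letter
    if any(word in host for word in BRAND_WORDS):
        return "lookalike"           # brand name on a domain the vendor does not own
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs, not indicators from the campaign.
    for u in ("https://www.mozilla.org/firefox/", "https://signa1.org/download",
              "https://telegram-zh.example/setup.exe", "https://cdn.example.com/x.exe"):
        print(classify(u), u)
```

A match on "lookalike" is a prompt for a human to verify the vendor site, not proof of malice; short registrable domains can land within two edits of each other by chance.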
For more technical information about this malware campaign, check out the blogpost “These aren’t the apps you’re looking for: Fake installers targeting Southeast and East Asia” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.
Figure: Countries where ESET detected the attacks between August 2022 and January 2023.
About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.