Security researchers have uncovered a new malware campaign that has been targeting Chinese speakers throughout east and south-east Asia.
The threat actors, who so far remain unknown, offered Chinese-language versions of legitimate software whose installers also dropped a remote access trojan onto the victim's device. Most attacks took place in China, Taiwan, and Hong Kong, but Thailand, Malaysia, and Singapore were also affected.
The attack hinged on advertisements pointing to look-alike sites for popular applications such as Chrome, Firefox, and Telegram, placed in the sponsored section of Google search results. Some of that software is not officially available in China, which makes such an offer all the more attractive to users who want access to programs like Telegram.
“We couldn’t reproduce such search results,” said researchers at ESET in a blog post, “but believe that the ads were only served to users in the targeted region”.
All the fake domains registered for the campaign were close in spelling to the originals, a form of typosquatting; for instance, telegraem[.]org versus telegram.org.
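A defender's check for the kind of look-alike domain described above, written as an added example here and not part of ESET's research or tooling: it normalises defanged names such as telegraem[.]org, skips a short allow-list of legitimate domains, and flags any registrable label within a small edit distance of a protected brand name. The brand list, the allow-list, the one-label-TLD assumption and the DNS log lines are all constructed for the example.

```python
# Added example: flag typosquatted domains near a list of protected brand
# names using Levenshtein distance. Everything below (brands, allow-list and
# the sample DNS log) is constructed for illustration.

BRANDS = ["telegram", "chrome", "firefox"]          # names worth protecting
LEGIT = {"telegram.org", "google.com", "mozilla.org"}  # genuine download domains
MAX_DISTANCE = 2                                     # edits allowed before we stop caring


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Undo defanging ('[.]' and 'hxxp') and lower-case the name."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def registrable_label(domain: str) -> str:
    """Label left of the TLD. Assumes one-label TLDs (.org, .com); no public-suffix list."""
    labels = normalise(domain).split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike(domain: str, max_distance: int = MAX_DISTANCE):
    """Return (brand, distance) if `domain` imitates a protected brand, else None."""
    name = normalise(domain)
    if name in LEGIT:
        return None
    label = registrable_label(name)
    for brand in BRANDS:
        if brand in label:                 # e.g. telegram-download.net
            return (brand, 0)
        d = levenshtein(label, brand)
        if d <= max_distance:              # e.g. telegraem.org -> telegram (1 edit)
            return (brand, d)
    return None


# Constructed DNS query log: "<time> <client> <qtype> <qname>" per line.
SAMPLE_LOG = """\
2000-01-01T00:00:01Z 10.0.0.5 A telegraem[.]org
2000-01-01T00:00:07Z 10.0.0.5 A telegram.org
2000-01-01T00:01:44Z 10.0.0.9 A firefoks.net
2000-01-01T00:02:02Z 10.0.0.9 A example.com
"""


def scan_log(log_text: str):
    """Yield (qname, brand, distance) for every queried name that looks like a brand."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        qname = normalise(fields[3])
        match = lookalike(qname)
        if match:
            hits.append((qname, match[0], match[1]))
    return hits


if __name__ == "__main__":
    for qname, brand, dist in scan_log(SAMPLE_LOG):
        print(f"{qname} looks like {brand} (distance {dist})")
```

The allow-list matters: without it the genuine telegram.org has distance 0 to its own brand and would be the first thing flagged. A real deployment would replace the one-label-TLD shortcut with a public-suffix lookup and add homoglyph normalisation (for example Cyrillic letters that render like Latin ones), which plain edit distance does not catch.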
The malware uses several techniques to obfuscate itself, yet the code also contains a few mistakes, such as installing some components into the wrong subdirectories.
Nonetheless the actual malicious payload, the FatalRAT trojan, is still installed. It can execute shell commands, steal data from a range of browsers (including Chrome and Firefox, as well as two Chinese-language browsers), capture keystrokes, and change the screen resolution.
FatalRAT is at least two years old, and a number of variants have been noted in circulation by security researchers.
“It is possible that the attackers are solely interested in the theft of information like web credentials to sell them on underground forums or to use them for another type of crimeware campaign,” ESET’s researchers conclude, “but for now, specific attribution of this campaign to a known or new threat actor is not possible”.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.