Consumers in China seeking to access banned communications apps, such as Telegram, are being targeted by threat actors seeking to deploy various malware.
This is according to a new report from Jérôme Segura of Malwarebytes, who discovered that anonymous hackers have been using two Google Ads accounts to serve malicious ads.
The accounts, both from Nigeria, were previously compromised or created from scratch for this particular use.
Without going through MFA
The accounts were used to create ads for pages purporting to be download sites for Telegram, WhatsApp, LINE, and other communication apps blocked behind China's Great Firewall. Consumers who had previously searched for these apps online were targeted and shown the ads. Those who fell into the trap and downloaded the applications ended up receiving PlugX and Gh0st RAT malware variants.
“It also appears that the threat actor favors quantity over quality by constantly pushing new payloads and infrastructure such as command and control,” Segura said in the report.
The campaign appears to be a continuation of the so-called FakeAPP, in which Hong Kong users were similarly attacked in late October last year.
Malicious ads are nothing new. Hackers are always on the hunt, not only for Google Ads accounts, but also for Facebook business accounts, which are used to run ads on the Facebook platform. Because every ad goes through multiple checks before it is allowed to run, a verified account with a history of legitimate, active campaigns increases the chances of threat actors smuggling their own campaigns through.
As always, the best way to fight back is to create strong passwords for such accounts and update them regularly. Having MFA enabled also helps. From the consumer's point of view, it is best to use common sense and be skeptical of things that sound too good to be true. Consumers should also pay attention to the URLs of the websites they visit, type addresses directly into the browser instead of searching for them whenever possible, and stay away from pirated, cracked, and jailbroken software.
Via The Hacker News