Malicious Google Ads Target Users with Fake Messaging Apps

A persistent malvertising campaign dubbed FakeAPP has resurfaced, targeting Chinese-speaking users through deceptive Google ads promoting restricted messaging apps like Telegram. The researcher revealed in a recent report that threat actors are exploiting Google advertiser accounts to create and disseminate malicious ads, directing unsuspecting users to download Remote Administration Trojans (RATs). These malicious programs grant attackers full control over victims’ machines and the ability to introduce additional malware.

The FakeAPP campaign is an extension of a previous attack wave that initially targeted Hong Kong users searching for messaging apps like WhatsApp and Telegram on search engines in late October 2023. The latest phase of the campaign includes the messaging app LINE, redirecting users to fraudulent websites hosted on Google Docs or Google Sites.

The attackers leverage Google’s infrastructure to embed links leading to other sites under their control, delivering the malicious installer files responsible for deploying trojans like PlugX and Gh0st RAT. The researcher traced the fraudulent ads back to two advertiser accounts, Interactive Communication Team Limited and Ringier Media Nigeria Limited, both based in Nigeria. Notably, the threat actor prioritizes quantity over quality, continually introducing new payloads and infrastructure as part of their command-and-control strategy.

In a separate development, the researcher uncovered a surge in the use of a phishing-as-a-service (PhaaS) platform named Greatness, targeting Microsoft 365 users. This platform allows cybercriminals to create authentic-looking credential harvesting pages, offering personalization features such as sender names, email addresses, subjects, messages, attachments, and QR codes. Priced at $120 per month, Greatness facilitates attacks at scale by providing anti-detection measures like randomizing headers, encoding, and obfuscation to bypass spam filters and security systems.

The researcher highlighted a concerning trend of phishing attacks involving Greatness, where malicious HTML attachments in phishing emails direct recipients to fake login pages capturing their credentials, subsequently transmitted to threat actors via Telegram. The phishing emails often employ tactics like spoofing trusted sources, such as banks or employers, and creating a false sense of urgency with subjects like “urgent invoice payments” or “urgent account verification required.”

Furthermore, phishing attacks have been observed targeting South Korean companies, using lures that impersonate tech companies like Kakao. These attacks distribute AsyncRAT through malicious Windows shortcut (LNK) files disguised as legitimate documents. Users can easily mistake the shortcut files for ordinary documents, because Windows Explorer does not display the ‘.LNK’ extension, so a file named like a document shows only the document-style name. The number of victims remains unknown, but these coordinated and sophisticated phishing tactics underscore the evolving threat landscape.
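As an added example from a defender's side (not code from the report or from any of the campaigns it describes), the check below identifies shortcut files by their ShellLinkHeader rather than by name, so a file displayed as a document but actually a shortcut is flagged regardless of how Explorer renders it; the document-extension list and the sample headers are constructed assumptions.

```python
"""Flag Windows shortcut (.lnk) files that masquerade as documents.

Explorer never shows the .lnk suffix, so 'invoice.pdf.lnk' appears as 'invoice.pdf'.
Files are identified by the MS-SHLLINK ShellLinkHeader, not by their name.
"""
import struct
from pathlib import PurePath

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7  # ShowCommand that keeps the launched window minimised
# Assumed list of extensions a user would read as "a document"
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".hwp", ".txt", ".ppt", ".pptx"}


def is_shell_link(data: bytes) -> bool:
    """True if the bytes begin with a valid 76-byte ShellLinkHeader."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def classify(name: str, data: bytes) -> list[str]:
    """Return the reasons a file (name plus leading bytes) looks like a disguised shortcut."""
    reasons = []
    if not is_shell_link(data):
        return reasons  # not a shortcut at all, nothing to flag here
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    if not suffixes or suffixes[-1] != ".lnk":
        reasons.append("shell link without .lnk extension")
    elif len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
        reasons.append(f"shell link displayed as {suffixes[-2]} document")
    show_cmd = struct.unpack_from("<I", data, 60)[0]  # ShowCommand field at offset 0x3C
    if show_cmd == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand=SW_SHOWMINNOACTIVE (launch window hidden)")
    return reasons


def make_header(show_cmd: int) -> bytes:
    """Constructed minimal ShellLinkHeader (header only, no link body) for testing."""
    return (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
            + struct.pack("<IIQQQIII", 0, 0, 0, 0, 0, 0, 0, show_cmd)
            + struct.pack("<HHII", 0, 0, 0, 0))


if __name__ == "__main__":
    samples = {"invoice.pdf.lnk": make_header(SW_SHOWMINNOACTIVE),
               "shortcut.lnk": make_header(1), "report.pdf": b"%PDF-1.7" + b"\x00" * 80}
    for fname, blob in samples.items():
        print(fname, "->", classify(fname, blob) or "clean")
```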

To mitigate the risks associated with malvertising campaigns like FakeAPP, users should exercise caution when clicking on online ads, especially those promoting software downloads. Employing ad blockers and keeping antivirus software updated can add an extra layer of protection against malicious ads. Additionally, organizations should invest in advanced threat detection solutions to identify and block malvertising attempts across their networks.