Google Ads drop FatalRAT malware from fake messenger, browser apps

The primary target of this malware campaign is Chinese-speaking users in East and Southeast Asia.
Find out how Google Ads have been spreading FatalRAT malware recently in fake utility, messenger and browser apps. Learn more about this alarming security issue and how to protect yourself.

Researchers from the Slovak cybersecurity firm ESET have discovered a new malware campaign targeting Chinese-speaking users in East and Southeast Asia.

According to a report published by ESET researchers, hackers are delivering remote access Trojans hidden inside malicious Google ads. These misleading ads appear in Google search results and download Trojans installers.

This should not come as a surprise, as Google Ads and Google Adsense have been abused lately to deliver malware around the world.

Researchers at ESET noted that the attackers remain unidentified. However, it is confirmed that they are targeting Chinese-speaking individuals. They have designed fake websites that look identical to popular apps like WhatsApp, Firefox, or Telegram.

Through these websites, the attackers deliver remote access Trojans, such as FatalRAT, first detected by AT&T researchers in 2021, to hijack the infected device. Some of the spoofed apps include:

  • LINE
  • Signal
  • Skype
  • Youdao
  • Electrum
  • Telegram
  • WhatsApp
  • WPS Office
  • Mozilla Firefox
  • Google Chrome
  • Sogou Pinyin Method

Researchers discovered the attacks between August 2022 and January 2023. The attack starts by purchasing an ad slot appearing in Google search results.

“The attackers purchased advertisements to position their malicious websites in the “sponsored” section of Google search results. We reported these ads to Google, and they were promptly removed,” researchers explained.

Users who search for popular apps are directed to rogue websites with typosquatting domains that host trojanized installers. These installers install the actual app as the user requires, to avoid raising suspicion.

Fake Google Chrome and Telegram websites spreading fake installers infected with FatalRat malware

The FatalRAT malware used in this campaign contains numerous commands to manipulate data from various browsers.

“The websites and installers downloaded from them are mostly in Chinese and in some cases falsely offer Chinese language versions of software that is not available in China,” researchers wrote in their technical report published today.

The downloaded installers aren’t hosted on the same server as the sites, but in Alibaba Cloud Object Storage Service, and are digitally signed MSI files. The installers were uploaded to the cloud storage on 6th January 2023.

After the malware is deployed, the attacker gains full control of the device and can execute arbitrary shell commands, run executables, steal data from web browsers, and log keystrokes.

This campaign has no specific targets, as the attackers want to steal exclusive user data, such as web credentials, to sell them on underground hacker forums or launch additional cybercrime campaigns. However, in their report, ESET researchers noted that most victims were located in the following countries:

  • China
  • Taiwan
  • Japan
  • Malaysia
  • Thailand
  • Indonesia
  • Myanmar
  • Philippines
  • Hong Kong

Detection and protection from fake malicious installers

Fake, malicious installers can be a significant threat to your computer and personal data. To detect and protect against them, here are some steps you can take:

  • First and foremost, use common sense when downloading files. Never download software, or anything else, from a third-party site. Download software only from trusted sources: Download software only from reputable websites, and avoid downloading from unverified sources.
  • Verify the authenticity of the website: Check the website’s URL for spelling errors, and look for security badges and trust seals on the site. For example, it’s, not ɢ
  • Use reliable anti-virus software: Use reliable anti-virus software and keep it updated to protect your computer from malicious software.
  • Read reviews and comments: Read reviews and comments about the software before downloading it; this will give you an idea of the software’s authenticity.
  • Scan downloaded files: Use anti-virus software to scan the downloaded file before installing it. You should also use VirusTotal to check whether the file is malicious or if the URL you are about to visit is safe.
  • Use sandboxing software: Use sandboxing software that can run the installer in a virtual environment, keeping your system safe from any potential harm.
  • Enable security features: Enable security features on your computer, such as a firewall, to prevent unauthorized access to your system.

  1. Jupyter infostealer delivered through MSI installer
  2. Fake Zoom installers infect PCs with RevCode RAT
  3. Fake 1Password installer stealing user extract data
  4. Fake Tor browser installer drop malware via YouTube
  5. Fake Windows 11 installers infecting PCs with adware
Related Posts