Fake Google ads try to trick users into downloading nasty malware. Here’s how to fight back

Consumers in China who want to access banned communications apps like Telegram are being targeted by threat actors looking to deploy various types of malware.

This is evident from a new report from Malwarebytes’ Jérôme Segura, who discovered that unnamed hackers used two Google Ads accounts to publish malicious ads.

The accounts, both from Nigeria, were either previously compromised or built from scratch for this specific use.

Bypass MFA

The accounts were used to create advertisements that pointed to pages posing as download sites for Telegram, WhatsApp, LINE and other communications apps banned in the countries beyond the Great Firewall. Consumers who previously searched for these apps online are targeted and shown these ads. Those who fall into the trap and download the apps end up receiving PlugX and Gh0st RAT malware variants.

“It also appears that the threat actor is choosing quantity over quality by continually pushing new payloads and infrastructure as command-and-control,” Segura said in the report.

The campaign appears to be a continuation of the campaign called FakeAPP, which targeted Hong Kong users in a similar manner in late October last year.

Malicious ads are nothing new. Hackers are always on the hunt, not just for Google Ads accounts, but also for Facebook Business accounts, which are used to serve ads on the Facebook platform. Because all ads go through multiple hoops before they’re allowed to appear, having a verified account that has run legitimate, active campaigns in the past increases the chances that threat actors can sneak their own campaigns through.

As usual, the best way to fight back is to create strong passwords for such accounts and update them regularly. It also helps if MFA is enabled. On the consumer side, it’s best to use common sense and be skeptical of things that sound too good to be true. Consumers should also pay attention to the URLs of the websites they visit, typing in the addresses instead of searching for things whenever possible, and staying away from hacked, cracked, and jailbroken software.

Via The Hacker News
