An ongoing malvertising campaign is targeting Chinese-speaking users with ads for popular messaging applications such as Telegram and LINE. Both applications are restricted in China, which is precisely what makes them effective lures: a user who cannot install the app through official channels is more likely to follow a sponsored link promising a download. The ads are served from Google advertiser accounts and send users to pages where they download Remote Administration Trojans (RATs), giving the attackers full control of the victim's machine and a foothold from which to install additional malware.
Notably, the campaign concentrates on applications that are restricted or banned, which raises questions about the threat actor's intentions; the true motives remain unclear, but data collection and espionage are plausible objectives. The actor also leans on Google's own infrastructure, hosting landing content on Google Docs and Google Sites so that the download links or redirects sit on a trusted domain rather than on an obviously malicious one. The payloads collected from the campaign are mostly MSI installers and rely on DLL side-loading: a legitimate, typically signed executable is shipped alongside a malicious DLL carrying a name the executable expects to load, so the Windows loader picks up the attacker's library from the application directory and the RAT runs inside a trusted-looking process. The technique is a long-standing favourite of RAT operators because it blends into normal process activity and inherits the host binary's reputation. Malwarebytes has notified Google about the malicious ads and reported the associated infrastructure.
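The side-loading behaviour described above leaves a recognisable pattern in image-load telemetry, and the following is an added hunting example written for this summary; it is not code from Malwarebytes or from the campaign analysis. It assumes records shaped like Sysmon Event ID 7 (ImageLoad) reduced to a few fields, and it treats a DLL as a side-loading candidate when a signed executable running from a user-writable directory loads a DLL from its own directory that is unsigned or signed by a different publisher. All paths, publisher names and events below are constructed for illustration.

```python
"""Hunting heuristic for DLL side-loading over image-load telemetry.

Added example, not part of the original write-up. Event fields mimic
Sysmon Event ID 7 (ImageLoad); sample data is constructed, not real.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where signed software legitimately loads its own DLLs.
# Anything outside these (Temp, Downloads, AppData, ...) is user-writable
# and therefore where a malvertising installer typically drops its files.
TRUSTED_ROOTS = (
    r"C:\Windows",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)


@dataclass(frozen=True)
class ImageLoad:
    process_image: str   # Sysmon "Image": the executable that loaded the DLL
    image_loaded: str    # Sysmon "ImageLoaded": the DLL that was mapped
    process_signed: bool
    process_signer: str
    dll_signed: bool
    dll_signer: str


def _under_trusted_root(directory: PureWindowsPath) -> bool:
    """Case-insensitive check that a directory sits under a protected root."""
    d = str(directory).lower().rstrip("\\")
    for root in TRUSTED_ROOTS:
        r = root.lower()
        if d == r or d.startswith(r + "\\"):
            return True
    return False


def is_sideload_candidate(ev: ImageLoad) -> bool:
    exe = PureWindowsPath(ev.process_image)
    dll = PureWindowsPath(ev.image_loaded)
    if dll.suffix.lower() != ".dll":
        return False
    # Side-loading abuses search order: a DLL beside the executable wins
    # over the copy in System32, so only same-directory loads are of interest.
    if exe.parent != dll.parent:          # PureWindowsPath compares case-insensitively
        return False
    # Signed software loading its own DLLs from its install location is normal.
    if _under_trusted_root(exe.parent):
        return False
    # The lure is a trusted (signed) host binary; an unsigned host is a
    # different, noisier problem and is left to other rules.
    if not ev.process_signed:
        return False
    # A DLL signed by the same publisher as the host is expected; anything
    # else (unsigned, or a different signer) is the side-loading signature.
    if ev.dll_signed and ev.dll_signer.lower() == ev.process_signer.lower():
        return False
    return True


def hunt(events):
    """Return the events that match the side-loading heuristic."""
    return [ev for ev in events if is_sideload_candidate(ev)]


# Constructed sample telemetry. "Example Vendor Ltd" is a placeholder publisher.
HOST = r"C:\Users\alice\AppData\Local\Temp\setup\host.exe"
SAMPLE_EVENTS = [
    # Signed host in Temp loads an unsigned DLL from its own folder: candidate.
    ImageLoad(HOST, r"C:\Users\alice\AppData\Local\Temp\setup\vendor_util.dll",
              True, "Example Vendor Ltd", False, ""),
    # Same host loads a system DLL from System32: normal.
    ImageLoad(HOST, r"C:\Windows\System32\kernel32.dll",
              True, "Example Vendor Ltd", True, "Microsoft Windows"),
    # Same host loads a DLL signed by its own publisher: normal.
    ImageLoad(HOST, r"C:\Users\alice\AppData\Local\Temp\setup\helper.dll",
              True, "Example Vendor Ltd", True, "example vendor ltd"),
    # Signed app under Program Files loading a bundled unsigned DLL: excluded.
    ImageLoad(r"C:\Program Files\ExampleApp\app.exe",
              r"C:\Program Files\ExampleApp\plugin.dll",
              True, "Example Vendor Ltd", False, ""),
    # Unsigned host with unsigned DLL: out of scope for this rule.
    ImageLoad(r"C:\Users\alice\Downloads\tool.exe",
              r"C:\Users\alice\Downloads\tool.dll",
              False, "", False, ""),
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(f"side-load candidate: {ev.process_image} -> {ev.image_loaded}")
```

The rule is deliberately narrow (signed host, user-writable directory, mismatched DLL publisher) so that it stays quiet on ordinary software; in a real deployment the trusted roots and publisher allow-list would be tuned to the environment, and the candidate DLL's hash would be pivoted into sandbox or threat-intel lookups.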