Google Ads Spreads FatalRAT Malware, Disguised As Popular Apps

By Adeola Adegunwa
Writer, Informationsecuritybuzz | Feb 17, 2023 03:16 am PST

According to a new study, the FatalRAT malware, which spreads via bogus websites for well-known apps, targets Chinese-speaking people. FatalRAT, which was first identified in August 2021, can record keystrokes, change the victim's screen resolution, download and run files, and steal or destroy browser data.

The researchers from the cybersecurity firm ESET have yet to link this campaign to any well-known hacker organization, and it is unclear what the attackers hope to achieve. They might be stealing data, such as web credentials, to resell on darknet markets or use in other illegal activities.

The majority of the attacks, which mostly targeted users in Taiwan, China, and Hong Kong, were noted between August 2022 and January 2023. Malaysia, Japan, the Philippines, Thailand, Singapore, Indonesia, and Myanmar also reported a limited number of cases.

FatalRAT Malware Dropped By The Malicious Installers

Hackers spread the FatalRAT malware through fake websites for well-known applications like Google Chrome, Firefox, Telegram, WhatsApp, Signal, and Skype. Some of the websites offered fake Chinese-language versions of programs, like Telegram, that are not accessible in China.

Hackers advertised the malicious websites in Google search results to get consumers to visit them. ESET said the adverts were taken down after it reported them to Google. The attackers tried to mimic the real names in the domain names of the fraudulent websites.

Additionally, some of the malicious websites were translated into Chinese and looked much like the real ones. To escape detection, the trojanized installers downloaded from the fake websites also installed the actual application on the user's device. These installers are digitally signed MSI files produced with a free Windows installer program.

The malicious installers dropped the loader and the files required to operate the FatalRAT malware, and also ran them. This campaign's FatalRAT version and the one described in 2021 "are extremely similar."

The earlier iteration of the malware was disseminated through forums and Telegram groups and concealed in malicious links to phony media content or software.

It could run various checks before fully infecting a system, looking for the presence of different virtual machine products and checking disk space and the number of physical processors. It also employed obfuscation techniques and antivirus evasion.

According to ESET, the assault might have affected anyone, given the wide variety of individuals targeted in the most recent campaign and the malware’s ability to modify data from various browsers.

Defense Against Harmful Fake Installations

Fake or malicious installers can pose a severe risk to your computer and personal data. The following are some actions you can take to find them and defend against them:

  • Use common sense when downloading files: never download anything, including software, from a third-party website. Download software only from reliable, recognized sources.
  • Check that the webpage is legitimate: look for security and trust seals on the website, and check the URL for spelling mistakes.
  • Use reputable antivirus software to safeguard your computer against harmful malware, and keep it updated.
  • Read reviews and comments about the software before installing it to understand its legitimacy.
  • Examine downloaded files before installing them: scan each one with antivirus software to determine whether the file is harmful, and check whether a URL you are about to visit is secure.
  • Use sandboxing software, which protects your system from potential damage by letting the installer execute in a virtual environment.
  • Activate security features such as a firewall on your computer to prevent unwanted access to your system.
  • Pay attention to any security alerts from your browser; many browsers have built-in security scanners that notify you before you visit a harmful website or download a file.
  • Purchase renowned software straight from the developer. Malware is more likely to be present on websites that provide a wide variety of browsers, PDF readers, and other typical applications for free.
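
One way to apply the URL check from the list above to hostnames taken from proxy or DNS logs, as an added example that is not from ESET or the original article. The allowlist of official domains is an assumption and incomplete, and the sample hostnames are constructed.

```python
# Added example: flag hostnames that imitate the apps named in this article.
# OFFICIAL is an assumed, incomplete allowlist; extend it before real use.
OFFICIAL = {
    "telegram": ("telegram.org",),
    "whatsapp": ("whatsapp.com",),
    "signal": ("signal.org",),
    "skype": ("skype.com",),
    "firefox": ("mozilla.org", "firefox.com"),
    "chrome": ("google.com",),
}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return 'official', 'lookalike:<brand>' or 'unrelated'."""
    host = host.lower().rstrip(".")
    for domains in OFFICIAL.values():
        if any(host == d or host.endswith("." + d) for d in domains):
            return "official"
    # Compare every hyphen-separated piece of every label except the TLD.
    tokens = [t for label in host.split(".")[:-1] for t in label.split("-")]
    for brand in OFFICIAL:
        for tok in tokens:
            # Brand embedded in the name, or a one-character misspelling of it.
            if brand in tok or edit_distance(tok, brand) <= 1:
                return "lookalike:" + brand
    return "unrelated"

# Constructed sample hostnames (reserved .example TLD), not campaign indicators.
SAMPLE = [
    "web.telegram.org", "telegram.org.downloads.example",
    "te1egram-zh.example", "whatsap.example",
    "firefox-download.example", "docs.python.org",
]

def review_queue(hosts):
    """Map each suspicious hostname to the brand it appears to imitate."""
    verdicts = {h: classify(h) for h in hosts}
    return {h: v.split(":", 1)[1] for h, v in verdicts.items() if v.startswith("lookalike:")}
```

Hits are candidates for analyst review rather than verdicts: a brand such as "signal" is also an ordinary word and will match unrelated sites.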


Chinese-speaking users in East and Southeast Asia are the target of a new malware campaign, according to researchers from the Slovak cybersecurity company ESET. Researchers from ESET claim that hackers are using harmful Google ads to distribute remote access Trojans. These misleading adverts show up in Google search results and might lead to Trojan software being downloaded. This should not be shocking, given the recent misuse of Google Ads and Google AdSense to spread malware around the globe.

ESET researchers observed that the attackers are still unknown. It is known, though, that they are specifically going after people who speak Chinese. They have created fake websites that mimic well-known applications like WhatsApp, Firefox, or Telegram. Attackers use these websites to spread remote access Trojans like FatalRAT, which AT&T researchers first discovered in 2021, to take control of the infected device.
