Google Ads Malware Installs FatalRat Trojans On Devices To Gain Full Control

Slovak cybersecurity researchers have discovered that Google Ads is being used by hackers to install remote access malware, such as FatalRat, to gain complete control of targeted devices.

ESET, a cybersecurity firm based in Slovakia, published a technical report this week about the new malware campaign that targets Chinese-speaking users in East and Southeast Asia, HackRead reported.

According to the researchers, hackers inject remote access Trojans into malicious Google ads that encourage users to download them to their devices.

Hackers purchase ad slots to appear in Google search results and redirect users looking for popular apps to malicious websites hosting trojan installers.

"The attackers purchased advertisements to position their malicious websites in the 'sponsored' section of Google search results. We reported these ads to Google, and they were promptly removed," ESET researchers said.

"The attackers have expended some effort regarding the domain names used for their websites, trying to be as similar to the official names as possible," the researchers added.

Cybercriminals used the FatalRat malware as it contains numerous commands to manipulate data from various browsers.

Some of the spoofed applications include Line, Signal, Skype, Youdao, Electrum, Telegram, WhatsApp, WPS Office, Mozilla Firefox, Google Chrome and Sogou Pinyin Method.

After the malware is deployed to victims' devices, the hackers gain full control of the devices and can steal data from users' web browsers, run malicious files and capture keystrokes.

The attackers would sell the stolen user data, such as web credentials, to underground hacker forums or use them for other cybercrime campaigns.

According to the report, most victims were located in China, Taiwan, Japan, Malaysia, Thailand, the Philippines, Indonesia, Myanmar and Hong Kong.

"The websites and installers downloaded from them are mostly in Chinese and in some cases falsely offer Chinese language versions of software that is not available in China," researchers wrote.

Researchers unearthed the FatalRat malware campaign between August 2022 and January 2023, but Google Ads and Google AdSense have been long exploited by hackers to deliver malware across the globe.

In December 2022, the Federal Bureau of Investigation (FBI) warned the public about regarding the same tactic.

"These advertisements have also been used to impersonate websites involved in finances, particularly cryptocurrency exchange platforms. These malicious sites appear to be real exchange platforms and prompt users to enter login credentials and financial information, giving criminal actors access to steal funds," the FBI said.

The FBI advised the public to check the URL first to ensure the website is authentic, use the business' official website URL instead of searching it and install an ad block extension to their web browsers to block malicious ads.

The FBI has also urged businesses to educate their consumers about their official websites and use domain protection services to avoid being spoofed by hackers.

It also asked victims to report fraudulent activities to their Internet Crime Complaint Center at www.ic3.gov.