{"id":23795,"date":"2024-01-25T14:10:05","date_gmt":"2024-01-25T22:10:05","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2024\/01\/25\/news-17525\/"},"modified":"2024-01-25T14:10:05","modified_gmt":"2024-01-25T22:10:05","slug":"news-17525","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/01\/25\/news-17525\/","title":{"rendered":"Malicious ads for restricted messaging applications target Chinese users"},"content":{"rendered":"\n<p>An <a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/10\/hong-kong-residents-targeted-in-malvertising-campaigns-for-whatsapp-telegram\">ongoing campaign<\/a> of malicious ads has been targeting Chinese-speaking users with lures for popular messaging applications such as Telegram or LINE with the intent of dropping malware. Interestingly, software like Telegram is heavily restricted and was previously <a href=\"https:\/\/hongkongfp.com\/2015\/07\/13\/china-blocks-telegram-messenger-blamed-for-aiding-human-rights-lawyers\/\">banned<\/a> in China.<\/p>\n<p>Many Google services, including Google search, are also either restricted or heavily censored in mainland China. Having said that, many users will try to circumvent those restrictions by using various tools such as VPNs.<\/p>\n<p>The threat actor is abusing Google advertiser accounts to create malicious ads and pointing them to pages where unsuspecting users will download Remote Administration Trojans (RATs) instead. Such programs give an attacker full control of a victim&#8217;s machine and the ability to drop additional malware.<\/p>\n<p>It may not be a coincidence that the malvertising campaigns are primarily focused on restricted or banned applications. While we don&#8217;t know the threat actor&#8217;s true intentions, data collection and spying may be one of their motives. 
In this blog post, we share more information about the malicious ads and payloads we have been able to collect.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-malicious-ads\">Malicious ads<\/h2>\n<p>Visitors to google.cn are redirected to google.com.hk where searches are said to be <a href=\"https:\/\/googleblog.blogspot.com\/2010\/03\/new-approach-to-china-update.html\">uncensored<\/a>. Doing a lookup for &#8216;telegram&#8217;, we see a sponsored search result.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"649\" height=\"271\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/01\/image_0a9279.png\" alt=\"\" class=\"wp-image-102738\" \/><\/figure>\n<p>The following description is associated with this ad:<\/p>\n<blockquote class=\"wp-block-quote\">\n<p>TeIegram official application &#8211; TeIegram Chinese version download docs.google.com https:\/\/docs.google.com \u203a 2024 \u203a Official download Latest Telegram Understand your users Androd needs and engage them with relevant personalized solutions in real time. One of the top 5 most downloaded apps in the world with over 700 million active users.<\/p>\n<\/blockquote>\n<p>Here is an ad for &#8216;LINE&#8217;:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"644\" height=\"269\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/01\/image_288ba3.png\" alt=\"\" class=\"wp-image-102741\" \/><\/figure>\n<p>Description:<\/p>\n<blockquote class=\"wp-block-quote\">\n<p>LINE is the largest communication platform that provides an end-to-end encrypted experience, allowing cross-platform communication across mobile phones, computers, tablets, etc. 
Simple, reliable, and free* private messages and calls can be used around the world.<\/p>\n<\/blockquote>\n<p>We identified two advertiser accounts behind those ads, both of them being associated with a user profile in Nigeria:<\/p>\n<ul>\n<li><a href=\"https:\/\/adstransparency.google.com\/advertiser\/AR05402290404135534593?origin=ata&amp;region=anywhere\">Interactive Communication Team Limited<\/a><\/li>\n<li><a href=\"https:\/\/adstransparency.google.com\/advertiser\/AR04771542639600205825?origin=ata&amp;region=anywhere\">Ringier Media Nigeria Limited<\/a><\/li>\n<\/ul>\n<p>Due to the number of ads for each of these accounts (including many unrelated to these campaigns), we believe they may have been taken over by the threat actors.<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1027\" height=\"766\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/01\/image_cdab8b.png?w=1024\" alt=\"\" class=\"wp-image-102556\" \/><\/figure>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1026\" height=\"769\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/01\/image_e99fcb.png?w=1024\" alt=\"\" class=\"wp-image-102557\" \/><\/figure>\n<h2 class=\"wp-block-heading\" id=\"h-infrastructure\">Infrastructure<\/h2>\n<p>This threat actor seems to rely on Google infrastructure in the form of Google Docs or Google sites. 
This allows them to insert links for the download or even redirect to other sites they control.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"845\" height=\"866\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/01\/image_55c68b.png\" alt=\"\" class=\"wp-image-102558\" \/><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"858\" height=\"684\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/01\/image_48c919.png\" alt=\"\" class=\"wp-image-102456\" \/><\/figure>\n<h2 class=\"wp-block-heading\" id=\"h-malware-payloads\">Malware payloads<\/h2>\n<p>We collected a number of payloads from this campaign, all in MSI format. Several of those used a technique known as DLL side-loading, which consists of combining a legitimate application with a malicious DLL that gets loaded automatically.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"410\" height=\"365\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/01\/image_d1bd00.png\" alt=\"\" class=\"wp-image-102571\" \/><\/figure>\n<p>In the example above, the DLL is signed with a now revoked certificate from <em>Sharp Brilliance Communication Technology Co., Ltd.<\/em> which was also recently used to sign a <a href=\"https:\/\/mahmoudzohdy.github.io\/posts\/re\/plugx\/\">PlugX RAT sample<\/a>. 
(PlugX is a RAT from China that also performs DLL side-loading).<\/p>\n<p>Not all of the dropped malware is new; some samples were previously used in other campaigns and are variants of Gh0st RAT.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-active-threat\">Active threat<\/h2>\n<p>A security website and forum frequented by Chinese users (bbs[.]kafan[.]cn) keeps track of malware from these campaigns, which they refer to as FakeAPP.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"841\" height=\"685\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/01\/image_a0b835.png\" alt=\"\" class=\"wp-image-102734\" \/><\/figure>\n<p>It also appears that the threat actor favors quantity over quality, constantly pushing new payloads and new command and control infrastructure.<\/p>\n<p>Online ads are an effective way to reach a certain audience, and of course they can be misused as well. People (such as activists) who live in countries where encrypted communication tools are banned or restricted will attempt to bypass these measures. It appears that a threat actor is luring potential victims with such ads.<\/p>\n<p>The payloads are consistent with threats observed in the South Asia region, and we see similar techniques such as DLL side-loading, which is quite popular with many RATs. This type of malware is ideal for gathering information about someone and silently dropping additional components if and when necessary.<\/p>\n<p>We have notified Google regarding the malicious ads and have reported the supporting infrastructure to the relevant parties.<\/p>\n<p>Malwarebytes detects the malicious payloads upon execution. 
<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"476\" height=\"302\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/01\/image_996698.png\" alt=\"\" class=\"wp-image-102823\" \/><\/figure>\n<h2 class=\"wp-block-heading\" id=\"h-indicators-of-compromise\">Indicators of Compromise<\/h2>\n<p>Fake domains<\/p>\n<pre class=\"wp-block-preformatted\">telagsmn[.]com<br>teleglren[.]com<br>teleglarm[.]com<\/pre>\n<p>Redirectors<\/p>\n<pre class=\"wp-block-preformatted\">5443654[.]site<br>5443654[.]world<\/pre>\n<p>Payloads<\/p>\n<pre class=\"wp-block-preformatted\">CS-HY-A8-bei.msi 63b89ca863d22a0f88ead1e18576a7504740b2771c1c32d15e2c04141795d79a<br>w-p-p64.msi a83b93ec2a5602d102803cd02aecf5ac6e7de998632afe6ed255d6808465468e<br>mGtgsotp_zhx64.msi acf6c75533ef9ed95f76bf10a48d56c75ce5bbb4d4d9262be9631c51f949c084<br>cgzn-tesup.msi ec2781ae9af54881ecbbbfc82b34ea4009c0037c54ab4b8bd91f3f32ab1cf52a<br>tpseu-tcnz.msi c08be9a01b3465f10299a461bbf3a2054fdff76da67e7d8ab33ad917b516ebdc<\/pre>\n<p>C2s<\/p>\n<pre class=\"wp-block-preformatted\">47.75.116[.]234:19858<br>216.83.56[.]247:36061<br>45.195.148[.]73:15628<\/pre>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2024\/01\/malicious-ads-for-restricted-messaging-applications-target-chinese-users\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> Chinese-speaking users looking for Telegram or LINE are being targeted with malicious ads. Instead of downloading the legitimate application, they install malware. 
<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[17594,10531,12040],"class_list":["post-23795","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-chinese","tag-malvertising","tag-threat-intelligence"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23795","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=23795"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23795\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=23795"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=23795"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=23795"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}