Consumers in China looking to access banned communications apps such as Telegram are being targeted by threat actors looking to deploy various malware.

This is according to a new report from Malwarebytes’ Jérôme Segura, who found unnamed hackers have been using two Google Ads accounts to publish malicious ads. 

The accounts, both from Nigeria, were either previously compromised, or built from scratch for this particular use.

Bypassing MFA

The accounts were used to create ads pointing to pages pretending to be download sites for Telegram, WhatsApp, LINE, and other communications apps forbidden in the lands beyond the Great Firewall. Consumers who were previously searching for these apps online are targeted, and being displayed these ads. Those who fall for the trap and download the apps end up receiving PlugX and Gh0st RAT malware variants. 

“It also appears that the threat actor privileges quantity over quality by constantly pushing new payloads and infrastructure as command-and-control,” Segura said in the report. 

The campaign seems to be a continuation of the campaign called FakeAPP, which saw Hong Kong users targeted in a similar manner, in late October last year. 

Malicious ads are nothing new. Hackers are always on the hunt, not just for Google Ads accounts, but also for Facebook Business accounts, used to run ads on the Facebook platform. As all ads go through multiple hoops before they are allowed to run, having a verified account that already had legitimate, active campaigns, in the past, increases the chances for threat actors to smuggle their own campaigns. 

As usual, the best way to fight back is to create strong passwords for such accounts, and update them regularly. Having MFA enabled also helps. On the consumer side of things, it’s best to use common sense and be skeptical of things sounding too good to be true. Consumers should also mind the URL of the websites they’re visiting, type in the addresses instead of searching for things whenever possible, and stay away from hacked, cracked, and jailbroken software.

Via The Hacker News

More from TechRadar Pro

Services MarketplaceListings, Bookings & Reviews

Entertainment blogs & Forums