
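Will ChatGPT Start Writing Killer Malware?

ChatGPT's performance is astonishing. We can now use artificial intelligence to do much more, such as homework answers, research papers, legal advice, medical diagnoses and so on. It is constantly observing the human world, and it is time for us to think from another angle: will it start writing killer malware?

ESET cybersecurity experts consider ChatGPT impressive. Although it is very good at generating and improving code, we are still a long way from "malware generated entirely by AI". For now, the three areas where it is most likely to be used are:

1) Phishing
Analyzing more data and crafting tailored emails, which is expected to raise click-through rates.

2) Ransom negotiation automation
Adding ChatGPT capabilities to communications, reducing the attacker's workload during negotiations.

3) Phone scams
As natural language generation becomes more widespread, phone scams are expected to become more common.

All of this sounds like something from the future and will not happen all at once, but criminals will certainly keep getting better, and we will have to see how to meet the challenge.

About Version 2

Version 2 Digital is an Asia-based value-added distributor and IT developer. The company distributes and develops a variety of IT products in areas including cybersecurity, cloud, data protection, endpoints, infrastructure, system monitoring, storage, network management, business productivity and communication products. Through its extensive network of channels, points of sale, resellers and partners, Version 2 provides products and services that are widely acclaimed in the market. Version 2's sales network covers Taiwan, Hong Kong, Macau, mainland China, Singapore, Malaysia and other Asia-Pacific regions, with customers from all industries, including Global 1000 multinational enterprises, listed companies, public utilities, healthcare, finance, educational institutions, government departments, countless successful SMEs, and consumer-market customers from cities across Asia.

About ESET
Founded in 1992, ESET is a global provider of computer security software for businesses and individual users. Its award-winning product, the NOD32 antivirus system, provides real-time protection for computer systems against known and unknown viruses, spyware, rootkits and other malware. ESET NOD32 uses the fewest system resources, has the fastest detection speed, provides the most effective protection, and has won more Virus Bulletin 100 awards than any other antivirus product. ESET has been named to Deloitte's Technology Fast 500 for five consecutive years and has an extensive partner network including internationally known companies such as Canon, Dell and Microsoft. It has offices in Bratislava (Slovakia), Bristol (UK), Buenos Aires (Argentina), Prague (Czech Republic), San Diego (USA) and elsewhere, with agencies covering more than 100 countries worldwide.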


How to Secure Building Management Systems

As infrastructure modernizes, building management systems (BMS) are becoming increasingly sophisticated. They provide automation, control and management of the physical environment of buildings, and for them to operate reliably, you need to ensure their security. This can be crucial in some buildings, such as hospitals. What can you do to make buildings safer?

An Introduction to BMS

BMS stands for Building Management System. It is a computer-based system that controls and monitors a building’s mechanical and electrical equipment, such as heating, ventilation, and air conditioning (HVAC), lighting, and other building systems. There are several common BMSs used in buildings today, each with its own specific features and capabilities. These include:
  • Siemens Desigo
  • Johnson Controls Metasys
  • Honeywell WEBs
  • Schneider Electric Andover Continuum
  • Trane Tracer
  • Delta Controls
There are many more systems and the choice of BMS depends on the specific requirements of the building and the needs of the building owner or operator. However, they have one thing in common – the BACnet protocol is frequently used between these systems and HVAC-endpoints.

BACnet Protocol: Essential for Building Management Systems Security

The Building Automation and Control Network (BACnet) protocol is a communication protocol that is widely used in building automation and control systems for HVAC, lighting, and other building systems. BACnet was designed to provide a standard way for different building systems to communicate and share data, and is now used in thousands of buildings worldwide. One of the key features of BACnet is its support for security. BACnet includes several security features to protect against unauthorized access, tampering, and other types of attacks. These features include:
  • Authentication: BACnet supports the use of passwords and other forms of authentication to ensure that only authorized users can access the building automation and control systems.
  • Encryption: BACnet supports the use of encryption to protect the confidentiality and integrity of data as it is transmitted between different devices and systems.
  • Access control: BACnet includes features to restrict access to specific objects and properties within the building automation and control systems. This allows building operators to control who can access and control different systems within the building.
  • Auditing: BACnet includes the capability to record and log all access to the building automation and control systems. This allows building operators to detect and investigate any unauthorized access or tampering.
Despite these security features, the BACnet protocol has some security weaknesses. For example, some security experts have raised concerns about the use of static passwords for authentication, which can be easily guessed or cracked by attackers. Additionally, BACnet does not include support for security certificates or other forms of digital authentication, which can make it more difficult to ensure that devices are communicating with the correct systems. Another concern with BACnet security is that its security features are not widely implemented. Many building automation and control systems using BACnet do not have security features enabled or are configured in an insecure way. This leaves them vulnerable to attacks and can make it easy for unauthorized users to gain access to sensitive systems and data.
BACnet is a communication protocol that is widely used in building automation and control systems, and provides several security features to protect against unauthorized access and tampering. However, there are some concerns about the security of the protocol, particularly regarding the use of static passwords and the lack of wide implementation of security features. It is important for building operators to be aware of these security risks and to take steps to secure their building automation and control systems, such as regularly changing passwords, enabling encryption, and monitoring for suspicious activities.

Risk Mitigation in BMS Security

One of the most important aspects of risk mitigation is the visualization of the flows from and to a BMS, whether it is executed via BACnet or a different OT-protocol. This allows a user to optimize their network configuration, mitigating the risks of:
  • Static passwords
  • Lack of certificates
  • Disabled security features on various BACnet-enabled assets
One tool you can use for the flow visualization is GREYCORTEX Mendel, which has protocol parsers and BMS-asset identification built into its core.
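
As an added illustration of the flow inventory described above (this is not GREYCORTEX Mendel code and not part of the original article), the sketch below parses the BACnet/IP headers of captured UDP payloads, counts who talks to whom with which service, and lists state-changing requests that come from hosts outside an allowlist. The addresses, the allowlist and the sample payloads are constructed for the example.

```python
from collections import Counter

NPDU_FUNCS = {0x04, 0x0A, 0x0B}  # BVLC: Forwarded, Original-Unicast, Original-Broadcast
CONFIRMED = {12: "ReadProperty", 15: "WriteProperty", 16: "WritePropertyMultiple",
             17: "DeviceCommunicationControl", 20: "ReinitializeDevice"}
UNCONFIRMED = {0: "I-Am", 8: "Who-Is"}
STATE_CHANGING = {CONFIRMED[c] for c in (15, 16, 17, 20)}

def parse_service(payload: bytes):
    """Name the BACnet service in one BACnet/IP UDP payload, or None if malformed."""
    try:
        ok = payload[0] == 0x81 and payload[1] in NPDU_FUNCS
        if not ok or int.from_bytes(payload[2:4], "big") != len(payload):
            return None                         # BVLC length must match the datagram
        off = 10 if payload[1] == 0x04 else 4   # Forwarded-NPDU adds origin IP:port
        if payload[off] != 0x01:                # NPDU protocol version
            return None
        control, off = payload[off + 1], off + 2
        if control & 0x20:                      # DNET(2) DLEN(1) DADR(DLEN)
            off += 3 + payload[off + 2]
        if control & 0x08:                      # SNET(2) SLEN(1) SADR(SLEN)
            off += 3 + payload[off + 2]
        if control & 0x20:                      # hop count follows when DNET is present
            off += 1
        if control & 0x80:                      # network-layer message, no APDU
            return "network-layer-message"
        apdu = payload[off:]
        pdu_type = apdu[0] >> 4
        if pdu_type == 0:                       # Confirmed-Request
            svc = apdu[5 if apdu[0] & 0x08 else 3]  # segmented adds seq + window
            return CONFIRMED.get(svc, f"confirmed-{svc}")
        if pdu_type == 1:                       # Unconfirmed-Request
            return UNCONFIRMED.get(apdu[1], f"unconfirmed-{apdu[1]}")
        return f"pdu-type-{pdu_type}"
    except IndexError:                          # truncated header
        return None

def summarize(packets, authorized_writers):
    """Count (src, dst, service) flows; list state-changing requests from other hosts."""
    flows, alerts = Counter(), []
    for src, dst, payload in packets:
        svc = parse_service(payload)
        if svc is not None:
            flows[(src, dst, svc)] += 1
            if svc in STATE_CHANGING and src not in authorized_writers:
                alerts.append((src, dst, svc))
    return flows, alerts

# Constructed UDP/47808 payloads; every address below is made up for the example.
BMS, CTRL, OTHER = "10.0.10.5", "10.0.20.11", "10.0.30.99"
WRITE = bytes.fromhex("810a001801040005020f0c0080000119553e4441a800003f")
SAMPLE = [
    (BMS, "10.0.20.255", bytes.fromhex("810b000c0120ffff00ff1008")),    # Who-Is
    (BMS, CTRL, bytes.fromhex("810a001101040005010c0c02000008194d")),   # ReadProperty
    (BMS, CTRL, WRITE), (OTHER, CTRL, WRITE),                           # WriteProperty
]

if __name__ == "__main__":
    print(summarize(SAMPLE, authorized_writers={BMS}))
```

In the sample, the write from the host outside the allowlist is the only entry returned for review; the same write from the BMS server is counted as a normal flow.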

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About GREYCORTEX
GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.

Fake installers for popular apps targeting Southeast and East Asia with dangerous Trojan, ESET Research discovers

  • ESET researchers discovered a malware campaign that targets Chinese-speaking people in Southeast and East Asia.
  • The attackers purchased advertisements to position their malicious websites in the “sponsored” section of Google search results. ESET reported these ads to Google and they were promptly removed.
  • The websites and installers downloaded from them are mostly in Chinese and, in some cases, falsely offer Chinese-language versions of software that is not available in China.
  • We observed victims mostly in Southeast and East Asia, suggesting that the advertisements were targeting that region.
  • The malware delivered by this campaign is FatalRAT, a remote access Trojan that provides a set of functionalities to perform various malicious activities on a victim’s computer.

BRATISLAVA, MONTREAL — February 16, 2023 — ESET researchers discovered a malware campaign that targets Chinese-speaking people in Southeast and East Asia by buying misleading advertisements to appear in Google search results that lead to downloading Trojanized installers. The unknown attackers created fake websites that look identical to those of popular applications such as Firefox, WhatsApp, Signal, Skype, and Telegram, but in addition to providing the legitimate software, also deliver FatalRAT, a remote access Trojan that grants the attacker control of the victimized computer. The attacks affected users mostly in mainland China, Hong Kong, and Taiwan, but also in Southeast Asia and Japan.

FatalRAT provides a set of functionalities to perform various malicious activities on a victim’s computer. Among other capabilities, the malware can capture keystrokes, steal or delete data stored by some browsers, and download and execute files. ESET Research observed these attacks between August 2022 and January 2023, but according to our telemetry, previous versions of the installers have been used since at least May 2022.

The attackers registered various domain names that all pointed to the same IP address: a server hosting multiple websites that download Trojanized software. Most of these websites look identical to their legitimate counterparts but deliver malicious installers instead. The other websites, possibly translated by the attackers, offer Chinese-language versions of software that is not available in China, such as Telegram. While, in theory, there are many possible ways that potential victims can be directed to these fake websites, a Chinese-language news site reported that they were being shown an advertisement that led to one of these malicious websites when searching for the Firefox browser in Google. The attackers purchased advertisements to position their malicious websites in the “sponsored” section of Google search results; we reported these ads to Google and they were promptly removed.

“Although we couldn’t reproduce such search results, we believe that the ads were only served to users in the targeted region,” explains Matías Porolli, the ESET researcher who discovered the campaign. “Since many of the domain names that the attackers registered for their websites are very similar to the legitimate domains, it is also possible that the attackers rely on URL hijacking to attract potential victims to their websites,” he adds.

“It is possible that the attackers are solely interested in the theft of information like web credentials to sell them on underground forums, or to use them for another type of crimeware campaign, but for now, specific attribution of this campaign to a known or new threat actor is not possible,” elaborates Porolli. “Finally, it is important to check the URL that we are visiting before we download software. Even better, type it into your browser’s address bar after checking that it is the actual vendor site,” advises Porolli.

For more technical information about this malware campaign, check out the blogpost “These aren’t the apps you’re looking for: Fake installers targeting Southeast and East Asia” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

Countries where ESET detected the attacks between August 2022 and January 2023


About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

ESET launches ESET Cyber Security for macOS v7.3 with native ARM support

BRATISLAVA, February 14, 2023 - ESET, a global leader in cybersecurity, today announces several enhancements to its popular ESET Cyber Security for macOS product line, designed to provide essential protection for Apple users from a variety of modern-day cyber threats. ESET Cyber Security for macOS v7.3 now features native support for ARM and automatic updates to ensure optimal protection at all times.

ARM has become increasingly popular as a chipset in recent years due to its ability to boost performance whilst keeping energy waste to a minimum, so much so that the ARM-based mobile computing market now outperforms the legacy x86-based mobile computing market in both revenue and units.

“We’ve been working on native support for ARM for some time, to enhance the protection we can provide customers that rely upon Apple devices,” comments Mária Trnková, vice president of ESET’s Consumer and IoT segment. “The changes we have made to the underlying architecture of ESET Cyber Security for macOS bring greater stability and higher performance, making scanning quicker and more efficient than ever before.”

The new underlying ESET Cyber Security for macOS architecture is based on micro-services, meaning components run in a more secure and performance-optimal manner. This provides higher stability and resiliency, and the solution is also more lightweight than ever before. Micro-services are lighter on resources, helping to save battery life. In other words, each component of ESET Cyber Security for macOS starts only when needed and runs for its allotted time, after which it is automatically deactivated, helping to save on device resources.

The new automatic updates component of ESET Cyber Security for macOS ensures that users are provided with optimal protection, allowing the solution to find and download updates as soon as they are released.

The latest version of ESET Cyber Security for macOS also boasts an improved multilanguage installer that contains 24 different support languages. Language is set according to the system language upon installation, and the user can subsequently change it by using the macOS language and region settings. This streamlines installation and provides peace of mind for the user.

There is also a redesigned graphical user interface (GUI) for ESET Cyber Security for macOS v7.3 that fully supports dark mode in HiDPI, thus saving on device resources. Further advanced configuration will become available later in 2023.

ESET Cyber Security for macOS v7.3 includes several other components of ESET’s award-winning functionality that users have come to expect, including:

  • Anti-Phishing – protecting users against malicious HTTP websites attempting to acquire their sensitive information, whether that be usernames, passwords, banking information or credit card details
  • Antivirus and Antispyware – eliminating all types of modern-day threats, including viruses, worms and spyware
  • Cross-platform Protection – stopping malware from spreading from macOS to Windows endpoints and vice versa. This prevents a user's macOS from being turned into an attack platform for Windows-targeted threats
  • ESET LiveGrid® technology – whitelisting safe files based on a file reputation database in the cloud
  • Web and Email Scanning – scanning websites during browsing and checking all incoming emails for viruses and other threats

“ESET Cyber Security for macOS v7.3 includes multiple layers of real-time protection, anti-phishing and web and email protection that ensure peace of mind for Apple users when browsing online,” comments Mária Trnková. “Powered by the advanced ESET LiveGrid® technology, the solution combines speed, accuracy and minimal system impact, leaving more system resources for consumer needs.”

Further information can be found here.
