Malwarebytes Exposes Malicious Google Ads Campaign Targeting Chinese Speakers

Security experts from Malwarebytes have recently uncovered a malicious campaign targeting Chinese-speaking users, who fell victim to cybercriminals through the Google Ads advertising service.

Cybercriminals exploited Google advertiser accounts to create fraudulent ads that redirected users to web pages from which a Remote Access Trojan (RAT) was downloaded. Such a program gives attackers complete control over the victim’s computer and lets them install additional malicious applications.

The campaign, dubbed FakeAPP, is an extension of attacks initiated in October 2023 against users in Hong Kong attempting to download messaging applications like WhatsApp and Telegram.


During the attack, users are redirected to fake websites hosted on platforms like Google Docs and Google Sites. Google’s infrastructure is employed to embed links to sites controlled by the attackers for downloading trojan installers, such as PlugX and Gh0st RAT.

In the latest version of the campaign, the target audience has been expanded to include another popular messenger app, LINE, as new bait.
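For defenders, the redirect pattern described above (a Google Docs or Google Sites landing page that hands off to an installer download on another host) can be hunted for in web proxy logs. The following is an added example, not code from Malwarebytes or from the article; the log format, the allowlist of vendor domains and all sample log lines are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

# Assumption: domains a defender accepts as legitimate download sources for
# the three messengers named in the article. Replace with your own allowlist.
OFFICIAL_SUFFIXES = ("whatsapp.com", "telegram.org", "line.me")
# Google-hosted page services the article says were used as landing pages.
LANDING_HOSTS = {"docs.google.com", "sites.google.com"}
INSTALLER_EXTS = (".exe", ".msi", ".zip")

# Constructed proxy log lines in an assumed format: "timestamp client url referrer"
SAMPLE_LOG = """\
2024-01-10T09:01:02Z 10.0.0.5 https://sites.google.com/view/constructed-page https://www.google.com/
2024-01-10T09:01:09Z 10.0.0.5 https://downloads.example.net/setup/whatsapp-win.exe https://sites.google.com/view/constructed-page
2024-01-10T09:05:40Z 10.0.0.7 https://www.whatsapp.com/constructed/WhatsAppSetup.exe https://www.whatsapp.com/download
2024-01-10T09:07:30Z 10.0.0.8 https://files.example.org/tg/telegram_setup.msi https://docs.google.com/document/d/constructed/edit
2024-01-10T09:09:00Z 10.0.0.9 https://cdn.example.com/report.pdf https://sites.google.com/view/other
"""

def host_matches(host, suffixes):
    """True if host equals a suffix or is a subdomain of it (no substring tricks)."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def find_suspicious_downloads(log_text):
    """Return (timestamp, client, host, path) for installer downloads that were
    referred by a Google Docs/Sites page but served from a non-allowlisted host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or truncated lines
        ts, client, url, referrer = parts
        target = urlparse(url)
        host = (target.hostname or "").lower()
        ref_host = (urlparse(referrer).hostname or "").lower()
        is_installer = target.path.lower().endswith(INSTALLER_EXTS)
        if (is_installer and ref_host in LANDING_HOSTS
                and not host_matches(host, OFFICIAL_SUFFIXES)):
            hits.append((ts, client, host, target.path))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_downloads(SAMPLE_LOG):
        print("review:", *hit)
```

Referrer headers can be stripped or rewritten in transit, so a match is a lead for triage and the absence of a match proves nothing.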

Malwarebytes traced the fraudulent ads back to two advertiser accounts: Interactive Communication Team Limited and Ringier Media Nigeria Limited, based in Nigeria. It is noted that cybercriminals prefer quantity over quality, continually updating their list of malicious programs and expanding their infrastructure.

Overall, Google Ads is a popular tool exploited by cybercriminals worldwide. Recently, we reported on how sponsored Google ads are used by hackers to distribute free Windows software, into which malicious code is deliberately embedded.

To avoid falling victim to similar attacks, users should exercise caution online — verify links, files, and applications before downloading, and utilize antivirus software.