Severity: High

Summary of Research:

An ongoing, aggressive malvertising campaign uses deceptive Google ads promoting banned messaging apps such as Telegram to target Chinese-speaking users. The attackers run the malicious ads through Google advertiser accounts under their control. When users click on these ads, they are redirected to websites that silently download remote access Trojans (RATs) onto their devices, giving the attackers full control of the victim's machine.

Known as "FakeAPP", the campaign is an extension of an attack first detected in October 2023, which targeted users in Hong Kong searching for messaging platforms such as WhatsApp and Telegram. The latest wave has expanded to include the LINE messaging app and directs users to fake websites hosted on Google Docs or Google Sites. From these Google-hosted pages, the attackers insert links to other websites under their control, which deliver malicious installer files that drop trojans such as Gh0st RAT and PlugX.

The investigators found that these fraudulent ads were linked to two advertiser accounts in Nigeria. The threat actors seem to prioritize quantity over quality, constantly introducing new malicious payloads and new command-and-control (C2) infrastructure.

Separately, a phishing-as-a-service (PhaaS) platform known as "Greatness" has been observed. A notable improvement in the usability of the platform is the creation of credential-harvesting pages that realistically mimic legitimate Microsoft 365 login portals, targeting unsuspecting users.

The tool lets threat actors customize a variety of message attributes such as sender name, email subject line, sender address, message content, attachments, and QR codes. Anti-detection features such as encoding, header randomization and obfuscation are built in, making it easier to evade spam filters and security measures. Available for purchase on the Dark Web for $120 per month, Greatness lowers the barrier to entry, allowing attacks to be carried out at scale.

The attack sequence begins with phishing emails containing malicious HTML attachments. When recipients open these attachments, they are redirected to fake login pages designed to collect their credentials, which are then sent to the threat actor via Telegram. Alternatively, the attachments can carry malware that compromises the victim's system and facilitates data theft.

To make the phishing campaign more effective, the emails are disguised as urgent communications from trusted institutions such as banks or employers. They create a sense of urgency with subject lines such as "invoice payable immediately" or "requires proof of account immediately." The exact number of victims is still unknown; however, Greatness advertises itself as widely used and is supported by its Telegram community, which offers guidance on usage along with other options.

Recently, researchers have noticed an increase in phishing attacks against South Korean companies. This campaign uses fraudulent lures masquerading as technology companies to distribute AsyncRAT via malicious Windows shortcut (LNK) files. Shortcut files have emerged as a preferred delivery tactic for threat actors. Because Windows hides the .LNK extension in file names, users may mistake these shortcuts for regular documents.
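As an added defender-side check for the hidden-extension trick described above (example code written for this advisory, not from the original report), the following Python script identifies shortcut files by their ShellLink header rather than by name and flags double-extension names such as invoice.pdf.lnk; the document extension list, the HasArguments heuristic and the constructed sample header are assumptions.

```python
import os
import struct
import uuid

# A ShellLink file starts with HeaderSize 0x4C followed by the fixed ShellLink CLSID.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
HAS_ARGUMENTS = 0x20   # LinkFlags bit: the shortcut carries command-line arguments
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".hwp"}  # assumed list


def is_lnk(data: bytes) -> bool:
    """True if the bytes begin with a valid ShellLink header, whatever the name says."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    clsid = uuid.UUID(bytes_le=data[4:20])   # GUID is stored in little-endian layout
    return header_size == LNK_HEADER_SIZE and clsid == LNK_CLSID


def link_flags(data: bytes) -> int:
    """LinkFlags: a 32-bit little-endian field at offset 20 of the header."""
    return struct.unpack_from("<I", data, 20)[0]


def looks_like_document(filename: str) -> bool:
    """'invoice.pdf.lnk' is displayed as 'invoice.pdf' once Explorer hides .lnk."""
    stem, ext = os.path.splitext(filename)
    return ext.lower() == ".lnk" and os.path.splitext(stem)[1].lower() in DOC_EXTENSIONS


def assess(filename: str, data: bytes) -> list:
    """Return findings for one file; an empty list means nothing suspicious."""
    findings = []
    if not is_lnk(data):
        return findings
    if looks_like_document(filename):
        findings.append("double-extension shortcut disguised as a document")
    if not filename.lower().endswith(".lnk"):
        findings.append("ShellLink header but a non-.lnk extension")
    if link_flags(data) & HAS_ARGUMENTS:
        findings.append("shortcut carries command-line arguments")
    return findings


def assess_file(path: str) -> list:
    """Read only the header so large files are not loaded into memory."""
    with open(path, "rb") as fh:
        return assess(os.path.basename(path), fh.read(LNK_HEADER_SIZE))


def make_header(flags: int) -> bytes:
    """Constructed sample: a minimal 76-byte ShellLink header for offline testing."""
    return (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le
            + struct.pack("<I", flags) + b"\x00" * (LNK_HEADER_SIZE - 24))
```

Running assess_file over a mail-attachment quarantine or user Downloads folder surfaces shortcuts that present as documents, independent of the Explorer setting that hides the extension.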

Impact

  • Sensitive Data Theft
  • Credential Theft

Indicators of Compromise

Domain Name:

  • telagsmn.com
  • teleglren.com
  • teleglarm.com
  • 5443654.site
  • 5443654.world

MD5:


SHA-256:


SHA-1:


Remediation:

  • Block all threat indicators at your respective controls.
  • Search for indicators of compromise (IoCs) in your environment using your respective security controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.
  • Implement ongoing phishing awareness training for partners and staff.
  • Implement a web application firewall to filter out malicious traffic and protect against common web-based threats.
  • Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
  • Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
  • Stay vigilant and follow cybersecurity best practices to protect systems and data, including regularly updating software and implementing strong access controls and monitoring tools.
  • Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
  • Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
  • Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
  • Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
  • Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
  • Thoroughly check the URL to confirm it is legitimate before downloading apps, particularly when the site was reached through a search ad.