Viruses in advertising: criminals disguise malware in Google Ads

Cybercriminals manage to distribute malware through a fraudulent Google Ads campaign.


The increase in cyberattacks over the last couple of years is undeniable, and criminal strategies keep adapting to less suspicious environments in order to reach privileged data in our accounts or on our devices. Now it is Google's advertising platform that is at the center of the alerts.

The cybersecurity firm ESET has detected in Southeast Asia a scam based on fraudulent Google Ads campaigns that deliver the FatalRAT Trojan to the computers of users who click on certain ads.

A report shared on Twitter by the ESET research account highlights targets distributed throughout this part of the world, concentrated in China, Taiwan, Hong Kong, Malaysia, Japan, the Philippines, Thailand, Singapore, Indonesia and Burma.

“Unknown attackers created fake websites that look identical to popular apps like Firefox, WhatsApp, or Telegram; but, in addition to providing the legitimate software, they also deliver FatalRAT, a remote access Trojan that gives the attacker control of the victim computer”, ESET highlights in the report.

Following the publication of this finding, the ads were removed from the Google Ads system.

Malware through Google Ads

According to the research, the attackers take advantage of the Google Ads system to appear in the search engine as a featured result when users search for popular apps and their installers.

In addition to those already mentioned, ESET notes that Google Chrome, LINE, Signal, Skype, Electrum, Sogou Pinyin Method, Youdao and WPS Office are the brands that recur most often in these searches.

The report states that the URLs used by the criminals contain deliberate misspellings that make them look like legitimate domains, and that they deliver an installer file carrying the FatalRAT malware, a remote access Trojan documented since August 2021.
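The lookalike-domain pattern described above lends itself to a simple defensive check. The following is an added example, not code from ESET or the report: it flags download URLs whose host either embeds a brand name from the article while not being the brand's real domain, or sits within a small edit distance of the real domain label. The legitimate-domain mapping and the sample URLs are assumptions constructed for this example.

```python
from urllib.parse import urlparse

# Brands named in the ESET report, mapped to a legitimate registrable domain.
# This mapping is an assumption of the example, not taken from the report.
LEGIT_DOMAINS = {
    "firefox": "mozilla.org",
    "whatsapp": "whatsapp.com",
    "telegram": "telegram.org",
    "signal": "signal.org",
    "skype": "skype.com",
    "electrum": "electrum.org",
}

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: ignores suffixes like co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify_url(url: str) -> str:
    """Return 'legitimate', 'lookalike:<brand>' or 'unrelated' for a download URL."""
    if "://" not in url:            # allow bare hosts such as example.com/path
        url = "https://" + url
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in LEGIT_DOMAINS.values():
        return "legitimate"
    label = domain.split(".")[0]
    for brand, legit in LEGIT_DOMAINS.items():
        # Brand name embedded in a host that is not the real one, e.g. brand-download.example.
        # Only the host is inspected: a brand name in the URL path is not suspicious by itself.
        if brand in host:
            return f"lookalike:{brand}"
        # Typo within two edits of the real second-level label, e.g. telegrarn vs telegram.
        # Short labels (skype) deserve a stricter threshold in production to limit false positives.
        if levenshtein(label, legit.split(".")[0]) <= 2:
            return f"lookalike:{brand}"
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample URLs, not indicators from the report.
    for u in ["https://www.whatsapp.com/download", "https://whatsapp-download.example/setup.exe",
              "https://telegrarn.org/install", "https://news.example/firefox-review"]:
        print(u, "->", classify_url(u))
```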

Once installed, this malicious code gives the attacker full control of the infected computer, including executing commands and files, collecting data from browsers and capturing everything typed on the keyboard.

“Attackers may only be interested in stealing information such as web credentials to sell on underground forums or use for another type of criminal software campaign,” ESET clarifies, “but for now the specific attribution of this campaign to a known or new threat actor is impossible.”