Hong Kong residents targeted in malvertising campaigns for WhatsApp, Telegram

Two campaigns targeted at Hong Kong residents used malvertising to push fake WhatsApp Web and Telegram pages, tricking victims into scanning QR codes or downloading malware. The operators aimed to steal data, impersonate accounts, and compromise devices, with Google and partners taking down the related infrastructure. #WhatsApp #Telegram #HongKong #Malvertising #QRCode #LawrenceWork #aliyuncs

Keypoints

  • Malvertising campaigns targeted Hong Kong residents using WhatsApp and Telegram ads to drive QR-code linking and malware delivery.
  • The WhatsApp campaign uses a fake WhatsApp Web page and its QR-code linking flow to add the attacker’s device to the victim’s account, giving the operator access to chats and contacts.
  • A lookalike WhatsApp domain lawrencework.com and associated pages were used to generate QR codes; the domain was registered just two days earlier.
  • A separate Telegram ad campaign links to a malware-laced MSI installer hosted at kolunite.oss-ap-southeast-7.aliyuncs.com/HIP-THH-19-1.msi, with SHA-256 hash 36d11b18d3345ff743f7b003d10a0820c8c1661dd7dc279434e436de798c3a4b.
  • The campaigns were linked to a single advertiser; both lead to data theft, impersonation, and malware, with potential political motive considered but not evidenced.
  • Observed indicators of compromise include malicious WhatsApp domains suaa.vvg2rt.top and wss.f8ddcc.com, a QR-code hostname 119srv.lawrencework.com, and the Telegram MSI URL and hash.

MITRE Techniques

  • [T1189] Drive-by Compromise – Malvertising delivers lookalike pages to victims, enabling initial access through risky redirects and QR code prompts. ‘Malvertising is a powerful malware or scam delivery mechanism that makes it easy to target specific geographies or even users.’ ‘Clicking on the ad leads to a convincing lookalike site in Chinese that pretends to be WhatsApp Web.’
  • [T1566.002] Phishing: Spearphishing Link – The decoy WhatsApp/Telegram pages lure users to scan a QR code to link a device. ‘The decoy sites we saw used a similar page than the web version of WhatsApp to trick victims into scanning a QR code to link their new device.’
  • [T1036] Masquerading – The lookalike site pretends to be WhatsApp Web. ‘a convincing lookalike site in Chinese that pretends to be WhatsApp Web’
  • [T1105] Ingress Tool Transfer – The Telegram MSI installer is downloaded from a remote URL. ‘The two links (identical) download an MSI installer from the following URL: kolunite.oss-ap-southeast-7.aliyuncs[.]com/HIP-THH-19-1.msi’
  • [T1204.002] User Execution – The MSI has been injected with malware and only installs it once the user runs the installer. ‘This installer has been injected with malware, which we can see once we execute it.’

Indicators of Compromise

  • [Domain] Malicious WhatsApp domains – suaa.vvg2rt.top, wss.f8ddcc.com
  • [Hostname] QR code hostname – 119srv.lawrencework.com
  • [URL] Telegram MSI URL – kolunite.oss-ap-southeast-7.aliyuncs.com/HIP-THH-19-1.msi
  • [Hash] Telegram MSI hash – 36d11b18d3345ff743f7b003d10a0820c8c1661dd7dc279434e436de798c3a4b
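A small detection helper that checks web-proxy log lines and downloaded files against the indicators listed above, added here as an example and not code from Malwarebytes or the original post. The log format, client addresses and timestamps are constructed; matching on the lawrencework.com apex is an assumption so that any subdomain of the lookalike domain (such as 119srv) is caught.

```python
import hashlib
import re
from typing import Optional
from urllib.parse import urlsplit

# Indicators from the report. lawrencework.com (the lookalike apex) is added as an
# assumption so subdomains such as 119srv.lawrencework.com also match.
IOC_HOSTS = {"suaa.vvg2rt.top", "wss.f8ddcc.com", "lawrencework.com"}
IOC_URL = "kolunite.oss-ap-southeast-7.aliyuncs.com/HIP-THH-19-1.msi"
IOC_SHA256 = {"36d11b18d3345ff743f7b003d10a0820c8c1661dd7dc279434e436de798c3a4b"}

# Constructed proxy log lines in a hypothetical "<time> <client> <method> <url>" format.
SAMPLE_LOG = """\
2023-10-05T08:01:12Z 10.0.0.21 CONNECT web.whatsapp.com:443
2023-10-05T08:02:40Z 10.0.0.21 GET https://119srv.lawrencework.com/qr?s=abc
2023-10-05T08:03:05Z 10.0.0.33 CONNECT wss.f8ddcc.com:443
2023-10-05T08:05:19Z 10.0.0.44 GET https://kolunite.oss-ap-southeast-7.aliyuncs.com/HIP-THH-19-1.msi
2023-10-05T08:06:00Z 10.0.0.44 GET https://example.com/index.html
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST|CONNECT)\s+(\S+)$")


def matching_ioc_host(host: str) -> Optional[str]:
    """Return the IoC that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOC_HOSTS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def classify_line(line: str) -> Optional[dict]:
    """Parse one log line; return a finding if it touches an indicator, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url = m.groups()
    parts = urlsplit(url if "://" in url else "//" + url)  # CONNECT lines carry no scheme
    host = parts.hostname or ""
    if host + parts.path == IOC_URL:  # exact hit on the Telegram MSI download URL
        return {"ts": ts, "client": client, "rule": "telegram_msi_url", "ioc": IOC_URL}
    ioc = matching_ioc_host(host)
    if ioc:  # WhatsApp lookalike / QR-code infrastructure
        return {"ts": ts, "client": client, "rule": "ioc_host", "ioc": ioc}
    return None


def scan_log(text: str) -> list:
    """Run classify_line over every line and collect the findings in log order."""
    return [f for f in map(classify_line, text.splitlines()) if f]


def msi_matches_ioc(data: bytes) -> bool:
    """True if the SHA-256 of a retrieved file equals the report's MSI hash."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256
```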

Read more: https://www.malwarebytes.com/blog/threat-intelligence/2023/10/hong-kong-residents-targeted-in-malvertising-campaigns-for-whatsapp-telegram