
FIN7 Hacker Group Uses Malicious Google Ads to Distribute NetSupport RAT (Source: thehackernews.com)


The financially motivated threat actor known as FIN7 has been observed using malicious Google ads that impersonate well-known brands to deliver the NetSupport RAT. The activity was uncovered by cybersecurity firm eSentire, which found the group using sponsored search ads to lure users into downloading MSIX installers that, once run, deploy NetSupport RAT.

FIN7, also tracked as Carbon Spider and Sangria Tempest, is a persistent e-crime group that has been active since 2013. It initially targeted point-of-sale devices to steal payment card data and has since shifted to ransomware operations against large organizations. Over the years, FIN7 has refined its tradecraft and built up a custom malware arsenal that includes BIRDWATCH, Carbanak, DICELOADER, POWERPLANT, POWERTRASH, and TERMITE.

FIN7's traditional entry point into target networks is spear-phishing. Recent observations, however, show the group initiating its attack chains through malvertising instead. Microsoft reported in November 2023 that attackers were using Google ads to entice users into downloading malicious MSIX application packages; running the package executes POWERTRASH, a PowerShell-based dropper, which in turn loads NetSupport RAT and Gracewire.

In April 2024, eSentire observed FIN7 using deceptive web ads to deliver NetSupport RAT followed by DICELOADER, underscoring the risk posed by the abuse of validly signed MSIX files: a signed package passes the installer's trust checks and looks legitimate to the user. Malwarebytes independently reported similar activity targeting corporate users through malicious ads and fake pop-up dialogs that mimicked prominent brands such as Asana, BlackRock, Google Meet, and The Wall Street Journal.

The discovery of FIN7's malvertising campaigns coincides with a SocGholish (FakeUpdates) infection wave aimed at business partners. The attackers behind that campaign used living-off-the-land techniques to harvest credentials and map local and business-to-business relationships for later exploitation. It also follows a separate campaign against Windows and Microsoft Office users that spread RATs and cryptocurrency miners through cracks for popular software.

In response to this abuse, Microsoft has disabled the ms-appinstaller protocol handler by default. The handler is what let a web page (or a sponsored ad landing page) hand an MSIX package straight to App Installer via an ms-appinstaller:// link, so disabling it removes the one-click install path that FIN7 and other actors relied on; organizations should still verify the setting on their own fleet, since an older App Installer build or an explicit policy can leave it enabled.
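The following PowerShell script is an added example, not code from the eSentire, Malwarebytes, or Microsoft reporting summarized above. It checks a Windows host for the two things a defender would want to confirm after reading this article: whether the ms-appinstaller protocol handler is disabled by policy (the registry path and value name are the real "Enable App Installer ms-appinstaller protocol" Group Policy setting), and which installed MSIX/Appx packages were not signed by the Store or the OS, which is where a sideloaded installer from a malicious ad would appear. It assumes an elevated session on Windows 10/11 with the built-in Appx module; the function names are this example's own.

```powershell
# Added example (not from the reporting this page summarizes): audit a Windows host
# for the MSIX/ms-appinstaller exposure described in the article.
# Assumptions: elevated PowerShell 5.1+ session; Appx module available.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$PolicyName = 'EnableMSAppInstallerProtocol'   # real Group Policy value name

function Get-MsAppInstallerProtocolState {
    # Returns a short state string. "NotConfigured" means the host relies on
    # whatever default the installed App Installer build ships with.
    $item = Get-ItemProperty -Path $PolicyPath -Name $PolicyName -ErrorAction SilentlyContinue
    $appInstaller = Get-AppxPackage -Name 'Microsoft.DesktopAppInstaller' -ErrorAction SilentlyContinue |
        Select-Object -First 1
    $version = if ($appInstaller) { $appInstaller.Version } else { 'not installed' }

    if ($null -eq $item) {
        return "NotConfigured (App Installer $version; default depends on that build)"
    }
    if ($item.$PolicyName -eq 0) {
        return "Disabled by policy (App Installer $version)"
    }
    return "ENABLED by policy (App Installer $version): ms-appinstaller:// links will launch App Installer"
}

function Disable-MsAppInstallerProtocol {
    # Enforce the mitigation explicitly instead of trusting the default.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess("$PolicyPath\$PolicyName", 'Set to 0')) {
        New-Item -Path $PolicyPath -Force | Out-Null
        Set-ItemProperty -Path $PolicyPath -Name $PolicyName -Value 0 -Type DWord
    }
}

function Get-NonStoreAppxPackages {
    # Sideloaded MSIX packages carry SignatureKind Developer, Enterprise or None;
    # those are the ones to review after a suspected malvertising click.
    Get-AppxPackage -AllUsers |
        Where-Object { -not $_.IsFramework -and $_.SignatureKind -notin @('Store', 'System') } |
        Select-Object Name, Publisher, PublisherId, SignatureKind, Version, InstallLocation
}

function Get-RecentAppxDeployments {
    # Recent entries from the AppX deployment operational log whose message
    # mentions an .msix/.msixbundle path or an http(s) package source.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppXDeploymentServer/Operational'
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\.msix(bundle)?\b|https?://' } |
        Select-Object TimeCreated, Id, Message
}

'ms-appinstaller protocol: ' + (Get-MsAppInstallerProtocolState)
"`nPackages not signed by the Store or the OS:"
Get-NonStoreAppxPackages | Format-Table -AutoSize
"`nAppX deployments in the last 7 days referencing .msix or a URL:"
Get-RecentAppxDeployments | Format-Table -AutoSize -Wrap
```

Run it elevated so that Get-AppxPackage -AllUsers can see every profile; call Disable-MsAppInstallerProtocol -WhatIf first to preview the registry change before enforcing it. A Developer- or Enterprise-signed package from an unfamiliar publisher that appeared in the same window as a deployment event with an http(s) source is the combination worth escalating.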
