FIN7, a financially motivated threat actor, has been identified utilizing malicious Google ads to impersonate reputable brands in order to distribute NetSupport RAT through MSIX installers. This tactic was uncovered by cybersecurity firm eSentire, which revealed that the threat actors created fraudulent websites mimicking well-known brands like AnyDesk, BlackRock, and Google Meet to deceive users into downloading malicious files.
The group behind FIN7, also known as Carbon Spider and Sangria Tempest, has been active since 2013. Initially focusing on attacks targeting point-of-sale devices for stealing payment data, FIN7 later switched to breaching large organizations through ransomware campaigns. Over the years, they have refined their tactics and expanded their malware arsenal to include custom families such as BIRDWATCH, Carbanak, and POWERTRASH.
While FIN7 commonly deploys malware through spear-phishing campaigns, they have recently incorporated malvertising techniques to initiate attacks. In December 2023, Microsoft observed the group leveraging Google ads to distribute malicious MSIX application packages, ultimately leading to the deployment of NetSupport RAT and other malware like DICELOADER.
eSentire’s analysis of the April 2024 attacks revealed that users who visited the fake websites via Google ads were prompted to download a phony browser extension, which contained a PowerShell script to establish communication with a remote server. This script then fetched another encoded PowerShell payload to download and execute NetSupport RAT. Additionally, DICELOADER was delivered using a Python script alongside the trojan.
The use of signed MSIX files by FIN7 has proven to be effective in their malicious schemes, prompting Microsoft to disable the protocol handler by default. Similar findings were reported by Malwarebytes, highlighting the targeting of corporate users through deceptive ads mimicking brands like Asana and CNN.
These malvertising campaigns coincide with a wave of SocGholish infections targeting business partners and a malware campaign exploiting Windows and Microsoft Office users through software cracks. The attackers behind these campaigns are utilizing various techniques to gather sensitive credentials and establish persistence to continue distributing malware even after removal.
Overall, the evolving tactics of threat actors like FIN7 underscore the importance of vigilance and cybersecurity measures to protect against sophisticated attacks aimed at compromising systems and stealing sensitive data. It is crucial for organizations and individuals to stay informed about emerging threats and take proactive steps to safeguard their digital assets.