The financially motivated threat actor known as FIN7 has been observed leveraging malicious Google ads spoofing legitimate brands as a means to deliver MSIX installers that culminate in the deployment of NetSupport RAT.
“The threat actors used malicious websites to impersonate well-known brands, including AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet,” cybersecurity firm eSentire said in a report published earlier this week.
FIN7 (aka Carbon Spider and Sangria Tempest) is a persistent e-crime group that’s been active since 2013, initially dabbling in attacks targeting point-of-sale (PoS) devices to steal payment data, before pivoting to breaching large firms via ransomware campaigns.
Over the years, the threat actor has refined its tactics and malware arsenal, adopting various custom malware families such as BIRDWATCH, Carbanak, DICELOADER (aka Lizar and Tirion), POWERPLANT, POWERTRASH, and TERMITE, among others.
FIN7 malware is commonly deployed through spear-phishing campaigns as an entry to the target network or host, although in recent months the group has utilized malvertising techniques to initiate the attack chains.
In December 2023, Microsoft said it observed the attackers relying on Google ads to lure users into downloading malicious MSIX application packages, which ultimately led to the execution of POWERTRASH, a PowerShell-based in-memory dropper that’s used to load NetSupport RAT and Gracewire.
“Sangria Tempest […] is a financially motivated cybercriminal group currently focusing on conducting intrusions that often lead to data theft, followed by targeted extortion or ransomware deployment such as Clop ransomware,” the tech giant noted at the time.
The abuse of MSIX as a malware distribution vector by multiple threat actors — likely owing to its ability to bypass security mechanisms like Microsoft Defender SmartScreen — has since prompted Microsoft to disable the protocol handler by default.
In the attacks observed by eSentire in April 2024, users who visit the bogus sites via Google ads are displayed a pop-up message urging them to download a phony browser extension, which is an MSIX file containing a PowerShell script that, in turn, gathers system information and contacts a remote server to fetch another encoded PowerShell script.
The second PowerShell payload is used to download and execute the NetSupport RAT from an actor-controlled server.
The Canadian cybersecurity company said it also detected the remote access trojan being used to deliver additional malware, which includes DICELOADER by means of a Python script.
“The incidents of FIN7 exploiting trusted brand names and using deceptive web ads to distribute NetSupport RAT followed by DICELOADER highlight the ongoing threat, particularly with the abuse of signed MSIX files by these actors, which has proven effective in their schemes,” eSentire said.
Similar findings have been independently reported by Malwarebytes, which characterized the activity as singling out corporate users via malicious ads and modals by mimicking high-profile brands like Asana, BlackRock, CNN, Google Meet, SAP, and The Wall Street Journal. It, however, did not attribute the campaign to FIN7.
News of FIN7’s malvertising schemes coincides with a SocGholish (aka FakeUpdates) infection wave that’s designed to target business partners.
“Attackers used living-off-the-land techniques to collect sensitive credentials, and notably, configured web beacons in both email signatures and network shares to map out local and business-to-business relationships,” eSentire said. “This behavior would suggest an interest in exploiting these relationships to target business peers of interest.”
It also follows the discovery of a malware campaign targeting Windows and Microsoft Office users to propagate RATs and cryptocurrency miners via cracks for popular software.
“The malware, once installed, often registers commands in the task scheduler to maintain persistence, enabling continuous installation of new malware even after removal,” Broadcom-owned Symantec said.