    FIN7 hacker group uses malicious Google ads to spread NetSupport RAT

By techempire
The financially motivated threat actor known as FIN7 has been observed using malicious Google ads that spoof legitimate brands to deliver MSIX installers, ultimately deploying the NetSupport RAT.

    “Threat actors are using malicious websites to impersonate well-known brands, including AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable and Google Meet,” cybersecurity firm eSentire said in a report released earlier this week.

FIN7 (also known as Carbon Spider and Sangria Tempest) is a persistent e-crime group that has been active since 2013, initially carrying out attacks against point-of-sale (PoS) devices to steal payment data and later pivoting to ransomware campaigns against large companies.


Over the years, the group has refined its tactics and malware arsenal, adopting various custom malware families such as BIRDWATCH, Carbanak, DICELOADER (also known as Lizar and Tirion), POWERPLANT, POWERTRASH, and TERMITE, among others.

    FIN7 malware is typically deployed via spear phishing campaigns as a point of entry into a target network or host, although the group has leveraged malvertising techniques to launch attack chains in recent months.

    In December 2023, Microsoft said it observed attackers relying on Google ads to lure users to download malicious MSIX application packages, which ultimately led to the execution of POWERTRASH, a PowerShell-based in-memory implant used to load the NetSupport RAT and Gracewire.

“Sangria Tempest […] is a financially motivated cybercriminal organization currently focused on conducting intrusions that often result in data theft, followed by targeted ransomware or ransomware deployment, such as Clop ransomware.”

    Multiple threat actors have abused MSIX as a malware distribution vector (possibly due to its ability to bypass security mechanisms such as Microsoft Defender SmartScreen), prompting Microsoft to disable the protocol handler by default.


In an attack observed by eSentire in April 2024, users who visited a fake website through a Google ad were shown a pop-up message urging them to download a fake browser extension, which was an MSIX file containing a PowerShell script. That script in turn collects system information and contacts a remote server to obtain another encoded PowerShell script.

    The second PowerShell payload is used to download and execute the NetSupport RAT from a server controlled by the actor.
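The chain above (an MSIX package launching PowerShell, which then runs a second, encoded PowerShell stage) leaves a recognisable shape in process-creation telemetry. The following is an added detection example, not code from the article or from eSentire; the sample events, the package name, the PsfLauncher64.exe parent and the base64 blob are constructed, and the heuristics are assumptions for illustration.

```python
from dataclasses import dataclass

# Real install root for MSIX/AppX packages on Windows: a PowerShell process whose
# parent or script path lives here was started by something a package put on disk.
WINDOWSAPPS = r"c:\program files\windowsapps"


@dataclass
class ProcessEvent:
    pid: int
    image: str
    command_line: str
    parent_image: str


# Constructed sample telemetry in the shape of Sysmon Event ID 1 (process create).
SAMPLE_EVENTS = [
    ProcessEvent(100, r"C:\Windows\System32\svchost.exe",
                 "svchost.exe -k netsvcs",
                 r"C:\Windows\System32\services.exe"),
    # Stage 1: the package's launcher runs the bundled install script.
    ProcessEvent(200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File '
                 '"C:\\Program Files\\WindowsApps\\ExampleVendor.FakeExtension_1.0.0.0_x64__abc123\\install.ps1"',
                 r"C:\Program Files\WindowsApps\ExampleVendor.FakeExtension_1.0.0.0_x64__abc123\PsfLauncher64.exe"),
    # Stage 2: the script fetched from the server is run as an encoded command
    # (the blob here is just "Sample" in UTF-16LE base64).
    ProcessEvent(201, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc UwBhAG0AcABsAGUA",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # Benign admin script for contrast.
    ProcessEvent(300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\Scripts\backup.ps1",
                 r"C:\Windows\System32\svchost.exe"),
]


def is_powershell(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] in {"powershell.exe", "pwsh.exe"}


def has_encoded_command(command_line: str) -> bool:
    """True if any switch is an accepted spelling of -EncodedCommand.

    PowerShell accepts every unambiguous prefix (-e, -en, -enc, ...) plus -ec,
    so matching only the literal "-EncodedCommand" would miss most real uses.
    """
    for token in command_line.split():
        if token.startswith("-") and len(token) > 1:
            switch = token[1:].lower()
            if switch == "ec" or "encodedcommand".startswith(switch):
                return True
    return False


def analyze(events):
    """Return {pid: [reasons]} for PowerShell processes matching the pattern."""
    findings = {}
    for ev in events:
        if not is_powershell(ev.image):
            continue
        reasons = []
        if ev.parent_image.lower().startswith(WINDOWSAPPS):
            reasons.append("parent is a component of an installed MSIX package")
        if WINDOWSAPPS in ev.command_line.lower():
            reasons.append("script path is inside an MSIX package directory")
        if has_encoded_command(ev.command_line):
            reasons.append("encoded PowerShell command (second stage)")
        if is_powershell(ev.parent_image):
            reasons.append("PowerShell spawned by PowerShell (staged loader)")
        if reasons:
            findings[ev.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

Each rule on its own produces noise (administrators do run encoded commands); the value is in the combination, and in correlating stage 1 and stage 2 through the parent-child relationship so the alert carries the package directory that the MSIX installer created.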

The Canadian cybersecurity company said it has also detected the remote access trojan being used to deliver other malware, including DICELOADER, which is delivered via a Python script.

eSentire said: “The incident of FIN7 leveraging a trusted brand name and using deceptive online advertising to distribute NetSupport RAT and then DICELOADER highlights the ongoing threat, particularly the misuse of signed MSIX files by these actors, which has proven effective in their scheme.”

Similar findings were independently reported by Malwarebytes, which described the campaign as targeting corporate users through malicious ads and lookalike pages that imitate well-known brands such as Asana, BlackRock, CNN, Google Meet, SAP and the Wall Street Journal. However, the company did not attribute the activity to FIN7.


The disclosure of FIN7's malvertising campaign coincides with a wave of SocGholish (also known as FakeUpdates) infections aimed at business partners.

“Adversaries are using living-off-the-land techniques to collect sensitive credentials, specifically configuring web beacons in email signatures and network shares to map local and business-to-business relationships,” eSentire said. “This behavior demonstrates an interest in exploiting these relationships to target business partners of interest.”
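A web beacon in an email signature is a remote image that fetches from the adversary's server whenever the message is rendered, revealing who opened it and from where. The following is an added example of how a mail gateway or signature audit can spot one; it is not code from the article or from eSentire. The sample signature, the tracker.invalid host and the trusted-host list are constructed, and the traits it checks for (untrusted host, 1x1 size, CSS hiding, per-recipient query string) are assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organisation legitimately serves signature images from (assumption).
TRUSTED_HOSTS = {"example.com"}

# Constructed signature: a genuine logo plus a hidden 1x1 pixel with a per-recipient id.
SAMPLE_SIGNATURE = """
<div>
  <p>Alice Example<br>Finance, Example Corp</p>
  <img src="https://mail.example.com/img/logo.png" width="120" height="40" alt="Example Corp">
  <img src="https://tracker.invalid/p.gif?id=alice-0042" width="1" height="1" style="display: none">
</div>
"""


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag (HTMLParser lowercases names)."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def _is_trusted(host, trusted):
    return any(host == t or host.endswith("." + t) for t in trusted)


def _is_tiny(attrs):
    """True if either dimension is 0 or 1 pixel, the classic tracking-pixel size."""
    for key in ("width", "height"):
        value = (attrs.get(key) or "").strip().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


def find_beacons(html, trusted=TRUSTED_HOSTS):
    """Return [(src, reasons)] for images that fetch from an untrusted remote host."""
    parser = ImgCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.images:
        src = attrs.get("src") or ""
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # cid: and data: images are embedded, so they cannot phone home
        host = (url.hostname or "").lower()
        if _is_trusted(host, trusted):
            continue
        reasons = [f"loads from untrusted host {host}"]
        if _is_tiny(attrs):
            reasons.append("1x1 pixel size")
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden with CSS")
        if url.query:
            reasons.append("query string that can identify the recipient")
        hits.append((src, reasons))
    return hits


if __name__ == "__main__":
    for src, reasons in find_beacons(SAMPLE_SIGNATURE):
        print(src, "->", "; ".join(reasons))
```

The untrusted-host test is the one that matters; size and CSS hiding only raise confidence, since a beacon can just as well be a full-size image. Blocking automatic remote-image loading in the mail client removes the signal entirely, which is why the quoted reliance on beacons is a sign the targeted organisations still allow it.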

Malware campaigns targeting Windows and Microsoft Office users have also previously been discovered using cracked versions of popular software to spread RATs and cryptocurrency miners.

    Broadcom-owned Symantec said: “Once malware is installed, it often registers commands with the task scheduler to maintain persistence, allowing new malware to continue to be installed even after removal.”
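Task Scheduler persistence of the kind Symantec describes is visible in the task definitions Windows stores as XML (under C:\Windows\System32\Tasks, or exported with schtasks /Query /XML). The following is an added audit example, not code from the article or from Symantec; the two task definitions are constructed, and the traits it combines (an autostart trigger, a hidden task, a script host, or a binary in a user-writable directory) are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of Windows Task Scheduler task definitions (real schema URI).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Paths a proper installer rarely uses for a long-lived binary, but a payload
# dropped by a user-level installer typically does (heuristic, an assumption).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Script hosts commonly used to run a dropped payload rather than a real service.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Triggers that re-run the action without any user involvement.
AUTOSTART_TRIGGERS = {"LogonTrigger", "BootTrigger"}

# Constructed task definitions: one persistence-style task, one ordinary updater.
SAMPLE_TASKS = {
    "SystemUpdateService": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\alice\AppData\Roaming\svc_update\svc_update.exe</Command>
    </Exec>
  </Actions>
</Task>""",
    "VendorUpdate": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T09:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\ExampleVendor\update.exe</Command>
      <Arguments>/check</Arguments>
    </Exec>
  </Actions>
</Task>""",
}


def _local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def assess_task(xml_text: str) -> list:
    """Return the persistence traits found in one task definition."""
    root = ET.fromstring(xml_text)
    reasons = []
    triggers = root.find("t:Triggers", NS)
    if triggers is not None:
        for trig in triggers:
            if _local_name(trig.tag) in AUTOSTART_TRIGGERS:
                reasons.append(f"runs automatically on {_local_name(trig.tag)}")
    hidden = root.findtext("t:Settings/t:Hidden", default="", namespaces=NS)
    if hidden.strip().lower() == "true":
        reasons.append("hidden from the Task Scheduler UI")
    for action in root.findall("t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS).strip()
        args = action.findtext("t:Arguments", default="", namespaces=NS).strip()
        exe = cmd.lower().strip('"').rsplit("\\", 1)[-1]
        full = f"{cmd} {args}".lower()
        if exe in INTERPRETERS:
            reasons.append(f"action is a script host: {exe}")
        if any(d in full for d in USER_WRITABLE):
            reasons.append(f"action runs from a user-writable path: {cmd}")
    return reasons


def audit_tasks(tasks: dict) -> dict:
    """{task name: reasons} for tasks with an autostart trigger plus any other trait."""
    flagged = {}
    for name, xml_text in tasks.items():
        reasons = assess_task(xml_text)
        autostart = any(r.startswith("runs automatically") for r in reasons)
        if autostart and len(reasons) > 1:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in audit_tasks(SAMPLE_TASKS).items():
        print(name, "->", "; ".join(reasons))
```

Because the task re-creates the infection after the binary is removed, an incident response that deletes the dropped executable but leaves the task behind is the scenario Symantec is warning about; the task definition is what has to go, and the audit above is a way of finding it in the first place.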
