The Rise of Malvertising Attacks by FIN7


The notorious cybercrime group FIN7, also known as Carbon Spider and Sangria Tempest, has recently been observed using malicious Google ads as a lure. The ads impersonate well-known brands and are the entry point of a scheme to deploy malware, including the NetSupport Remote Access Trojan (RAT).

The Evolution of FIN7’s Cyber Tactics

Originally known for targeting point-of-sale (PoS) systems to steal payment data, FIN7 has significantly evolved its approach. Since 2013, the group has expanded into ransomware attacks on large corporations and refined its arsenal of custom malware. According to cybersecurity experts at eSentire, this includes various malware families like BIRDWATCH, Carbanak, and DICELOADER.

“The threat actors used malicious websites to impersonate well-known brands, including AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet,” cybersecurity firm eSentire said in a report published earlier this week. Over recent months, FIN7 has shifted towards malvertising – a technique that abuses legitimate advertising networks to push malicious content.

A malicious site impersonating a well-known brand (Source: eSentire)

Microsoft reported in December 2023 that the group was using Google ads to trick users into downloading deceptive MSIX application packages. Opening such a package installed POWERTRASH, a PowerShell-based dropper that in turn deploys NetSupport RAT and other malware such as Gracewire.

A Closer Look at the Malicious Campaigns

In April 2024, eSentire observed attacks using these tactics. Users who clicked on the deceptive Google ads were greeted with a pop-up urging them to download a fraudulent browser extension.

That download is an MSIX package containing a PowerShell script. The script collects system information and reaches out to a remote server to retrieve additional malicious scripts; this secondary payload then downloads and executes the NetSupport RAT from an attacker-controlled server.

PowerShell Payload snippet (Source: eSentire)
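The chain described above (an MSIX package launching PowerShell, which then calls out to a remote server) is a useful hunting pattern for defenders. The script below is an added example, not code from eSentire or the original article; it assumes Sysmon-style process-creation and network-connection telemetry flattened into simple records, uses the fact that MSIX packages install under C:\Program Files\WindowsApps, and all paths, package names and addresses in it are constructed, not real indicators.

```python
"""Hunt process/network telemetry for a PowerShell process spawned from an
MSIX package directory that later opens an outbound connection.
Added example; the log format and every value below are constructed."""
from dataclasses import dataclass

# MSIX packages are installed under this directory on Windows, so a
# PowerShell process whose parent image lives there deserves a second look.
WINDOWSAPPS = r"c:\program files\windowsapps"
POWERSHELL = ("powershell.exe", "pwsh.exe")

@dataclass
class Event:
    kind: str         # "process" (creation) or "network" (outbound connect)
    pid: int
    ppid: int = 0
    image: str = ""   # full path of the process image (process events)
    parent: str = ""  # full path of the parent image (process events)
    dest: str = ""    # remote host or address (network events)

def is_powershell(path: str) -> bool:
    """True when the image file name is one of the PowerShell hosts."""
    return path.lower().rsplit("\\", 1)[-1] in POWERSHELL

def find_msix_powershell_beacons(events):
    """Return (pid, parent_image, dest) for each PowerShell process that was
    launched from the MSIX package directory and then connected outbound.
    Events are assumed to be in chronological order."""
    candidates = {}   # pid -> parent image of suspicious PowerShell processes
    hits = []
    for ev in events:
        if (ev.kind == "process" and is_powershell(ev.image)
                and ev.parent.lower().startswith(WINDOWSAPPS)):
            candidates[ev.pid] = ev.parent
        elif ev.kind == "network" and ev.pid in candidates:
            hits.append((ev.pid, candidates[ev.pid], ev.dest))
    return hits

# Constructed telemetry: a benign admin PowerShell session started from the
# desktop, then PowerShell launched by a fake "AnyDesk" MSIX package.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event("process", 4100, 900, PS_EXE, r"C:\Windows\explorer.exe"),
    Event("network", 4100, dest="updates.corp.example"),  # constructed, benign
    Event("process", 5120, 5000, PS_EXE,
          r"C:\Program Files\WindowsApps\Fake.AnyDesk_1.0.0.0_x64__abc123\AnyDesk.exe"),
    Event("network", 5120, dest="203.0.113.7"),  # constructed (TEST-NET-3 range)
]

if __name__ == "__main__":
    for pid, parent, dest in find_msix_powershell_beacons(SAMPLE_EVENTS):
        print(f"PID {pid}: PowerShell from MSIX package {parent} connected to {dest}")
```

In a real environment the parent-path check should be paired with the MSIX signer identity, since the campaign relied on signed packages, and the outbound destination should be checked against known-good update hosts.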

The RAT is then used to introduce further malware into the system, including DICELOADER, which is delivered via a Python script. Impersonating legitimate brands and abusing signed MSIX files have markedly boosted the efficacy of FIN7’s campaigns.

Similar activities have been independently documented by Malwarebytes, which noted that these attacks predominantly target corporate users by posing as high-profile brands. However, Malwarebytes did not specifically link these activities to FIN7.

These developments are occurring alongside other troubling cyber threats like the SocGholish infection wave, which targets business partnerships through sophisticated techniques. Moreover, a recent discovery by Symantec revealed a campaign aimed at Windows and Microsoft Office users, distributing RATs and cryptocurrency miners through cracked software.

Final Word

As cyber threats evolve, staying informed about groups like FIN7 is crucial. Awareness and proactive measures can significantly mitigate risks posed by such sophisticated malvertising campaigns.

By Anas Hasan, May 13, 2024

Anas Hassan is a tech geek and cybersecurity enthusiast. He has vast experience in the digital transformation industry. When Anas isn’t blogging, he watches football games.
