FIN7 Hacker Group: Leveraging Malicious Google Ads To Deploy NetSupport RAT

Published on May 16th, 2024

The notorious FIN7 cybercriminal group is back in the news, this time for employing malicious Google Ads to dupe users into downloading malware disguised as legitimate software.

FIN7: A Persistent Threat Actor

FIN7 (also known as Carbon Spider and Sangria Tempest) is a well-established financially motivated threat group active since 2013.

Initially targeting point-of-sale (PoS) systems to steal payment card data, the group has since evolved to target large organizations with ransomware attacks.

FIN7 possesses a diverse malware arsenal, including BIRDWATCH, Carbanak, DICELOADER, POWERPLANT, POWERTRASH, and TERMITE.

Traditionally, FIN7 relied on spear-phishing campaigns to gain access to target networks.

However, recent observations suggest a shift towards malvertising techniques to initiate attacks.

Malicious Ads Dropping NetSupport RAT

In December 2023, Microsoft identified FIN7 using Google Ads to distribute malicious MSIX application packages.

These packages deployed POWERTRASH, a PowerShell-based dropper, which ultimately loaded NetSupport RAT and Gracewire malware.

NetSupport RAT grants remote access to attackers, enabling them to steal data or deploy further malicious tools.

The abuse of MSIX as a malware delivery method proved effective for FIN7, prompting Microsoft to disable the MSIX protocol handler by default.

FIN7’s Latest Malvertising Techniques

In April 2024, eSentire discovered a new FIN7 malvertising campaign. Here’s how it works:

  1. Deceptive Google Ads: Users are lured to bogus websites impersonating well-known brands like AnyDesk, WinSCP, BlackRock, Asana, and The Wall Street Journal.
  2. Phony Browser Extension Download: A pop-up on the fake site prompts users to download a malicious MSIX file disguised as a browser extension.
  3. Information Gathering and Payload Delivery: The MSIX file executes a PowerShell script that gathers system information and retrieves another encoded PowerShell script from a remote server.
  4. NetSupport RAT Deployment: The second PowerShell script downloads and installs NetSupport RAT, granting the attacker remote access to the compromised system.
  5. Additional Malware Delivery: The researchers also observed FIN7 using NetSupport RAT to deploy DICELOADER malware through a Python script.

This campaign highlights the ongoing threat posed by FIN7’s abuse of trusted brands and signed MSIX files for malware distribution.

Key Takeaways

  • FIN7 is a persistent threat actor that adapts its tactics to evade detection.
  • Malvertising is becoming a prominent attack vector for FIN7.
  • Abusing trusted brands and signed applications increases the success rate of malware campaigns.