
FIN7 Hacker Group Leverages Malicious Google Ads to Deliver NetSupport RAT



The financially motivated threat actor known as FIN7 has been observed leveraging malicious Google ads spoofing legitimate brands as a means to deliver MSIX installers that culminate in the deployment of NetSupport RAT.

“The threat actors used malicious websites to impersonate well-known brands, including AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet,” cybersecurity firm eSentire said in a report published earlier this week.

FIN7 (aka Carbon Spider and Sangria Tempest) is a persistent e-crime group that’s been active since 2013, initially dabbling in attacks targeting point-of-sale (PoS) devices to steal payment data, before pivoting to breaching large firms via ransomware campaigns.


Over the years, the threat actor has refined its tactics and malware arsenal, adopting various custom malware families such as BIRDWATCH, Carbanak, DICELOADER (aka Lizar and Tirion), POWERPLANT, POWERTRASH, and TERMITE, among others.

FIN7 malware is commonly deployed through spear-phishing campaigns as the entry point into the target network or host, although in recent months the group has used malvertising to initiate its attack chains.

In December 2023, Microsoft said it observed the attackers relying on Google ads to lure users into downloading malicious MSIX application packages, which ultimately led to the execution of POWERTRASH, a PowerShell-based in-memory dropper that’s used to load NetSupport RAT and Gracewire.

“Sangria Tempest […] is a financially motivated cybercriminal group currently focusing on conducting intrusions that often lead to data theft, followed by targeted extortion or ransomware deployment such as Clop ransomware,” the tech giant noted at the time.

The abuse of MSIX as a malware distribution vector by multiple threat actors — likely owing to its ability to bypass security mechanisms like Microsoft Defender SmartScreen — has since prompted Microsoft to disable the protocol handler by default.


In the attacks observed by eSentire in April 2024, users who reach the bogus sites via Google ads are shown a pop-up message urging them to download a phony browser extension. That "extension" is an MSIX file containing a PowerShell script which, in turn, gathers system information and contacts a remote server to fetch a second, encoded PowerShell script.

The second PowerShell payload is used to download and execute the NetSupport RAT from an actor-controlled server.
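As an added illustration (not code from eSentire's report or this article), a small Python triage check that scores constructed process-creation records for the pattern described above: PowerShell launched by an app installed from an MSIX package, with an encoded or hidden command line. The WindowsApps directory as the MSIX install location and the pipe-separated record format are assumptions made for the example.

```python
import re

# Constructed sample process-creation records (not real telemetry).
# Format assumed for this example: parent_image|image|command_line
SAMPLE_EVENTS = """\
C:\\Windows\\explorer.exe|C:\\Program Files\\WindowsApps\\Contoso.Ext_1.0.0.0_x64__abc123\\app.exe|app.exe
C:\\Program Files\\WindowsApps\\Contoso.Ext_1.0.0.0_x64__abc123\\app.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgA
C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File C:\\Scripts\\backup.ps1
C:\\Program Files\\WindowsApps\\Contoso.Ext_1.0.0.0_x64__abc123\\app.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -Command "Get-ComputerInfo"
"""

# Assumption: MSIX-packaged apps are installed under ...\WindowsApps\
MSIX_PKG_DIR = re.compile(r"\\WindowsApps\\", re.IGNORECASE)
POWERSHELL = re.compile(r"(^|\\)(powershell|pwsh)\.exe$", re.IGNORECASE)
# -e / -en / -enc / -EncodedCommand, only at a flag boundary (not -ExecutionPolicy)
ENCODED_FLAG = re.compile(r"(^|\s)-(e|en|enc|encodedcommand)\b", re.IGNORECASE)
HIDDEN_FLAG = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)


def parse_event(line):
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent, "image": image, "cmdline": cmdline}


def score_event(ev):
    """Return (score, reasons) for one record; non-PowerShell children score 0."""
    reasons = []
    if not POWERSHELL.search(ev["image"]):
        return 0, reasons
    if MSIX_PKG_DIR.search(ev["parent"]):
        reasons.append("powershell spawned by an MSIX package app")
    if ENCODED_FLAG.search(ev["cmdline"]):
        reasons.append("encoded command line")
    if HIDDEN_FLAG.search(ev["cmdline"]):
        reasons.append("hidden window")
    return len(reasons), reasons


def find_suspicious(log_text, threshold=2):
    """Return (command_line, reasons) for records scoring at or above threshold."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["cmdline"], reasons))
    return hits


if __name__ == "__main__":
    for cmdline, reasons in find_suspicious(SAMPLE_EVENTS):
        print(cmdline, "->", ", ".join(reasons))
```

With the sample data only the encoded, hidden-window launch from the package directory crosses the threshold; the plain `Get-ComputerInfo` launch scores one and is left for lower-priority review.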

The Canadian cybersecurity company said it also detected the remote access trojan being used to deliver additional malware, including DICELOADER, by means of a Python script.

“The incidents of FIN7 exploiting trusted brand names and using deceptive web ads to distribute NetSupport RAT followed by DICELOADER highlight the ongoing threat, particularly with the abuse of signed MSIX files by these actors, which has proven effective in their schemes,” eSentire said.

Similar findings have been independently reported by Malwarebytes, which characterized the activity as singling out corporate users via malicious ads and modals by mimicking high-profile brands like Asana, BlackRock, CNN, Google Meet, SAP, and The Wall Street Journal. It, however, did not attribute the campaign to FIN7.


News of FIN7’s malvertising schemes coincides with a SocGholish (aka FakeUpdates) infection wave that’s designed to target business partners.

“Attackers used living-off-the-land techniques to collect sensitive credentials, and notably, configured web beacons in both email signatures and network shares to map out local and business-to-business relationships,” eSentire said. “This behavior would suggest an interest in exploiting these relationships to target business peers of interest.”

It also follows the discovery of a malware campaign targeting Windows and Microsoft Office users to propagate RATs and cryptocurrency miners via cracks for popular software.

“The malware, once installed, often registers commands in the task scheduler to maintain persistence, enabling continuous installation of new malware even after removal,” Broadcom-owned Symantec said.
