FIN7 exploits trusted brands and Google ads to spread malware


A financially motivated threat group has been using malicious Google ads that spoof legitimate brands to deliver MSIX installers, which in turn lead to the deployment of the NetSupport remote access trojan (RAT).

Known as FIN7, Carbon Spider or Sangria Tempest, the group, believed to be Russia-based, has been in operation since at least 2013 and has relied on spearphishing as its primary method of infiltrating target networks and systems.

According to a recent report from eSentire's Threat Response Unit (TRU), FIN7 has been leveraging fake websites disguised as well-known brands, including AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet, as the primary entry point for its malware campaigns.

In recent months FIN7 has added malvertising to its playbook, buying sponsored Google Ads that lead unsuspecting users to the fake websites. Once there, visitors are shown deceptive pop-ups that prompt them to install a purported browser extension. What they actually download is an MSIX package containing malicious payloads that ultimately deploy the NetSupport RAT and the DiceLoader malware. These tools give the threat actors persistent access to compromised systems while helping them evade detection.

The initial MSIX package, signed with certificates issued to "SOFTWARE SP Z O O" and "SOFTWARE BYTES LTD", acts as a conduit for executing PowerShell scripts that collect system information and establish communication with remote servers. The researchers said they submitted a request to GlobalSign, which successfully revoked the certificates.
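One practical response to the chain described above is to triage MSIX packages before they reach users, pulling the publisher identity out of AppxManifest.xml and flagging embedded PowerShell scripts. The following is an added example, written for this page rather than taken from eSentire's report or the page itself; the two publisher names on the watchlist are those quoted above, while the manifest structure, the sample package built in memory, the script file name and the allow/review/block thresholds are assumptions for illustration. Note that the manifest's Publisher string is only what the package claims; a production check must also validate the Authenticode signature (AppxSignature.p7x) against the revoked certificates.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Certificate subject names quoted in the eSentire report, used here as a
# watchlist. Assumption: matching the manifest Publisher CN is a heuristic,
# not a signature check; the real control is validating AppxSignature.p7x.
SUSPECT_PUBLISHERS = {"SOFTWARE SP Z O O", "SOFTWARE BYTES LTD"}


def _publisher_cn(publisher: str) -> str:
    """Extract the CN= component of an X.500-style Publisher string."""
    for part in publisher.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return ""


def triage(msix_bytes: bytes) -> dict:
    """Static triage of an MSIX (a zip): publisher identity plus embedded .ps1 files."""
    with zipfile.ZipFile(io.BytesIO(msix_bytes)) as pkg:
        names = pkg.namelist()
        root = ET.fromstring(pkg.read("AppxManifest.xml"))
    # Namespace-agnostic lookup of the Identity element that carries Publisher.
    identity = next(
        (el for el in root.iter() if el.tag.endswith("}Identity") or el.tag == "Identity"),
        None,
    )
    publisher = identity.get("Publisher", "") if identity is not None else ""
    cn = _publisher_cn(publisher)
    ps1_files = sorted(n for n in names if n.lower().endswith(".ps1"))
    suspect = cn.upper() in SUSPECT_PUBLISHERS
    if suspect:
        verdict = "block"          # known-bad signer name: quarantine outright
    elif ps1_files:
        verdict = "review"         # PowerShell inside an "extension" deserves a look
    else:
        verdict = "allow"
    return {
        "publisher": publisher,
        "publisher_cn": cn,
        "suspect_publisher": suspect,
        "ps1_files": ps1_files,
        "verdict": verdict,
    }


def build_sample_msix(publisher: str, include_ps1: bool) -> bytes:
    """Constructed fixture: a minimal MSIX-shaped zip, not a real signed package.

    Assumption: the publisher string contains no characters needing XML escaping.
    """
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">\n'
        f'  <Identity Name="Sample.Extension" Publisher="{publisher}" Version="1.0.0.0" />\n'
        "</Package>\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("AppxManifest.xml", manifest)
        pkg.writestr("app.exe", b"MZ")  # placeholder payload, constructed
        if include_ps1:
            # Hypothetical script name; real packages vary.
            pkg.writestr("config/StartingScript.ps1", "Write-Host 'constructed sample'")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("CN=SOFTWARE SP Z O O, O=SOFTWARE SP Z O O, C=PL", True),
        ("CN=Example Corp, O=Example Corp, C=US", False),
    ]
    for pub, with_ps1 in samples:
        print(triage(build_sample_msix(pub, with_ps1)))
```

The triage deliberately separates the two signals: a watchlisted signer name is a hard block, while a .ps1 inside a package that was marketed as a browser extension only raises it for review, since legitimate MSIX packages can carry scripts.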
