Severity
High
Analysis Summary
The financially motivated threat actor known as FIN7 has been observed using malicious Google advertisements that impersonate reputable brands to lure victims into downloading MSIX installers, which ultimately lead to the deployment of NetSupport RAT.
FIN7, also tracked as Carbon Spider and Sangria Tempest, has operated as a persistent cybercrime group since 2013. The group initially focused on stealing payment card data from point-of-sale (PoS) systems, then shifted to ransomware campaigns against major corporations. Over time it has refined its tradecraft and expanded its malware arsenal, which includes several unique families such as TERMITE, POWERPLANT, DICELOADER (also known as Lizar and Tirion), BIRDWATCH, Carbanak, and POWERTRASH.
The researchers said, “The threat actors used malicious websites to impersonate well-known brands, including AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet.”
Although the group has recently adopted malvertising to initiate its attack chains, FIN7 malware is typically delivered through spear-phishing as the initial access vector into the target network or host. In December 2023, Microsoft reported observing attackers using Google advertisements to trick users into downloading malicious MSIX application packages.
That activity ultimately resulted in the execution of POWERTRASH, an in-memory PowerShell dropper that loads Gracewire and NetSupport RAT. Because MSIX packages can bypass protections such as Microsoft Defender SmartScreen, the format has been abused by multiple threat actors as a malware distribution vector; in response, Microsoft disabled the ms-appinstaller protocol handler by default.
In the April 2024 attacks, victims who reached the bogus websites through Google ads were shown a pop-up prompting them to download a fake browser extension: an MSIX file containing a PowerShell script. This script gathers system information and contacts a remote server to retrieve a second, encoded PowerShell script.
The second PowerShell payload downloads and runs NetSupport RAT from an actor-controlled server. The researchers also observed DICELOADER being delivered by a Python script through the remote access trojan. FIN7's use of trusted brand names as lures and of online advertisements to spread NetSupport RAT and DICELOADER underscores the persistent threat, especially given the group's successful use of signed MSIX files in these campaigns.
Other security researchers have independently reported similar findings, characterizing the activity as impersonating well-known businesses including Asana, BlackRock, CNN, Google Meet, SAP, and The Wall Street Journal to target corporate users with malicious advertising. The disclosure of FIN7's malvertising tactics coincides with a surge of SocGholish (also known as FakeUpdates) malware aimed at compromising business partners.
The attackers used stealthy techniques to harvest sensitive login credentials. They also planted web beacons in network shares and email signatures to map internal and business-to-business relationships, which suggests an intent to exploit those relationships to target business peers.
It also follows the discovery of a malware campaign that used exploits for widely deployed software to distribute RATs and cryptocurrency miners to Windows and Microsoft Office users. Once installed, the malware frequently registers scheduled tasks for persistence, allowing additional malware to be installed even after an initial cleanup.
Impact
- Security Bypass
- Financial Loss
- Sensitive Data Theft
Indicators of Compromise
Domain Name
- cdn41.space
- cdn40.click
- eprst431.boo
- cdn1124.net
- cdn1701.com
- sapconcur.pro
- concur.pm
- advancedipscannerapp.com
- advanced-ip-scanner.link
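The domains listed above are the concrete hunting material this advisory provides, and the remediation steps below ask for them to be searched for in existing controls. The script that follows is an added example for this page, not code from the original advisory or its researchers. It shows the matching that a grep over logs gets wrong: IOC domains are matched as exact names or parent domains of the observed hostname (so update.cdn1124.net is caught), case and trailing dots are normalised, and a domain that only appears inside a URL path or as a label inside an unrelated host is not reported. The key=value log format and the log lines are constructed for the example.

```python
"""Hunt this advisory's domain IOCs in DNS and proxy logs.

Added example for this advisory (not the original page's code).
SAMPLE_LOG is constructed, in a made-up key=value format; adapt
hostname_from_line() to the real log source.
"""
import re
from urllib.parse import urlsplit

# Domain IOCs exactly as listed in the advisory.
IOC_DOMAINS = {
    "cdn41.space", "cdn40.click", "eprst431.boo", "cdn1124.net", "cdn1701.com",
    "sapconcur.pro", "concur.pm", "advancedipscannerapp.com", "advanced-ip-scanner.link",
}

SAMPLE_LOG = [
    # subdomain of an IOC, upper-case, with the trailing dot DNS logs often carry
    "2024-05-13T09:12:01Z dns client=10.20.30.41 query=UPDATE.cdn1124.NET. type=A",
    # exact IOC host in a proxy URL (constructed path)
    "2024-05-13T09:12:05Z proxy client=10.20.30.41 url=https://sapconcur.pro/download/SAPConcur.msix status=200",
    # legitimate brand domain: must not match just because it resembles an IOC
    "2024-05-13T09:12:09Z dns client=10.20.30.77 query=www.concur.com. type=A",
    # IOC string appears only in the URL path, not as the host: must not match
    "2024-05-13T09:13:00Z proxy client=10.20.30.12 url=https://cdn.example.com/concur.pm/lib.js status=200",
    # IOC used as a label inside an unrelated domain: must not match
    "2024-05-13T09:13:30Z dns client=10.20.30.12 query=concur.pm.example.com. type=A",
]

LINE = re.compile(r"client=(?P<client>\S+).*?(?:query=(?P<query>\S+)|url=(?P<url>\S+))")


def normalise(name: str) -> str:
    """Lower-case the name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def matches_ioc(hostname: str):
    """Return the IOC domain that hostname equals or is a subdomain of, else None.

    Walks the label suffixes (a.b.c -> a.b.c, b.c) and never considers the bare
    TLD, so matching is by DNS hierarchy rather than by substring.
    """
    labels = normalise(hostname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def hostname_from_line(line: str):
    """Extract (client, hostname) from a constructed log line; (None, None) if unparseable."""
    m = LINE.search(line)
    if not m:
        return None, None
    if m.group("query"):
        return m.group("client"), m.group("query")
    return m.group("client"), urlsplit(m.group("url")).hostname or ""


def hunt(lines):
    """Return a list of hits: client, observed host and the IOC it resolved to."""
    hits = []
    for line in lines:
        client, host = hostname_from_line(line)
        if not host:
            continue
        ioc = matches_ioc(host)
        if ioc:
            hits.append({"client": client, "host": normalise(host), "ioc": ioc})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']} (IOC {hit['ioc']})")
```

Suffix matching by label is the right default for domain IOCs: it catches the actor rotating hostnames under a controlled apex while leaving the legitimate brand domains the campaign impersonates (such as concur.com) untouched. Wildcard or substring matching would produce exactly the false positives that get IOC feeds switched off.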
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure that all operating systems, software, and applications are regularly updated with the latest security patches.
- Conduct regular security awareness training so users can recognize and avoid phishing emails and fake software download pages promoted through search advertisements.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, implement code hardening so that the organization's websites and software are secure, and use testing tools to detect vulnerabilities in deployed code.
- Implement network segmentation to limit lateral movement within the network.
- Implement continuous monitoring of network traffic and endpoint activities to detect any unusual or suspicious behavior.
- Develop and regularly test an incident response plan to ensure a swift and effective response in case of a security incident.
- Implement SIEM solutions to centralize log collection and analysis. This can help in identifying patterns of suspicious behavior and provide timely alerts for potential security incidents.
- Regularly back up critical data and ensure that the backup copies are stored securely.