FIN7 Uses Malicious Google Ads to Spread NetSupport RAT

The notorious hacker group FIN7 has been exploiting Google ads to distribute MSIX installers, ultimately deploying NetSupport RAT. According to a recent report, these malicious ads mimic reputable brands like AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet.

FIN7, also known as Carbon Spider and Sangria Tempest, has been active since 2013. The group initially focused on stealing payment data from point-of-sale (PoS) devices but has since shifted to large-scale ransomware campaigns. Over the years, FIN7 has developed a sophisticated arsenal of custom malware, including BIRDWATCH, Carbanak, DICELOADER (also known as Lizar and Tirion), POWERPLANT, POWERTRASH, and TERMITE.

Traditionally, FIN7 has used spear-phishing to infiltrate target networks. However, recent months have seen a pivot to malvertising tactics. In December 2023, Microsoft reported that FIN7 was using Google ads to trick users into downloading malicious MSIX application packages. These packages deploy POWERTRASH, a PowerShell-based dropper, which then loads NetSupport RAT and Gracewire.

“Sangria Tempest is a financially motivated cybercriminal group currently focusing on intrusions leading to data theft and extortion or ransomware attacks, such as Clop ransomware,” Microsoft noted.

Microsoft has since disabled the MSIX protocol handler by default to counter its abuse as a malware distribution vector. Despite this, eSentire observed that in April 2024, FIN7’s bogus sites, accessed via Google ads, prompted users to download a fake browser extension. This extension, an MSIX file containing a PowerShell script, gathers system information and contacts a remote server to fetch another encoded PowerShell script. This second script downloads and executes NetSupport RAT from an actor-controlled server.

The remote access trojan was used to deliver additional malware, including DICELOADER, via a Python script. The company’s report highlights the ongoing threat posed by FIN7’s use of trusted brand names and deceptive web ads to distribute malware.
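A static triage check for the kind of package described above (an MSIX file carrying a PowerShell script), added here as an example and not taken from the eSentire or Microsoft reports. It assumes the script is wired to run at launch through a Package Support Framework `config.json`, which the article does not state; the sample package and all names in it are constructed.

```python
import io
import json
import zipfile
import xml.etree.ElementTree as ET

SCRIPT_EXTS = (".ps1", ".psm1", ".bat", ".cmd", ".vbs", ".js")
NS = {"m": "http://schemas.microsoft.com/appx/manifest/foundation/windows10"}


def triage_msix(data: bytes) -> dict:
    """Statically inspect an MSIX package (a ZIP container) without installing it."""
    report = {"publisher": None, "scripts": [], "launch_scripts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        report["scripts"] = sorted(n for n in names if n.lower().endswith(SCRIPT_EXTS))
        if "AppxManifest.xml" in names:
            ident = ET.fromstring(pkg.read("AppxManifest.xml")).find("m:Identity", NS)
            report["publisher"] = ident.get("Publisher") if ident is not None else None
        # Assumption (not from the article): scripts run at launch are declared in a
        # Package Support Framework config.json under startScript/endScript.
        for name in (n for n in names if n.lower().endswith("config.json")):
            try:
                cfg = json.loads(pkg.read(name).decode("utf-8-sig"))
                for app in cfg["applications"]:
                    for key in ("startScript", "endScript"):
                        if key in app and app[key].get("scriptPath"):
                            report["launch_scripts"].append(app[key]["scriptPath"])
            except (ValueError, LookupError, TypeError, AttributeError):
                continue  # malformed or unrelated config.json
    report["auto_runs_script"] = bool(report["launch_scripts"])
    return report


def build_sample() -> bytes:
    """Constructed sample package; every name and value here is made up."""
    manifest = (f'<Package xmlns="{NS["m"]}"><Identity Name="Example.App" '
                'Publisher="CN=Example Publisher" Version="1.0.0.0"/></Package>')
    cfg = {"applications": [{"id": "App", "executable": "app.exe",
                             "startScript": {"scriptPath": "setup.ps1"}}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppxManifest.xml", manifest)
        z.writestr("config.json", json.dumps(cfg))
        z.writestr("setup.ps1", "Write-Output 'constructed placeholder'")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_msix(build_sample()))
```

A publisher that does not match the brand shown in the ad, combined with a declared launch script, is a reason to hold the package for analysis rather than install it.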

The malicious ads targeted corporate users by mimicking high-profile brands such as Asana, BlackRock, CNN, Google Meet, SAP, and The Wall Street Journal, though it did not specifically attribute the campaign to FIN7.

These malvertising schemes by FIN7 align with a broader trend of using SocGholish (aka FakeUpdates) infections to target business partners. Attackers collect sensitive credentials using “living-off-the-land” techniques and configure web beacons in email signatures and network shares to map out local and business-to-business relationships, suggesting an interest in exploiting these connections.

Additionally, there have been reports of malware campaigns targeting Windows and Microsoft Office users with RATs and cryptocurrency miners via software cracks. Once installed, this malware often registers commands in the task scheduler to maintain persistence, allowing continuous installation of new malware even after attempts at removal.

To avoid falling victim to these FIN7 attacks, users and organizations should implement robust security measures: using ad blockers to reduce exposure to malicious ads, keeping security software up to date, and educating employees about the risks of clicking on ads or downloading software from untrusted sources. Additionally, configuring network security controls to detect and block unusual traffic patterns and employing multi-factor authentication (MFA) can help mitigate the impact of potential breaches.