FIN7 Attack Detection: russia-linked Financially-Motivated Group Exploits Google Ads to Drop NetSupport RAT via MSIX App Installer Files

May 15, 2024 · 3 min read

With the ongoing digitalization of the financial sector, organizations face escalating risk from sophisticated financially motivated cyber attacks. Throughout April 2024, security researchers observed a surge in malicious activity attributed to the russia-linked hacking collective FIN7, targeting organizations worldwide for financial gain. The adversaries abuse sponsored Google Ads disguised as well-known brands to deliver MSIX payloads that ultimately install NetSupport RAT.

Detect FIN7 Latest Attacks

This surge in financially motivated FIN7 attacks can cause substantial financial losses, data breaches, and reputational damage for affected organizations. The growing scope and sophistication of the intrusions underline the importance of robust cybersecurity strategies, proactive threat detection, and collaboration across the industry to defend against evolving threats and safeguard sensitive data.

SOC Prime Platform for collective cyber defense offers a set of curated Sigma rules addressing the latest surge in attacks that abuse malicious Google Ads to distribute NetSupport RAT. All the rules are compatible with 30+ SIEM, EDR, and Data Lake solutions and mapped to the MITRE ATT&CK® framework. To streamline threat investigation, detections are enriched with extensive metadata, including CTI links, ATT&CK references, and other relevant details. Hit the Explore Detections button below to drill down to the relevant detection stack.

Explore Detections

Security professionals who are seeking more detection content associated with the FIN7 hacker collective to analyze the attacks retrospectively can browse the Threat Detection Marketplace using the “FIN7” tag.

FIN7 Attack Description Exploiting Sponsored Google Ads

In April 2024, eSentire's Threat Response Unit (TRU) observed a series of cyber attacks attributed to FIN7, a financially motivated group linked to russia that has been active in the threat landscape for over a decade.

In the latest campaign, adversaries use sponsored Google Ads to drive victims to fraudulent websites masquerading as reputable brands, including AnyDesk, WinSCP, The Wall Street Journal, and Google Meet. These sites distribute MSIX installers that ultimately deploy NetSupport RAT.

In one observed incident, the infection chain starts with a malicious pop-up on a site promoted via sponsored Google Ads, prompting the visitor to download what is presented as a browser extension but is actually an MSIX package. Additional FIN7 sites impersonating trusted brands were identified via URLScan. The MSIX package contains a PowerShell script that collects system information and contacts a C2 server to fetch a second, encoded PowerShell script; that script in turn downloads and executes NetSupport RAT from adversary-controlled infrastructure.

The second scenario mirrors the first. The weaponized website meet-go[.]click lures users into downloading a fraudulent MSIX "MeetGo" installer; a couple of hours later NetSupport RAT lands on the compromised device, and the adversaries connect to it through the RAT. They establish persistence via scheduled tasks and then push a further payload, tracked as DiceLoader, using a Python script.
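The chain described above leaves a recognizable process-creation trail: a PowerShell process whose parent lives in the MSIX package directory, an encoded second-stage PowerShell command, a scheduled task that points at the NetSupport client, and that client running from a user-writable path. The following hunt logic is an added example written for this post; it is neither SOC Prime's Sigma content nor eSentire's code. The events it runs over are constructed Sysmon-style records, and the package name, launcher name, task name and paths in them are illustrative assumptions, not indicators from the reported incidents.

```python
"""Hunt over Sysmon-style process-creation events for the MSIX -> PowerShell -> NetSupport RAT chain."""
import re
from dataclasses import dataclass

# MSIX packages are installed under this directory; a child launched from a package
# (e.g. via the Package Support Framework launcher) has its parent image there.
WINDOWSAPPS = re.compile(r"^c:\\program files\\windowsapps\\", re.IGNORECASE)
# PowerShell's -EncodedCommand switch and the abbreviations it accepts.
ENCODED_FLAG = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\s", re.IGNORECASE)
# NetSupport Manager's client binary; RAT deployments run it from user-writable paths.
NETSUPPORT_CLIENT = "client32.exe"
USER_WRITABLE = re.compile(r"\\(?:appdata|programdata|users\\public|temp)\\", re.IGNORECASE)


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of its parent
    command_line: str


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of the hunt rules the event matches (empty list if benign)."""
    image = ev.image.lower()
    cmd = " " + ev.command_line + " "   # pad so a leading/trailing switch still matches
    rules = []
    # Rule 1/2: PowerShell launched from an installed MSIX package, optionally with an encoded command.
    if image.endswith("\\powershell.exe") and WINDOWSAPPS.match(ev.parent_image):
        rules.append("msix_package_spawns_powershell")
        if ENCODED_FLAG.search(cmd):
            rules.append("msix_powershell_encoded_command")
    # Rule 3: scheduled-task persistence that points at the NetSupport client.
    if image.endswith("\\schtasks.exe") and "/create" in cmd.lower() and NETSUPPORT_CLIENT in cmd.lower():
        rules.append("schtask_persists_netsupport_client")
    # Rule 4: the NetSupport client itself executing from a user-writable location.
    if image.endswith("\\" + NETSUPPORT_CLIENT) and USER_WRITABLE.search(image):
        rules.append("netsupport_client_in_user_writable_path")
    return rules


def hunt(events):
    """Flatten rule hits over a batch of events as (rule, image) pairs."""
    return [(rule, ev.image) for ev in events for rule in classify(ev)]


# Constructed sample events (assumed names and paths, not indicators from the reported incidents).
SAMPLE_EVENTS = [
    ProcEvent(  # PowerShell started by an MSIX launcher, plain script file
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Program Files\WindowsApps\MeetGo_1.0.0.0_x64__abc123\PsfLauncher32.exe",
        command_line=r'powershell.exe -ExecutionPolicy Bypass -File ".\StartingScriptWrapper.ps1"',
    ),
    ProcEvent(  # second stage: encoded command, still parented by the package
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Program Files\WindowsApps\MeetGo_1.0.0.0_x64__abc123\PsfLauncher32.exe",
        command_line="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    ),
    ProcEvent(  # persistence for the RAT client via a scheduled task
        image=r"C:\Windows\System32\schtasks.exe",
        parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r'schtasks.exe /create /tn "MeetGoUpdate" /tr "C:\ProgramData\NetSupport\client32.exe" /sc onlogon',
    ),
    ProcEvent(  # the RAT client running from ProgramData
        image=r"C:\ProgramData\NetSupport\client32.exe",
        parent_image=r"C:\Windows\System32\svchost.exe",
        command_line=r"C:\ProgramData\NetSupport\client32.exe",
    ),
    ProcEvent(  # benign: an admin's interactive PowerShell
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\explorer.exe",
        command_line="powershell.exe -NoProfile",
    ),
    ProcEvent(  # benign: a legitimately installed NetSupport Manager client
        image=r"C:\Program Files\NetSupport\NetSupport Manager\client32.exe",
        parent_image=r"C:\Windows\System32\services.exe",
        command_line=r'"C:\Program Files\NetSupport\NetSupport Manager\client32.exe"',
    ),
]

if __name__ == "__main__":
    for rule, image in hunt(SAMPLE_EVENTS):
        print(f"{rule:45s} {image}")
```

Rule 4 is the noisiest of the four on fleets that legitimately run NetSupport Manager, which is why it keys on the install path rather than the binary name alone; rules 1 and 2 are worth alerting on in their own right, because a packaged application has little reason to spawn PowerShell, let alone with an encoded command.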

To mitigate the risk of FIN7 attacks, researchers recommend treating sponsored Google Ads with caution, downloading software only from verified vendor sources, and running organization-wide phishing awareness programs.

Attacks in which adversaries weaponize deceptive websites impersonating trusted brands challenge organizations because of their sophistication and the breadth of the adversary toolkit, which calls for rapid response and proactive defense strategies. With Attack Detective, security teams can orchestrate their data and automate threat hunting to minimize the risk of intrusion while maximizing the return on security investments.

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.
