Hackers take advantage of sponsored Google Ads as they provide an excellent chance to reach a large audience quickly.
Injecting malicious links or content into sponsored ads can mislead users into clicking on them, potentially causing malware infections or phishing schemes.
eSentire’s 24/7 SOCs, staffed with elite threat hunters and analysts, rapidly detect, investigate, and respond to threats around the clock, and have uncovered dangerous threats such as the Kaseya breach and the more_eggs malware.
Recently, eSentire’s Threat Response Unit (TRU) discovered that FIN7 hackers have been actively abusing sponsored Google Ads to deliver MSIX payloads.
In April 2024, eSentire’s Threat Response Unit (TRU) detected multiple incidents involving the Russian financially motivated threat group FIN7.
The actors used malicious websites impersonating major brands like AnyDesk, WinSCP, and Google Meet to deliver NetSupport RAT and DiceLoader malware.
Victims were lured via sponsored Google Ads into downloading fake browser extensions disguised as signed MSIX files from the “SOFTWARE SP Z O O” and “SOFTWARE BYTES LTD” fronts. eSentire subsequently had the malicious certificates revoked through GlobalSign.
The three components bundled in the MSIX file collected system information, recorded the names of installed antivirus products, and generated GUIDs used to build the C2 URLs and retrieve additional scripts.
When the server response contained “usradm”, the script went on to download the NetSupport RAT payloads using specific URL formats and user agents.
The downloaded NetSupport archive was extracted to C:\ProgramData\netsupport, from where FIN7 executed the RAT executable, completing the first stage of its multi-stage infection chain.
The second incident involved a user downloading a fake MSIX “MeetGo” installer, which dropped NetSupport RAT.
Hours later, the threat actor connected via the RAT, used csvde.exe to export Active Directory computer data and downloaded an “Adobe_017301.zip” archive containing svchostc.exe (renamed python.exe) and svchostc.py (Python payload).
After reconnaissance, a scheduled task was created to persist svchostc.py, which decrypted DiceLoader and injected it into memory; the loader then communicated with C2 addresses stored XOR-encrypted in its data section.
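The article states that DiceLoader keeps its C2 addresses XOR-encrypted in its data section. The following is an added example, not eSentire’s tooling and not DiceLoader’s real format, of how an analyst recovers such strings during triage: it brute-forces every single-byte XOR key against a data blob and keeps the key that yields the most hostname-like text. The blob, the hostnames in it, and the single-byte key are constructed for illustration; the real loader’s key length and layout are not described on the page, so a multi-byte scheme would need the search widened accordingly.

```python
"""
Recover XOR-obfuscated C2 strings from a loader's data section (added example).

Assumptions (not from the article): a single-byte XOR key, NUL-separated
hostnames, and the constructed sample section built by
build_constructed_section(). Real samples may differ.
"""
import re

# Hostname-like runs of bytes: label characters, a dot, then a TLD of 2+ letters.
HOST_RE = re.compile(rb"[a-z0-9.-]+\.[a-z]{2,}")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of `data` with the single-byte `key`."""
    return bytes(b ^ key for b in data)


def build_constructed_section(key: int = 0x5A) -> bytes:
    """Build a fake data section: two constructed C2 hostnames, NUL-separated,
    with junk padding, XOR-encoded under `key`. Purely synthetic test data."""
    plain = (b"\x00\x00"
             b"c2-one.example.invalid\x00"
             b"c2-two.example.invalid\x00"
             b"\xff\xff")
    return xor_bytes(plain, key)


def hosts_under_key(section: bytes, key: int) -> list[str]:
    """Decode `section` with `key` and return the hostname-like strings found."""
    decoded = xor_bytes(section, key)
    return [m.decode("ascii") for m in HOST_RE.findall(decoded)]


def recover_c2(section: bytes) -> tuple[int, list[str]]:
    """Try all 256 single-byte keys; return (key, hosts) for the key whose
    decoding yields the largest total length of hostname-like text."""
    best_key, best_hosts, best_score = 0, [], 0
    for key in range(256):
        hosts = hosts_under_key(section, key)
        score = sum(len(h) for h in hosts)
        if score > best_score:
            best_key, best_hosts, best_score = key, hosts, score
    return best_key, best_hosts


if __name__ == "__main__":
    section = build_constructed_section()
    key, hosts = recover_c2(section)
    print(f"key=0x{key:02x} hosts={hosts}")
```

In practice the recovered hosts are fed straight into blocklists and network detections; the scoring function is deliberately simple so that a wrong key, which turns dots and letters into punctuation, never outscores the true decoding.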
This exemplifies FIN7’s abuse of trusted brands, signed MSIX files, and multi-stage payloads, with NetSupport RAT serving as the stepping stone to DiceLoader.
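The chain described in both incidents leaves distinct traces in endpoint telemetry: a RAT executing from C:\ProgramData\netsupport, csvde.exe exporting Active Directory data, a python.exe binary running under the name svchostc.exe, and a scheduled task whose action launches a .py script. The following is an added example, not eSentire’s detection content, that encodes those four observations as hunting rules and runs them over constructed, Sysmon-style events. The event field names (type, image, original_file_name, command_line, action, task_name), the victim paths under AppData\Local\Temp, the task name and the RAT filename netsupport_rat.exe are assumptions; the article does not give them.

```python
"""
Hunting rules for the NetSupport RAT -> DiceLoader chain (added example).

Event schema below is an assumption modelled loosely on Sysmon process-creation
and scheduled-task events; adapt the field names to your telemetry.
"""
import re
from pathlib import PureWindowsPath

# Staging directory reported in the article (compared case-insensitively).
NETSUPPORT_DIR = r"c:\programdata\netsupport"
# Matches a script argument such as "svchostc.py" in a task action.
PY_SCRIPT = re.compile(r"\S+\.py\b", re.IGNORECASE)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def rule_netsupport_staging(ev: dict) -> bool:
    """Any process launched from the NetSupport extraction directory."""
    return ev["type"] == "process" and ev["image"].lower().startswith(NETSUPPORT_DIR + "\\")


def rule_ad_export_csvde(ev: dict) -> bool:
    """csvde.exe execution: legitimate for admins, but a hunt lead after a RAT."""
    return ev["type"] == "process" and basename(ev["image"]) == "csvde.exe"


def rule_renamed_python(ev: dict) -> bool:
    """Binary whose PE metadata says python.exe but runs under another name
    (the article's svchostc.exe)."""
    return (ev["type"] == "process"
            and ev.get("original_file_name", "").lower() == "python.exe"
            and basename(ev["image"]) != "python.exe")


def rule_py_scheduled_task(ev: dict) -> bool:
    """Scheduled task whose action runs a .py script (persistence for svchostc.py)."""
    return ev["type"] == "scheduled_task" and PY_SCRIPT.search(ev["action"]) is not None


RULES = {
    "netsupport_staging": rule_netsupport_staging,
    "ad_export_csvde": rule_ad_export_csvde,
    "renamed_python": rule_renamed_python,
    "py_scheduled_task": rule_py_scheduled_task,
}

# Constructed events, not real telemetry. Names marked "placeholder" are assumptions.
EVENTS = [
    # Stage 1: RAT executed from the extraction directory (filename is a placeholder).
    {"type": "process",
     "image": r"C:\ProgramData\netsupport\netsupport_rat.exe",
     "original_file_name": "netsupport_rat.exe",
     "command_line": r"C:\ProgramData\netsupport\netsupport_rat.exe"},
    # Stage 2: Active Directory computer export with csvde.exe (arguments constructed).
    {"type": "process",
     "image": r"C:\Windows\System32\csvde.exe",
     "original_file_name": "csvde.exe",
     "command_line": "csvde.exe -f computers.csv -r (objectClass=computer)"},
    # Stage 3: python.exe renamed to svchostc.exe running the loader script (path assumed).
    {"type": "process",
     "image": r"C:\Users\victim\AppData\Local\Temp\svchostc.exe",
     "original_file_name": "python.exe",
     "command_line": "svchostc.exe svchostc.py"},
    # Stage 4: scheduled task persisting svchostc.py (task name is a placeholder).
    {"type": "scheduled_task",
     "task_name": "Updater",
     "action": r"C:\Users\victim\AppData\Local\Temp\svchostc.exe svchostc.py"},
    # Benign noise that must not fire: a real python.exe and an ordinary updater task.
    {"type": "process",
     "image": r"C:\Python311\python.exe",
     "original_file_name": "python.exe",
     "command_line": "python.exe build.py"},
    {"type": "scheduled_task",
     "task_name": "GoogleUpdate",
     "action": r"C:\Program Files\Google\Update\GoogleUpdate.exe /c"},
]


def evaluate(events: list[dict]) -> list[tuple[str, dict]]:
    """Return (rule_name, event) for every rule that fires on every event."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


def chain_stages(events: list[dict]) -> set[str]:
    """Names of the rules that fired at least once; all four together on one
    host within hours is the pattern the article describes."""
    return {name for name, _ in evaluate(events)}


if __name__ == "__main__":
    for name, ev in evaluate(EVENTS):
        print(f"[{name}] {ev.get('image') or ev.get('action')}")
    print("stages observed:", sorted(chain_stages(EVENTS)))
```

Each rule is weak on its own (csvde.exe and scheduled tasks are everyday admin activity), so the value is in correlating them per host: the renamed interpreter and the .py task action are the high-fidelity signals, and the other two confirm the sequence.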
Recommendations
eSentire’s recommendations are as follows:
- Deploy Endpoint Detection and Response (EDR) solutions across all devices.
- Implement a Phishing and Security Awareness Training (PSAT) program.
- Control MSIX execution via AppLocker policies.
- Report incidents of certificate misuse by threat actors.