May 11, 2024 at 03:45AM
FIN7, a financially motivated threat actor, has used malicious Google ads to imitate reputable brands, such as AnyDesk and Google Meet, to spread the NetSupport RAT. The group has evolved from targeting point-of-sale systems to launching ransomware campaigns and has expanded its malware arsenal. This activity has prompted Microsoft to disable the MSIX protocol handler.
Key takeaways from the meeting notes include:
– The financially motivated threat actor FIN7 has been using malicious Google ads to distribute NetSupport RAT and other malware by spoofing well-known brands, including AnyDesk, WinSCP, Asana, and Google Meet.
– The group has evolved from targeting point-of-sale devices to launching ransomware campaigns and leveraging various custom malware families such as BIRDWATCH, Carbanak, and DICELOADER.
– Microsoft has observed attackers utilizing malvertising techniques to distribute malicious MSIX application packages, prompting the company to disable the MSIX protocol handler by default.
– FIN7 has been exploiting trusted brand names and using deceptive web ads to distribute NetSupport RAT followed by DICELOADER, highlighting the ongoing threat posed by the abuse of signed MSIX files.
– The malvertising schemes coincide with a SocGholish infection wave targeting business partners and a malware campaign targeting Windows and Microsoft Office users to propagate RATs and cryptocurrency miners via software cracks.