Google Ads Weaponized: FIN7 Targets Users with Malicious Brand Impersonations

eSentire has reported a new wave of attacks by the FIN7 hacker group, which has disguised itself as well-known brands to distribute malware. The attacks targeted users who clicked on fake ads in Google, leading them to web pages that mimicked legitimate sites.

According to the report, the FIN7 group, also known as Carbon Spider and Sangria Tempest, has been active since 2013. Initially, they attacked retail locations to steal payment data, later shifting to ransomware attacks. The group has employed a range of proprietary malware, including BIRDWATCH and Carbanak.

Contents of the malicious MSIX file

In recent months, FIN7 has adopted a “malvertising” technique, resulting in the spread of MSIX installers through fake advertisements. These installers activate PowerShell scripts, ultimately leading to remote access and control of the infected host via NetSupport RAT.

Microsoft noted that using MSIX as a malware distribution channel facilitates bypassing protective mechanisms such as Microsoft Defender SmartScreen, prompting the company to disable this protocol handler by default.

In April 2024, eSentire reported that victims on fake sites were prompted to download a fictitious browser extension, another method for gathering system information and subsequently deploying malware.

eSentire experts also discovered the use of this Trojan for further installation of other malware, including DICELOADER. These findings are corroborated by Malwarebytes reports, which state that the attacks target corporate users deceived by high-profile brand impersonations.

Alongside the news of FIN7’s malvertising campaign, another attack was identified, targeting Windows and Microsoft Office users to spread RATs and cryptocurrency miners through cracks of popular software.

Symantec reports that the malware installed in this manner registers commands in the task scheduler, allowing it to remain active even after removal, posing additional risks to corporate security.