FIN7 is observed distributing MSIX payloads by impersonating trusted brands and leveraging sponsored Google Ads to drive victims to fake sites that prompt a download. The operation installs NetSupport RAT and DiceLoader via PowerShell loaders, uses signed MSIX files, and includes C2-based downloads, persistence, and data collection with obfuscated payloads.
#FIN7 #NetSupportRAT #DiceLoader #MSIX #AnyDesk #GoogleAds #TheWallStreetJournal #GoogleMeet
Key points
- FIN7 used malicious websites that impersonate well-known brands, promoted through sponsored Google Ads, to lure victims into downloading a fake browser extension packaged as an MSIX file.
- The MSIX payloads were signed by “SOFTWARE SP Z O O” and “SOFTWARE BYTES LTD,” highlighting abuse of legitimate certificates.
- Infection Case One delivers NetSupport RAT via a PowerShell payload that collects system info, builds a C2 URL, and downloads and executes the RAT.
- Infection Case Two involves MeetGo via a fake MSIX, uses curl to fetch AD data tools and a zip, then a Python payload to perform process injection (DiceLoader).
- Persistence is established with a scheduled task (MicrosoftWindowsUpdater) to run the Python payload from a staged directory.
- DiceLoader stores its C2 IPs/ports in encrypted form and uses memory injection and thread creation to execute payloads.
- TRU highlights risk from signed MSIX files, deceptive ads, and the need for certificate verification and user caution with pop-ups.
MITRE Techniques
- [T1189] Drive-by Compromise – Users visit a malicious site after seeing sponsored ads; ‘Users visiting the malicious website via sponsored Google Ads would receive a fake pop-up prompting them to download a fake browser extension (Figure 1).’
- [T1566.001] Phishing: Spearphishing Link – The same attack uses links in ads to drive users to malicious content; ‘malicious websites to impersonate well-known brands…’ (referencing deceptive links).
- [T1036] Masquerading – Impersonation of trusted brands to deceive users; ‘malicious websites impersonating trusted brands…’
- [T1116] Code Signing – Signed MSIX payloads to appear legitimate; ‘MSIX files we have observed are signed with “SOFTWARE SP Z O O” and “SOFTWARE BYTES LTD”.’
- [T1059.001] PowerShell – The loader uses a PowerShell script to collect system info, generate a GUID, and fetch a script from C2; ‘The PowerShell script collects system information … and generates a GUID. It then constructs a URL … to download and Base64-decode a script from the C2 server.’
- [T1105] Ingress Tool Transfer – The decoded script downloads the NetSupport RAT from the C2 server; ‘downloads the NetSupport archive from the C2 server using a specific URL format…’
- [T1053.005] Scheduled Task – Persistence via a scheduled task named MicrosoftWindowsUpdater; ‘Schtasks /create /f … /sc minute /mo 1 …’
- [T1055] Process Injection – The decrypted DiceLoader payload is prepared to allocate memory, copy into memory, and execute via a new thread; ‘memory with execute permissions, copy the decrypted payload into memory, and create and execute a new thread that runs the payload.’
- [T1027] Obfuscated/Compressed Files and Information – Decryption/decoding and obfuscation in the payload (lambda-based decryption and zlib decompression); ‘The decrypted output would contain the encrypted DiceLoader payload … XOR’ed with a hardcoded key … zlib decompression to retrieve the original executable content.’
- [T1087] Account Discovery – Data collection from AD via csvde.exe to export computer object details; ‘csvde.exe -r “(&(objectClass=Computer))” -l … -f 01cp.txt’
- [T1027] Obfuscated/Compressed Files and Information – Data exfiltration/compression/encoding steps during the DiceLoader phase; included again for emphasis.
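The scheduled-task, csvde and PowerShell-loader behaviours mapped above translate directly into process-creation detections. The following is an added example (not code from the report or from TRU) that runs a few such rules over constructed log lines; the task name, schtasks switches and csvde LDAP filter come from the report, while the PowerShell pattern and the staging path are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Finding:
    host: str
    technique: str
    reason: str

# Rules keyed to the techniques the report maps. The PowerShell pattern is an
# assumption about how the loader's Base64 step would look on a command line;
# the report describes the behaviour but does not quote that string.
RULES = [
    ("T1053.005", re.compile(r"schtasks.*?/create.*?/sc\s+minute\s+/mo\s+1\b", re.I),
     "scheduled task created to repeat every minute"),
    ("T1053.005", re.compile(r"/tn\s+\"?MicrosoftWindowsUpdater\b", re.I),
     "task name MicrosoftWindowsUpdater"),
    ("T1087", re.compile(r"\bcsvde(\.exe)?\b.*objectClass=Computer", re.I),
     "csvde exporting Active Directory computer objects"),
    ("T1059.001", re.compile(r"powershell.*FromBase64String.*(DownloadString|WebRequest)", re.I | re.S),
     "PowerShell decoding Base64 content fetched over HTTP (assumed pattern)"),
]

LINE_RE = re.compile(r'host=(?P<host>\S+).*?cmdline="(?P<cmd>.*)"$')

def scan(lines):
    """Return one Finding per (line, rule) match over process-creation log lines."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        for technique, pattern, reason in RULES:
            if pattern.search(m["cmd"]):
                findings.append(Finding(m["host"], technique, reason))
    return findings

# Constructed sample lines, not taken from the report. C:\ProgramData\staged is
# a placeholder for the staging directory, which the report does not name.
SAMPLE_LOGS = [
    'host=WS01 image=C:\\Windows\\System32\\schtasks.exe cmdline="Schtasks /create /f /tn MicrosoftWindowsUpdater /sc minute /mo 1 /tr C:\\ProgramData\\staged\\svchostc.py"',
    'host=WS01 image=C:\\Windows\\System32\\csvde.exe cmdline="csvde.exe -r (&(objectClass=Computer)) -l name -f 01cp.txt"',
    'host=WS02 image=C:\\Windows\\System32\\schtasks.exe cmdline="schtasks /create /tn Backup /sc daily /st 02:00 /tr C:\\backup\\run.cmd"',
    'host=WS03 image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe C:\\Users\\jdoe\\notes.txt"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.host} {f.technique}: {f.reason}")
```

The benign daily backup task on WS02 is left alone; only the one-minute task, its report-quoted name and the csvde export fire.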
Indicators of Compromise
- [IP Address] C2 communications – 91.219.238.214:4673 (observed; defanged in the source as 91.219.238[.]214:4673)
- [Domain] C2/resource domains – cdn46.space (referenced in the payload download URL)
- [Domain] Threat intel reference – urlscan.io (used to identify impersonating sites)
- [File Hash] CSVDE tool – b6f12d39edbfe3b33952be4329064b35 (csvde.exe)
- [File Hash] SSH/EXE payloads – 0740803404a58d9c1c1f4bd9edaf4186 (svchostc.exe)
- [File Hash] Python payload – 782621d1062a8fc7d626ceb68af314e5 (svchostc.py)
- [File] Adobe_017301.zip – MD5 e7b1fb0ef5dd20f4522945b902803f10 (Adobe_017301.zip)
- [File] 01cp.txt – AD data export result
- [File] netsupport – NetSupport RAT payload and related artifacts stored under C:\ProgramData\netsupport