FIN7 Exploits Legitimate Brands via Malicious Google Ads: NetSupport RAT Delivery
By: Austin Ukpebor - May 11, 2024 at 23:45:30
eSentire's Threat Response Unit (TRU) has uncovered a series of incidents involving the notorious Russian threat group FIN7. The financially motivated group is using malicious Google ads (malvertising) to deliver NetSupport RAT.
In April 2024, FIN7 set up malicious websites impersonating well-known brands, including AnyDesk, WinSCP, and Google Meet. These lookalike sites were the delivery point: visitors who took the bait received malware, including NetSupport RAT and DiceLoader.
Victims reached the sites through sponsored Google Ads and were prompted to download what appeared to be a legitimate browser extension. The download was in fact an MSIX installer, signed with code-signing certificates issued to entities named "SOFTWARE SP Z O O" and "SOFTWARE BYTES LTD". A valid signature meant Windows raised no unknown-publisher warning, and users who ran the installer executed the malicious code on their systems.
eSentire reported the signing certificates to the issuing CA, GlobalSign, and they have since been revoked. Revocation stops further installs that rely on these specific certificates, but it does not help a host that has already run the installer, and the actor can obtain fresh certificates under another company name.
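One static check a responder can run on a suspected MSIX lure before anyone installs it: an MSIX is a ZIP container whose AppxManifest.xml carries an Identity/Publisher string that Windows requires to match the subject of the signing certificate exactly, so the publisher in the manifest is the identity the OS would trust. The example below is added here and is not code from eSentire's report or from the actor; it builds a minimal, unsigned, manifest-only sample package in memory (constructed for the demonstration, not the real lure; the package name "MeetGo" and the publisher strings are assumptions) and flags packages whose publisher CN or O matches the two signer names reported above.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Organisation names on the signing certificates reported in the campaign.
SUSPICIOUS_PUBLISHERS = {"SOFTWARE SP Z O O", "SOFTWARE BYTES LTD"}

# Namespace of the AppxManifest.xml root element in Windows 10+ packages.
APPX_NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"


def parse_rdns(subject: str) -> dict:
    """Split an X.500 subject such as 'CN=Foo, O=Foo' into {type: value}.
    Splits only on commas that start a new 'TYPE=' pair, so a comma inside
    a value (e.g. 'O=Foo, Inc.') does not break the parse."""
    rdns = {}
    for part in re.split(r",\s*(?=[A-Za-z]+=)", subject):
        if "=" in part:
            key, value = part.split("=", 1)
            rdns[key.strip().upper()] = value.strip()
    return rdns


def read_publisher(msix_bytes: bytes) -> str:
    """Return the Identity/Publisher attribute from the package manifest
    without installing or executing anything."""
    with zipfile.ZipFile(io.BytesIO(msix_bytes)) as package:
        manifest = package.read("AppxManifest.xml")
    identity = ET.fromstring(manifest).find(f"{APPX_NS}Identity")
    if identity is None:
        raise ValueError("AppxManifest.xml has no Identity element")
    return identity.attrib["Publisher"]


def is_suspicious(msix_bytes: bytes) -> bool:
    """True when the publisher CN or O matches a reported signer name."""
    rdns = parse_rdns(read_publisher(msix_bytes))
    names = {rdns.get("CN", "").upper(), rdns.get("O", "").upper()}
    return bool(names & SUSPICIOUS_PUBLISHERS)


def build_sample_msix(publisher: str) -> bytes:
    """Constructed, unsigned, manifest-only package used as demo input.
    The package name 'MeetGo' mirrors the lure described in the report."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">\n'
        f'  <Identity Name="MeetGo" Publisher="{publisher}" '
        'Version="1.0.0.0" ProcessorArchitecture="x64"/>\n'
        '</Package>\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("AppxManifest.xml", manifest)
    return buf.getvalue()


if __name__ == "__main__":
    for publisher in ("CN=SOFTWARE SP Z O O, O=SOFTWARE SP Z O O",
                      "CN=Contoso Ltd, O=Contoso Ltd"):
        sample = build_sample_msix(publisher)
        print(publisher, "->", "SUSPICIOUS" if is_suspicious(sample) else "ok")
```

This reads the manifest only and does not validate the Authenticode signature; pair it with signtool verify /pa or PowerShell's Get-AuthenticodeSignature for that. Matching on the two names catches reuse of these identities, but the actor can re-sign under a new company, so the stronger policy is to alert on any MSIX whose publisher is not on an allowlist.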
In a separate incident, a user ran a fake "MeetGo" MSIX installer, which deployed NetSupport RAT. The threat actor then used csvde.exe, the Active Directory CSV export utility, to extract directory data, and downloaded an archive named "Adobe_017301.zip". The archive contained svchostc.exe, a renamed copy of the Python interpreter (python.exe), and a script, svchostc.py, likely intended for further malicious actions.