FIN7 actively exploits malvertising in recent malware campaigns

Father

Standard security tools struggle to keep up with the intruders' evolving tactics.

eSentire has reported a new wave of attacks by the hacker group FIN7, which impersonated well-known brands to spread malware. The targets were users who clicked fake Google ads leading to web pages that mimic legitimate sites.

According to the report, the FIN7 group, also known as Carbon Spider and Sangria Tempest and active since 2013, initially targeted retail outlets to steal payment-card data and later moved on to ransomware attacks. The group has used a number of custom malware families, including BIRDWATCH and Carbanak.

In recent months, FIN7 has adopted "malvertising": fake ads lure victims into downloading malicious MSIX installers. These installers run PowerShell scripts that ultimately deploy NetSupport RAT, giving the attackers remote access to and control of the infected hosts.

Microsoft has noted that abuse of the ms-appinstaller protocol handler, which lets a web page trigger an MSIX installation directly, makes it easier to bypass protections such as Microsoft Defender SmartScreen; the company has therefore disabled that protocol handler by default.

In April 2024, according to eSentire, the fake sites prompted victims to download a bogus browser extension, another route for collecting information about the system and then fetching malware.

eSentire experts also observed NetSupport RAT being used to install further malware, including DICELOADER. These findings are consistent with reports from Malwarebytes, which describe attacks on corporate users lured by ads impersonating high-profile brands.

In parallel with the news about the FIN7 malvertising campaign, a separate campaign was disclosed that targets Windows and Microsoft Office users, distributing RATs and cryptocurrency miners through cracked copies of popular programs.

Symantec reports that the malware installed this way creates scheduled tasks that relaunch its components, so it persists even after its files are removed. This creates additional risks for corporate security.
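The two persistence and delivery patterns described above (a script host launched from an MSIX package context, and a scheduled task whose action is a script host) are the kind of thing a detection engineer would hunt for in process-creation telemetry. The following is an added example, not code from eSentire, Symantec, Malwarebytes or the original post: it runs three simple rules over constructed Sysmon-style process-creation events. The package names, PIDs and paths in the sample log are made up; the rule that treats a parent under `C:\Program Files\WindowsApps\` or `AppInstaller.exe` as "MSIX context", and the list of user-writable path fragments, are this example's own assumptions. `client32.exe` is the NetSupport Manager client binary name.

```python
"""Hunt for MSIX-to-PowerShell chains, schtasks persistence and NetSupport
clients in user-writable paths. Added example; sample events are constructed."""
import json
import ntpath
from typing import Dict, Iterator, List, Optional

# Constructed Sysmon Event ID 1-style records (one JSON object per line).
# JSON requires backslashes in Windows paths to be doubled.
SAMPLE_LOG = r"""
{"pid": 300, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"pid": 400, "ppid": 300, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "cmdline": "chrome.exe --profile-directory=Default"}
{"pid": 900, "ppid": 1, "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k DcomLaunch"}
{"pid": 1200, "ppid": 900, "image": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_x64__8wekyb3d8bbwe\\AppInstaller.exe", "cmdline": "AppInstaller.exe -Embedding"}
{"pid": 1300, "ppid": 1200, "image": "C:\\Program Files\\WindowsApps\\Contoso.BrandedApp_1.0.0.0_x64__abcdef0123456\\PsfLauncher64.exe", "cmdline": "PsfLauncher64.exe"}
{"pid": 1400, "ppid": 1300, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\\Program Files\\WindowsApps\\Contoso.BrandedApp_1.0.0.0_x64__abcdef0123456\\setup.ps1"}
{"pid": 1500, "ppid": 1400, "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks.exe /create /tn Updater /sc minute /mo 30 /tr \"powershell.exe -w hidden -ep bypass -f C:\\Users\\alice\\AppData\\Local\\Temp\\upd.ps1\""}
{"pid": 1600, "ppid": 1400, "image": "C:\\Users\\alice\\AppData\\Roaming\\NetSupport\\client32.exe", "cmdline": "client32.exe"}
{"pid": 600, "ppid": 1, "image": "C:\\Windows\\System32\\msiexec.exe", "cmdline": "msiexec.exe /i vendor.msi"}
{"pid": 700, "ppid": 600, "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks.exe /create /tn VendorBackup /sc daily /tr \"C:\\Program Files\\Vendor\\backup.exe\""}
{"pid": 800, "ppid": 300, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"}
""".strip()

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
MSIX_HOSTS = {"appinstaller.exe"}                 # Desktop App Installer (assumption: treat as MSIX context)
WINDOWSAPPS = "\\program files\\windowsapps\\"    # where MSIX packages are deployed
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")  # assumption
RAT_CLIENTS = {"client32.exe"}                    # NetSupport Manager client binary


def parse_events(log: str) -> List[Dict]:
    return [json.loads(line) for line in log.splitlines() if line.strip()]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def ancestors(ev: Dict, by_pid: Dict[int, Dict]) -> Iterator[Dict]:
    """Walk parent -> grandparent -> ... until the chain leaves the log (loop-safe)."""
    seen = set()
    cur = by_pid.get(ev["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield cur
        cur = by_pid.get(cur["ppid"])


def rule_msix_launch_chain(ev: Dict, by_pid: Dict[int, Dict]) -> Optional[str]:
    """Script host whose ancestry passes through AppInstaller or a WindowsApps package."""
    if basename(ev["image"]) not in SHELLS:
        return None
    for anc in ancestors(ev, by_pid):
        img = anc["image"].lower()
        if basename(img) in MSIX_HOSTS or WINDOWSAPPS in img:
            return f"script host launched under MSIX package context via {basename(img)}"
    return None


def rule_schtasks_persistence(ev: Dict) -> Optional[str]:
    """schtasks /create whose /tr action runs a script host (typical re-launch persistence)."""
    if basename(ev["image"]) != "schtasks.exe":
        return None
    cmd = ev["cmdline"].lower()
    if "/create" not in cmd:
        return None
    action = cmd.split("/tr", 1)[1] if "/tr" in cmd else ""
    if any(shell in action for shell in SHELLS):
        return "scheduled task created whose action is a script host"
    return None


def rule_rat_from_user_path(ev: Dict) -> Optional[str]:
    """NetSupport client running from a user-writable location rather than Program Files."""
    img = ev["image"].lower()
    if basename(img) in RAT_CLIENTS and any(frag in img for frag in USER_WRITABLE):
        return "NetSupport client running from a user-writable path"
    return None


def hunt(log: str) -> List[Dict]:
    events = parse_events(log)
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        checks = (
            ("msix_launch_chain", rule_msix_launch_chain(ev, by_pid)),
            ("schtasks_persistence", rule_schtasks_persistence(ev)),
            ("rat_from_user_path", rule_rat_from_user_path(ev)),
        )
        for rule, reason in checks:
            if reason:
                alerts.append({"rule": rule, "pid": ev["pid"], "image": basename(ev["image"]), "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(alert)
```

The benign records (PowerShell started from Explorer, a vendor task whose action is a plain executable) produce no alerts; only the installer-spawned PowerShell, the task re-launching PowerShell from Temp, and the NetSupport client under AppData are flagged. In production the WindowsApps rule needs an allow-list for packages that legitimately run scripts, and the path rule should be paired with a check on the binary's signer.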
 