← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
FIN7 Uses Trusted Brands and Sponsored Google Ads to Distribute MSIX Payloads
In April 2024, eSentire’s Threat Response Unit (TRU) observed multiple incidents involving FIN7, a financially motivated threat group based in Russia that has been active since 2013. The threat actors used malicious websites to impersonate well-known brands, including AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet.
Indicators of Compromise (61)
| TYPE | INDICATOR | DESCRIPTION | CREATED | |
|---|---|---|---|---|
| domain | eprst431.boo | — | 2024-05-13 | |
| FileHash-MD5 | 0740803404a58d9c1c1f4bd9edaf4186 | — | 2024-05-13 | |
| FileHash-MD5 | 782621d1062a8fc7d626ceb68af314e5 | — | 2024-05-13 | |
| FileHash-MD5 | b6f12d39edbfe3b33952be4329064b35 | — | 2024-05-13 | |
| FileHash-MD5 | bb0a503a83b1f9833c3d3d08784b78a8 | — | 2024-05-13 | |
| FileHash-MD5 | e7b1fb0ef5dd20f4522945b902803f10 | — | 2024-05-13 | |
| FileHash-SHA1 | 2e810b7759dd5e2de257f0fbaaecb8d6715a4d87 | SHA1 of 0740803404a58d9c1c1f4bd9edaf4186 | 2024-05-13 | |
| FileHash-SHA1 | 5e1eac3596e5a1902d799b687d6009c1f3da0466 | SHA1 of b6f12d39edbfe3b33952be4329064b35 | 2024-05-13 | |
| FileHash-SHA256 | 164a74c996769c9cfc99715e881dca9ca042a05f1d655afebe7ff74dbedf415d | SHA256 of b6f12d39edbfe3b33952be4329064b35 | 2024-05-13 | |
| FileHash-SHA256 | c25ac229d67cc99f5d166287984d80f488cf23c801fbda0bd437d75c36108329 | SHA256 of 0740803404a58d9c1c1f4bd9edaf4186 | 2024-05-13 | |
| URL | http://193.124.24.51:443 | — | 2024-05-13 | |
| URL | http://38.135.52.151:273 | — | 2024-05-13 | |
| domain | 7-zip.cfd | — | 2024-05-13 | |
| domain | advanced-ip-scanner.link | — | 2024-05-13 | |
| domain | advancedipscannerapp.com | — | 2024-05-13 | |
| domain | aimp.day | — | 2024-05-13 | |
| domain | asana.pm | — | 2024-05-13 | |
| domain | asana.tel | — | 2024-05-13 | |
| domain | asana.wf | — | 2024-05-13 | |
| domain | autodesk.pm | — | 2024-05-13 | |
| domain | blackrock.re | — | 2024-05-13 | |
| domain | blackrock.wf | — | 2024-05-13 | |
| domain | cdn1124.net | — | 2024-05-13 | |
| domain | cdn1701.com | — | 2024-05-13 | |
| domain | cdn25.space | — | 2024-05-13 | |
| domain | cdn27.space | — | 2024-05-13 | |
| domain | cdn30.space | — | 2024-05-13 | |
| domain | cdn31.space | — | 2024-05-13 | |
| domain | cdn32.space | — | 2024-05-13 | |
| domain | cdn33.space | — | 2024-05-13 | |
| domain | cdn34.space | — | 2024-05-13 | |
| domain | cdn35.space | — | 2024-05-13 | |
| domain | cdn36.space | — | 2024-05-13 | |
| domain | cdn37.space | — | 2024-05-13 | |
| domain | cdn38.space | — | 2024-05-13 | |
| domain | cdn40.click | — | 2024-05-13 | |
| domain | cdn41.space | — | 2024-05-13 | |
| domain | cdn42.space | — | 2024-05-13 | |
| domain | cdn43.space | — | 2024-05-13 | |
| domain | cdn45.space | — | 2024-05-13 | |
| domain | cdn46.space | — | 2024-05-13 | |
| domain | concur.pm | — | 2024-05-13 | |
| domain | concur.re | — | 2024-05-13 | |
| domain | concur.skin | — | 2024-05-13 | |
| domain | investing.wf | — | 2024-05-13 | |
| domain | lexisnexis.day | — | 2024-05-13 | |
| domain | meet-go.click | — | 2024-05-13 | |
| domain | pgadmin.link | — | 2024-05-13 | |
| domain | quicken-install.com | — | 2024-05-13 | |
| domain | sapconcur.pro | — | 2024-05-13 | |
| domain | vkontakte.in | — | 2024-05-13 | |
| domain | wall-street-journal.link | — | 2024-05-13 | |
| domain | webex-install.com | — | 2024-05-13 | |
| domain | winscp-install.com | — | 2024-05-13 | |
| domain | workday.pm | — | 2024-05-13 | |
| hostname | www.any-connectcisco.com | — | 2024-05-13 | |
| domain | wsj.pm | — | 2024-05-13 | |
| domain | wsj.re | — | 2024-05-13 | |
| domain | wsj.wales | — | 2024-05-13 | |
| domain | wsj.wf | — | 2024-05-13 | |
| hostname | workable.uk.com | — | 2024-05-13 |