Fin7 uses Windows 11 themed documents in a spear-phishing campaign

Criminals achieve their goal of delivering a Java Script backdoor variant

Recent spear-phishing campaign weaponized documentsWindows 11 Alpha-themed documents drop a malicious payload of JavaScript implant.

Windows 11 Alpha-themed Word documents with Visual Basic macros dropped malicious payloads, like JavaScript implant, against a point-of-sale (PoS) service provider located in the U.S. This situation adds up to many spear-phishing campaigns of recent times. Attacks occurred between late June to late July 2021 and are attributed to a financially motivated threat actor named FIN7.[1]

Hackers specifically target the Clearmind domain, and that points out the work done by FIN7. Researchers state that threat actors' goal is to deliver a variation of a JavaScript backdoor used by FIN7 since at least 2018. FIN7 is one of the most notorious financially motivated groups due to the large amounts of sensitive data they have stolen through numerous techniques and attack surfaces.[2]

The infection chain began with a Microsoft Word document (.doc) containing a decoy image claiming to have been made with Windows 11 Alpha. The image asks the user to Enable Editing and Enable Content to begin the next stage of activity. However, that is not all the threat. The VB script also checks if it is managing underneath a virtualized natural environment such as VirtualBox and VMWare, and if so, it terminates itself, stopping the infection chain upon detecting Russian, Ukrainian, or another similar language.

FIN7 is a notorious cybergang, often targeting businesses

FIN7 is a widely known group of threat actors. Their goals seem to be financially motivated, and they usually target U.S. retail, restaurant, and hospitality sectors, using point of sale malware. The group is active since at least mid-2015. Their hacks and crimes have also been tied to another cybercrime group called Carbanak. However, while FIN7 focuses on the hospitality and retail sectors, Carbanak has singled out banking institutions.[3]

Both groups use spear-phishing campaigns with attachments that are embedded with exploits as an entry point to the target system. However, with FIN7, the most dangerous thing is the fact that the group seems to be capable of switching up its methods daily—and of rotating its targets at opportune times, shifting from banking to hotels to restaurants with ease.[4]

Even though groups attacks are usually highly successful, they face problems due to officials' interests in their activities in recent times. Things have been turbulent for the threat group as few high-profile arrests have been made, and some of the gangs' members were sentenced to a seven-year term for their role in the cybercriminal group and have been ordered to pay $2.5 million in restitution.[5]

Criminals get more malicious tools and use advanced tactics

In recent years we saw several high-level hacks that threatened the security of major global companies, national safety and put millions of people in a difficult position with stolen data and other leaks. It was proved that personal or business device hacking could cause long-duration damage to national-level infrastructures and private activities, which could overall cause panic within society.[6]

The large worldwide population of hackers and threat groups poses a relatively high threat of an isolated or brief disruption causing serious damage, including extensive property damage, loss of finances and personal data, and in certain instances, even loss of life. As the hacker population grows, so does the likelihood of an exceptionally skilled and malicious hacker attempting and succeeding in such an attack. Hence, further security and alertness are a must.

About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions