Researchers detail a wave of spear-phishing campaigns that used weaponized Windows 11 Alpha-themed Word documents targeting a US point-of-sale provider, Clearmind. The documents contained Visual Basic macros that dropped malicious payloads, including a JavaScript implant.
Researchers from cybersecurity firm Anomali say with “moderate confidence” the attacks were carried out by a hacker known as FIN7, an Eastern European financially motivated threat actor.
“The specified targeting of the Clearmind domain fits well with FIN7’s preferred modus operandi,” Anomali Threat Research said in a technical analysis published on September 2. “The group’s goal appears to have been to deliver a variation of a JavaScript backdoor used by FIN7 since at least 2018.”
FIN7, which has been active since 2015, specializes in financial exploitation, has a history of targeting restaurant, gambling, and hospitality establishments in the US to steal and later sell sensitive information, such as credit and debit card details.
FIN7 has also been associated with Carbanak, which is a group that mainly focuses on banking institutions.
The latest attack from Anomali uses a Microsoft Word maldoc that’s sent to a recipient with a fake image that’s purported to be made on “Windows 11 Alpha”. It then asks the recipient to enable macros that perform a series of actions, which include retrieving a JavaScript payload. The payload has similar functionality with other backdoors used by FIN7.
Besides trying to prevent detection by populating the code with junk data, this script also tries to terminate itself if it detects virtualized environments. It can also terminate itself upon detecting Russian, Ukrainian, or several other Eastern European languages on the system.
The attribution to FIN7 is based on the overlaps in techniques and victimology used by the attackers.
“FIN7 is one of the most notorious financially motivated groups due to the large amounts of sensitive data they have stolen through numerous techniques and attack surfaces,” the researchers said. “Things have been turbulent for the threat group over the past few years as with success and notoriety comes the ever-watchful eye of the authorities. Despite high-profile arrests and sentencing, including alleged higher-ranking members, the group continues to be as active as ever.”