In a concerning development for cybersecurity, a series of spear-phishing attacks has emerged that uses weaponized Microsoft Word documents themed around Windows 11 Alpha. Researchers at the security firm Anomali report that the campaign used Visual Basic (VBA) macros to deploy malicious payloads, including a JavaScript implant, against a point-of-sale (PoS) service provider in the United States.

The timeframe for these attacks is believed to span from late June to late July 2021, with moderate confidence linking them to the financially motivated cybercriminal group known as FIN7. Anomali’s technical analysis, published on September 2, highlighted that the targeting of the Clearmind domain aligns closely with FIN7’s established operational patterns. The objective appears to be the delivery of a variation of a JavaScript backdoor that the group has used since at least 2018.

FIN7 has been active since mid-2015 and has gained notoriety for its focus on the restaurant, gambling, and hospitality sectors within the U.S., where it has stolen sensitive financial information, including credit and debit card numbers. This stolen data is then exploited or sold on underground marketplaces. Despite several arrests of its members earlier this year, the group’s activities have not diminished and continue to evolve.

The mechanics of this recent attack start with a deceptive Microsoft Word document that shows a decoy image claiming the file was “made on Windows 11 Alpha.” The document prompts the user to enable macros, which triggers a heavily obfuscated VBA macro. The macro retrieves a JavaScript payload that resembles backdoors previously associated with FIN7, indicating continued reuse of the same tooling. Notably, the malware employs several obfuscation strategies to hinder analysis by researchers and investigators.
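The delivery vehicle described above is a macro-carrying Word document, so a basic defensive triage step is to tell, before any human opens an attachment, whether it even carries a VBA project. The following is an added example written for this page, not code from Anomali or from the campaign analysis. It relies on two facts about Office file formats: macro-enabled OOXML documents (.docm and similar) are ZIP containers that include a `word/vbaProject.bin` part, and legacy binary Office files (.doc) are OLE compound files that begin with the magic bytes `D0 CF 11 E0 A1 B1 1A E1`. The sample documents are constructed in memory with placeholder contents; the function and category names are this example's own.

```python
import io
import zipfile

# Signature of an OLE compound file (legacy .doc/.xls). Macros in these
# are embedded in OLE streams rather than a single ZIP part, so this
# example only flags them for deeper inspection.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML container, optionally with a VBA part.

    The part contents are placeholders; Word would not open this file, but the
    container layout is what the classifier inspects.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real macro-enabled documents store the VBA project here.
            z.writestr("word/vbaProject.bin", b"\x00constructed placeholder")
    return buf.getvalue()


def classify_office_file(data: bytes) -> str:
    """Classify raw file bytes as one of:

    'ooxml-macro'  - ZIP-based Office file that carries a VBA project part
    'ooxml-clean'  - ZIP-based Office file without a VBA project part
    'ole-legacy'   - binary OLE Office file; needs OLE stream analysis
    'unknown'      - not an Office container this example understands
    """
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"
    if not data.startswith(b"PK"):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            # Lower-case the part names so odd casing cannot slip past the check.
            names = {name.lower() for name in z.namelist()}
    except zipfile.BadZipFile:
        return "unknown"
    if any(name.endswith("vbaproject.bin") for name in names):
        return "ooxml-macro"
    return "ooxml-clean"


if __name__ == "__main__":
    for label, blob in (
        ("macro docx", build_sample_docx(True)),
        ("plain docx", build_sample_docx(False)),
        ("legacy doc", OLE_MAGIC + b"\x00" * 16),
        ("text file", b"just text"),
    ):
        print(f"{label:>10}: {classify_office_file(blob)}")
```

A mail gateway or SOC triage script would route anything classified `ooxml-macro` or `ole-legacy` to sandboxing or manual review rather than to the user's inbox; the extension of the attachment is deliberately ignored, since it is attacker-controlled.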

The tactics and techniques used in this attack can be mapped to the MITRE ATT&CK framework. Initial access is achieved through the distribution of malicious documents. The VBA macro, which the group likely relied on for persistence, is what executes the JavaScript payload. The script’s checks for virtualized environments show a deliberate effort to evade sandbox analysis and detection.
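Because the chain runs from a Word document through a VBA macro to a JavaScript payload, the most reliable host-side signal is process lineage: an Office application should almost never be the parent of a script host. The following detection logic is an added example, not part of Anomali's report or of any vendor product. It assumes process-creation telemetry in the form of parent image, child image and command line (as EDR or Sysmon-style events provide), and runs over a few constructed events. Which interpreter launched the JavaScript payload in this campaign is not stated on the page; `wscript.exe` in the sample is an assumption for illustration, and the ATT&CK technique IDs are the framework's well-known identifiers, not values taken from the page.

```python
# Office applications that are plausible phishing lures.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Script hosts and LOLBins that a macro would typically hand a payload to.
SCRIPT_HOSTS = {
    "wscript.exe", "cscript.exe", "mshta.exe",
    "powershell.exe", "cmd.exe", "rundll32.exe",
}

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {   # macro launching a JavaScript file via the Windows Script Host
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\System32\wscript.exe",
        "command_line": r'wscript.exe //E:jscript "C:\Users\alice\AppData\Local\Temp\update.js"',
    },
    {   # user simply opening Word from Explorer: benign
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "command_line": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docm"',
    },
    {   # macro dropping to a shell first
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r"cmd.exe /c start /min something",
    },
    {   # logon script run by Explorer: not matched by this rule
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\wscript.exe",
        "command_line": r"wscript.exe \\fileserver\netlogon\map_drives.vbs",
    },
]


def image_name(path: str) -> str:
    """Reduce a Windows image path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_office_script_spawn(events):
    """Return one alert per event where an Office app spawns a script host.

    Severity is raised when the child command line references a .js file,
    matching the JavaScript-implant delivery described for this campaign.
    """
    alerts = []
    for ev in events:
        parent = image_name(ev["parent_image"])
        child = image_name(ev["image"])
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            cmd = ev["command_line"].lower()
            alerts.append({
                "parent": parent,
                "child": child,
                "severity": "high" if ".js" in cmd else "medium",
                # T1566.001 spearphishing attachment, T1204.002 user execution
                # of a malicious file, T1059 command and scripting interpreter.
                "attack": ["T1566.001", "T1204.002", "T1059"],
                "command_line": ev["command_line"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_office_script_spawn(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['parent']} -> {alert['child']}: "
              f"{alert['command_line']}")
```

Tuning note: the rule intentionally keys on parent and child image names only, so it survives the payload obfuscation the article describes; the command-line check merely adjusts severity. Legitimate add-ins that spawn `cmd.exe` from Office do exist, so exclusions should be per signed binary and command line rather than by disabling the rule.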

In the latest observed incident, the backdoor protects itself by terminating when it runs in virtual environments such as VirtualBox or VMware. It also halts execution when it detects certain Eastern European languages, reflecting the group’s deliberate effort to avoid detection and analysis by potential investigators.

The alignment of this backdoor’s characteristics with FIN7’s established victimology and methodologies further corroborates this attribution. Researchers emphasize that FIN7 remains one of the most formidable threats in the financial cybercrime landscape, continuously leveraging diverse attack vectors to amass vast amounts of sensitive data amid ongoing scrutiny from law enforcement agencies.

The challenges for business owners in safeguarding their operations against such sophisticated threats underscore the importance of robust cybersecurity measures and employee training to recognize and respond to phishing attempts. As the threat landscape evolves, ongoing vigilance and adaptation in cybersecurity strategies remain crucial to defend against potential breaches.
