Jump to content
  • Watch out for new malware campaign’s 'Windows 11 Alpha' attachment


    Karlston

    • 825 views
    • 4 minutes
     Share


    • 825 views
    • 4 minutes

    Relying on a simple recipe that has proved successful time and time again, threat actors have deployed a malware campaign recently that used a Windows 11 theme to lure recipients into activating malicious code placed inside Microsoft Word documents.

     

    Security researchers believe that the adversary behind the campaign may be the FIN7 cybercrime group, also known as Carbanak and Navigator, that specializes in stealing payment card data.

    Tried and tested method

    The adversary took advantage of the buzz created around the details for Microsoft’s development of its next operating system release, which started in early June.

     

    Cybercriminals laced Microsoft Word documents with macro code that ultimately downloads a JavaScript backdoor that lets the attacker deliver any payload they want.

     

    Researchers at cybersecurity company Anomali analyzed six such documents and say that the delivered backdoor appears to be a variation of a payload commonly used by the FIN7 group since at least 2018.

     

    The names used in the campaign seem to indicate that the activity may have occurred between late June and late July, a period immediate to when news about Windows 11 started to emerge on a more regular basis.

     

    It is unclear how the malicious files were delivered but phishing email is typically how it happens. Opening the document shows Windows 11 imagery with text designed to trick the recipient into enabling macro content.

     

    Windows-11-Themed-Maldoc_Anomali.png

     

    The claim that the document was generated with a newer operating system may make some users believe that there is a compatibility issue that prevents accessing the content and that following the instructions eliminate the problem.

     

    If the user acts on the indication, they activate and execute the malicious VBA macro that the threat actor planted inside the document.

     

    The code is obfuscated to hinder analysis but there are ways to clean it of the surplus and leave only the relevant strings.

     

    VBA-Macro-without-Junk-Data_Anomali.png

    unobfuscated macro

    Anomali researchers found that the included VBScript relies on some values encoded inside a hidden table in the document to perform language checks on the infected computer.

     

    Detecting a specific language (Russian, Ukrainian, Moldovan, Sorbian, Slovak, Slovenian, Estonian, Serbian) puts a stop to the malicious activity and deletes the table with encoded values.

     

    The code also looks for the domain CLEARMIND, which Anomali researchers say appears to refer to a point-of-sale (PoS) provider.

     

    Other checks that the code makes include:

     

    • Reg Key language preference for Russian
    • Virtual machine - VMWare, VirtualBox, innotek, QEMU, Oracle, Hyper and Parallels (if a VM is detected the script is killed)
    • Available memory (stops if there is less than 4GB)
    • Check for RootDSE via LDAP

     

    “If the checks are satisfactory, the script proceeds to the function where a JavaScript file called word_data.js is dropped to the TEMP folder” - Anomali

    FIN7 indications

    The JavaScript is heavily obfuscated and cleaning it up reveals a backdoor that resembles other backdoors connected to the FIN7 cybercrime group, Anomali researchers say.

     

    There is moderate confidence for the attribution, which is based on the following factors:

     

    • Targeting of a POS provider aligns with previous FIN7 activity
    • The use of decoy doc files with VBA macros also aligns with previous FIN7 activity
    • FIN7 have used Javascript backdoors historically
    • Infection stops after detecting Russian, Ukrainian, or several other Eastern European languages
    • Password protected document
    • Tool mark from Javascript file "group=doc700&rt=0&secret=7Gjuyf39Tut383w&time=120000&uid=" follows similar pattern to previous FIN7 campaigns

     

    FIN7 has been around since at least 2013 but became known on a larger scale since 2015. Some of its members got arrested and sentenced but attacks and malware continued to be attributed to the group even beyond 2018 when several of its members got arrested [1, 2].

     

    The attackers focused on stealing payment card data belonging to customers of various businesses. Their activity in the U.S. caused above $1 billion in losses from stealing over 20 million card records processed by more than 6,500 point-of-sale terminals at around 3,600 separate business locations.

     

    Among the companies that FIN7 hit are Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin, and Jason’s Deli.

     

     

    Watch out for new malware campaign’s 'Windows 11 Alpha' attachment


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...