Windows 11 is already making headlines as a lure for attackers. FIN7, a well-known hacking group, has reportedly been using Windows 11 themes in an attempt to trick recipients in a recent phishing campaign targeting a PoS (point-of-sale) company.
Windows 11 Used as a Lure in FIN7 Phishing Attacks
“Anomali Threat Research conducted analysis on malicious Microsoft Word document (.doc) files themed after Windows 11 Alpha and assess with moderate confidence that these Word documents were part of a campaign conducted by the threat group FIN7,” according to a recently released threat report.
In the attack, threat actors exploited the hype surrounding Microsoft’s next edition of Windows. Victims were targeted with Windows 11-themed malicious Word documents.
According to Anomali’s report, the infection chain was initiated by a Microsoft Word document (.doc) containing a decoy image claiming to have been made with the help of Windows 11 Alpha. The image asked the potential victim to enable editing and enable content in order to proceed to the next stage of activity. After analyzing the file, the researchers discovered a VBA macro populated with junk data in the form of comments; junk data is commonly used to impede analysis. Once this data was removed, the actual VBA macro was revealed.
The attack chain’s purpose is to drop a JavaScript backdoor on the compromised system. Here’s what the researchers compiled as the most crucial elements of the attack:
- Targeting of a POS provider aligns with previous FIN7 activity;
- The use of decoy doc files with VBA macros also aligns with previous FIN7 activity;
- FIN7 has used JavaScript backdoors historically;
- Infection stops after detecting Russian, Ukrainian, or several other Eastern European languages;
- Password protected document;
- Tool mark from the JavaScript file, “group=doc700&rt=0&secret=7Gjuyf39Tut383w&time=120000&uid=”, follows a similar pattern to previous FIN7 campaigns.
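The two analyst steps described above, removing the junk comment lines to expose the real macro and checking for the tool-mark string, can be turned into a simple triage check. The following is an added example, not code from the article or from Anomali; the sample macro is constructed, and the tool-mark match is on the key structure rather than the campaign-specific secret value:

```python
import re
from dataclasses import dataclass, field

# Full-line VBA comments: an apostrophe or the Rem keyword after optional indent.
COMMENT_RE = re.compile(r"^\s*(?:'|Rem\b)", re.IGNORECASE)
# Shape of the tool mark quoted in the report; the secret is campaign-specific,
# so the key structure is matched rather than the literal value.
TOOL_MARK_RE = re.compile(r"group=doc\d+&rt=\d+&secret=[A-Za-z0-9]+&time=\d+&uid=")

@dataclass
class MacroTriage:
    total_lines: int          # non-blank lines in the macro
    comment_lines: int        # of those, full-line comments (junk candidates)
    code: str                 # macro with comment lines removed
    tool_mark_hits: list = field(default_factory=list)

    @property
    def junk_ratio(self) -> float:
        return self.comment_lines / self.total_lines if self.total_lines else 0.0

    @property
    def suspicious(self) -> bool:
        # Heavily comment-padded macro, or the FIN7-style tool mark present.
        return self.junk_ratio > 0.5 or bool(self.tool_mark_hits)

def triage_macro(macro_src: str) -> MacroTriage:
    kept, total, comments = [], 0, 0
    for line in macro_src.splitlines():
        if not line.strip():
            continue
        total += 1
        if COMMENT_RE.match(line):
            comments += 1        # drop the junk, as the analysts did
            continue
        kept.append(line)
    code = "\n".join(kept)
    return MacroTriage(total, comments, code, TOOL_MARK_RE.findall(code))

# Constructed sample (hypothetical macro body): junk comment padding around a
# string constant carrying the tool mark quoted in the report.
SAMPLE_MACRO = """' 3f9a c1d2 8b77 filler bytes to bloat the file
' qwe rty uio filler
Sub AutoOpen()
' filler between statements
    Dim s As String
' filler
    s = "group=doc700&rt=0&secret=7Gjuyf39Tut383w&time=120000&uid="
' filler
End Sub
"""
```

Only full-line comments are stripped; a trailing comment after a statement is left in place so that no code is lost.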
More about the FIN7 Cybercrime Group
FIN7, also known as Carbon Spider, Anunak, and Carbanak, is an Eastern European threat group that has been active since at least 2015. The group’s primary interest is US-based companies across various industries; however, it has been operating on a global scale, Anomali noted.
In short, FIN7 is considered one of the most dangerous cybercriminal organizations in the world, credited with the theft of more than 15 million payment card records, costing organizations one billion US dollars in losses.
“In the US alone, the group has targeted over 100 companies and compromised the networks of organizations in 47 states and the District of Columbia. While FIN7’s primary objective is to directly steal financial information, such as credit and debit card data, they will also steal sensitive information to sell on underground marketplaces,” the report revealed.
Law enforcement around the world has been trying to capture the group, including the arrest of three members in August 2018. However, despite these efforts and media attention, the group continues to operate.
Companies previously affected by the criminal organization include brands such as Forbes Energy Services and Gyrodata. Security researchers believe that the recent DarkSide ransomware attack against Colonial Pipeline was orchestrated by FIN7, as was the ransomware itself. It is noteworthy that the organization’s high-level manager and system administrator was recently sentenced to 10 years in prison in the United States.