In a recent wave of the spear-phishing campaign, the FIN7 cybercrime group employed Windows 11 Alpha-themed weaponized word documents to deliver a JavaScript payload with a JavaScript backdoor.
'Phishing Email Campaign' is the initial attack vector, posing as 'Windows 11 Alpha', it contains an infected Microsoft Word document (.doc). The virus is accompanied by this image which convinces a user to click on 'Enable Editing' and further advance towards the installation process. Once the user enables the content, the VBA macro that is contained in the image begins to come into effect.
VBA macro is populated with junk data such as comments, it is a common strategy employed by criminals to impede analysis. Once the junk data is being pulled out, all we would be left with is a 'VBA macro'. Upon further analyzing the JavaScript, researchers learned that it contained obfuscated strings along with a deobfuscation function.
Researchers have found that the threat actors behind the malicious campaign – upon detecting languages of certain countries including Russia, Slovenia, Serbia, Estonia, and Ukraine – call into action the 'me2XKr' function to delete all the tables and then stops running. They do so in order to prevent execution in the aforementioned countries.
Primarily targeting the U.S.-based telecommunications, education, retail, finance, and hospitality sectors via meticulously crafted attacks, FIN7 has managed to stay ahead of law enforcement by employing novel and advanced techniques to thwart detection from time and again. The threat group, also identified by some as "Carbanak Group", has increasingly diversified its monetization tactics which allowed the gang to widen the impact of their compromise. As a result, the group acquired a competitive advantage and has targeted a wide range of industries. Although FIN7 is characterized by its mass payment card data theft, the ambitions of the threat group are not limited to the theft of payment card data. In scenarios where end-to-end encryption (E2EE) prevented the attackers to obtain card data, they turned to attack the finance departments of the targeted organizations.
In an analysis dated 02 September 2021, Anomali Threat Research said, "The specified targeting of the Clearmind domain fits well with FIN7's preferred modus operandi." "The group's goal appears to have been to deliver a variation of a JavaScript backdoor used by FIN7 since at least 2018."
