Security News > 2021 > September > FIN7 Hackers Using Windows 11 Themed Documents to Drop Javascript Backdoor
A recent wave of spear-phishing campaigns leveraged weaponized Windows 11 Alpha-themed Word documents with Visual Basic macros to drop malicious payloads, including a JavaScript implant, against a point-of-sale service provider located in the U.S. The attacks, which are believed to have taken place between late June to late July 2021, have been attributed with "Moderate confidence" to a financially motivated threat actor dubbed FIN7, according to researchers from cybersecurity firm Anomali.
"The group's goal appears to have been to deliver a variation of a JavaScript backdoor used by FIN7 since at least 2018.".
An Eastern European group active since at least mid-2015, FIN7 has a checkered history of targeting restaurant, gambling, and hospitality industries in the U.S. to plunder financial information such as credit and debit card numbers that were then used or sold for profit on underground marketplaces.
Although multiple members of the collective have been imprisoned for their roles in different campaigns since the start of the year, FIN7's activities have also been tied to another group called Carbanak, given its similar TTPs, with the main distinction being that while FIN7 focuses on hospitality and retail sectors, Carbanak has singled out banking institutions.
In the latest attack observed by Anomali, the infection commences with a Microsoft Word maldoc containing a decoy image that's purported to have been "Made on Windows 11 Alpha," urging the recipient to enable macros to trigger the next stage of activity, which involves executing a heavily-obfuscated VBA macro to retrieve a JavaScript payload, which has been found to share similar functionality with other backdoors used by FIN7.
The backdoor's attribution to FIN7 stems from overlaps in the victimology and techniques adopted by the threat actor, including the use of a JavaScript-based payload to plunder valuable information.