Security News > 2021 > September > FIN7 Hackers Using Windows 11 Themed Documents to Drop Javascript Backdoor
A recent wave of spear-phishing campaigns leveraged weaponized Windows 11 Alpha-themed Word documents with Visual Basic macros to drop malicious payloads, including a JavaScript implant, against a point-of-sale service provider located in the U.S. The attacks, which are believed to have taken place between late June to late July 2021, have been attributed with "Moderate confidence" to a financially motivated threat actor dubbed FIN7, according to researchers from cybersecurity firm Anomali.
"The group's goal appears to have been to deliver a variation of a JavaScript backdoor used by FIN7 since at least 2018.".
An Eastern European group active since at least mid-2015, FIN7 has a checkered history of targeting restaurant, gambling, and hospitality industries in the U.S. to plunder financial information such as credit and debit card numbers that were then used or sold for profit on underground marketplaces.
Although multiple members of the collective have been imprisoned for their roles in different campaigns since the start of the year, FIN7's activities have also been tied to another group called Carbanak, given its similar TTPs, with the main distinction being that while FIN7 focuses on hospitality and retail sectors, Carbanak has singled out banking institutions.
In the latest attack observed by Anomali, the infection commences with a Microsoft Word maldoc containing a decoy image that's purported to have been "Made on Windows 11 Alpha," urging the recipient to enable macros to trigger the next stage of activity, which involves executing a heavily-obfuscated VBA macro to retrieve a JavaScript payload, which has been found to share similar functionality with other backdoors used by FIN7.
The backdoor's attribution to FIN7 stems from overlaps in the victimology and techniques adopted by the threat actor, including the use of a JavaScript-based payload to plunder valuable information.
News URL
Related news
- Hackers steal Windows NTLM authentication hashes in phishing attacks (source)
- Hackers abuse Windows SmartScreen flaw to drop DarkGate malware (source)
- Hackers exploit Windows SmartScreen flaw to drop DarkGate malware (source)
- Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack (source)
- FIN7 Cybercrime Group Targeting U.S. Auto Industry with Carbanak Backdoor (source)
- Hackers Target Middle East Governments with Evasive "CR4T" Backdoor (source)
- Researchers Uncover Windows Flaws Granting Hackers Rootkit-Like Powers (source)
- Microsoft: APT28 hackers exploit Windows flaw reported by NSA (source)
- Microsoft: APT28 hackers exploit Windows flaw reported by NSA (source)
- Russian hackers’ custom tool exploits old Windows Print Spooler flaw (CVE-2022-38028) (source)