Relying on a simple recipe that has proved successful time and time again, threat actors have deployed a malware campaign recently that used a Windows 11 theme to lure recipients into activating malicious code placed inside Microsoft Word documents.
Security researchers believe that the adversary behind the campaign may be the FIN7 cybercrime group, also known as Carbanak and Navigator, that specializes in stealing payment card data.
Tried and tested method
The adversary took advantage of the buzz created around the details for Microsoft’s development of its next operating system release, which started in early June.
Researchers at cybersecurity company Anomali analyzed six such documents and say that the delivered backdoor appears to be a variation of a payload commonly used by the FIN7 group since at least 2018.
The names used in the campaign seem to indicate that the activity may have occurred between late June and late July, a period that coincides with news about Windows 11 starting to emerge on a more regular basis.
It is unclear how the malicious files were delivered, but phishing email is typically how it happens. Opening the document shows Windows 11 imagery with text designed to trick the recipient into enabling macro content.
The claim that the document was generated with a newer operating system may make some users believe that there is a compatibility issue preventing access to the content and that following the instructions eliminates the problem.
If the user follows those instructions, they activate and execute the malicious VBA macro that the threat actor planted inside the document.
The code is obfuscated to hinder analysis, but the padding can be stripped away to leave only the relevant strings.
Anomali researchers found that the included VBScript relies on some values encoded inside a hidden table in the document to perform language checks on the infected computer.
Detecting a specific language (Russian, Ukrainian, Moldovan, Sorbian, Slovak, Slovenian, Estonian, Serbian) puts a stop to the malicious activity and deletes the table with encoded values.
The code also looks for the domain CLEARMIND, which Anomali researchers say appears to refer to a point-of-sale (PoS) provider.
Other checks that the code makes include:
- Reg Key language preference for Russian
- Virtual machine – VMWare, VirtualBox, innotek, QEMU, Oracle, Hyper and Parallels (if a VM is detected the script is killed)
- Available memory (stops if there is less than 4GB)
- Check for RootDSE via LDAP
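The language, virtual-machine, memory, domain and RootDSE checks described above are the kind of evasion logic a defender wants to flag during macro triage. The following Python script is an added example and not code from the Anomali report or the analysed documents: it scans extracted VBA source text (as dumped by a macro extraction tool) for patterns typical of such checks and returns a verdict. The regular expressions, the category names, the constructed sample fragments and the domain name EXAMPLE-POS are assumptions for illustration.

```python
"""Static triage of extracted VBA source for sandbox- and geo-evasion checks
(locale kill switch, VM vendor strings, memory size, LDAP RootDSE, domain
comparison, hidden-table data store). Added example; the patterns below are
assumptions about how such checks usually look in VBA, not strings taken
from the analysed samples."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Each indicator: category, meaning, compiled pattern (assumed, see above).
INDICATORS = [
    ("locale_check", "reads the UI/user locale (language-based kill switch)",
     re.compile(r"LanguageSettings|GetUserDefaultLCID|GetLocaleInfo|Control Panel\\International", re.I)),
    ("vm_check", "tests for a virtualisation vendor string",
     re.compile(r"VMware|VirtualBox|innotek|QEMU|Oracle|Hyper-?V|Parallels", re.I)),
    ("memory_check", "inspects installed RAM (low-memory sandbox heuristic)",
     re.compile(r"TotalPhysicalMemory|TotalVisibleMemorySize", re.I)),
    ("ldap_rootdse", "queries the directory RootDSE (domain-joined check)",
     re.compile(r"LDAP://RootDSE", re.I)),
    ("domain_check", "compares the machine's domain against a target name",
     re.compile(r"Environ\s*\(\s*\"USERDOMAIN\"\s*\)|UserDomain", re.I)),
    ("table_datastore", "reads or deletes a document table used to hide data",
     re.compile(r"\.Tables\s*\(\s*\d+\s*\)", re.I)),
]


@dataclass(frozen=True)
class Finding:
    category: str
    line: int      # 1-based line in the macro source
    evidence: str  # the stripped source line that matched


def scan_vba(source: str) -> List[Finding]:
    """Return one Finding per (indicator, source line) that matches."""
    findings: List[Finding] = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        if text.lstrip().startswith("'"):  # skip VBA comment lines
            continue
        for category, _meaning, pattern in INDICATORS:
            if pattern.search(text):
                findings.append(Finding(category, lineno, text.strip()))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count hits per category."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


def verdict(findings: List[Finding], threshold: int = 3) -> str:
    """Several distinct evasion categories together point to deliberate
    sandbox/geo evasion; a single hit is merely suspicious."""
    categories = {f.category for f in findings}
    if len(categories) >= threshold:
        return "evasive"
    if categories:
        return "suspicious"
    return "clean"


# Constructed sample fragments shaped like the checks described in the
# article; deliberately not a working macro.
SAMPLE_VBA = "\n".join([
    "' constructed fragments, not a working macro",
    "lcid = Application.LanguageSettings.LanguageID(msoLanguageIDUI)",
    "If lcid = 1049 Then ActiveDocument.Tables(1).Delete",
    "If InStr(1, cs.Model, \"VirtualBox\", vbTextCompare) > 0 Then Exit Sub",
    "If cs.TotalPhysicalMemory < 4294967296# Then Exit Sub",
    "If UCase(Environ(\"USERDOMAIN\")) <> \"EXAMPLE-POS\" Then Exit Sub",
    "Set rootDSE = GetObject(\"LDAP://RootDSE\")",
])

# Constructed benign macro for comparison.
BENIGN_VBA = "\n".join([
    "Sub UpdateTotals()",
    "    ActiveDocument.Fields.Update",
    "End Sub",
])

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        hits = scan_vba(src)
        print(f"{name}: {verdict(hits)} {summarize(hits)}")
        for f in hits:
            print(f"  line {f.line} [{f.category}] {f.evidence}")
```

The threshold of three categories is a triage heuristic: legitimate macros rarely read the locale, probe virtualisation vendors and query RootDSE in the same module, so co-occurrence rather than any single pattern drives the verdict. Match lines are reported so an analyst can jump straight to the relevant code in the deobfuscated source.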
There is moderate confidence for the attribution, which is based on the following factors:
- Targeting of a POS provider aligns with previous FIN7 activity
- The use of decoy doc files with VBA macros also aligns with previous FIN7 activity
- Infection stops after detecting Russian, Ukrainian, or several other Eastern European languages
- Password protected document
FIN7 has been around since at least 2013 but became known on a larger scale from 2015 onward. Several of its members were arrested and sentenced in 2018, yet attacks and malware have continued to be attributed to the group since then [1, 2].
The attackers focused on stealing payment card data belonging to customers of various businesses. Their activity in the U.S. caused more than $1 billion in losses, stemming from the theft of over 20 million card records processed by more than 6,500 point-of-sale terminals at around 3,600 separate business locations.
Among the companies that FIN7 hit are Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin, and Jason’s Deli.