Heimdal

It’s possible that the malicious group behind the campaign is the FIN7 group, a cybercrime group also known as Carbanak or Navigator that specializes in stealing payment card data.

What Happened?

The cybercriminals inserted macro code into Microsoft Word documents. This malicious code downloads a JavaScript backdoor that lets the attacker deliver any payload they want.

Researchers from the cybersecurity company Anomali took a more in-depth look at six such documents and discovered that they were delivering a backdoor that is a variation of a payload commonly used by FIN7.

At this moment it remains unclear how the malicious files were being delivered, but the main assumption is that this happened through phishing emails: when the document is opened, Windows 11 imagery and text are shown in order to trick the recipient into enabling the macro content.

The malicious code is obfuscated in order to hinder analysis, but the researchers found ways to strip the surplus and leave only the relevant strings.

According to BleepingComputer, the Anomali researchers discovered that the included VBScript relies on values encoded inside a hidden table in the document in order to perform language checks on the infected computer.

When it detects a specific language, such as Russian, Ukrainian, Moldovan, Sorbian, Slovak, Slovenian, Estonian or Serbian, the malware stops the malicious activity and deletes the table with the encoded values.

It’s also interesting to note that the code looks for the domain CLEAR MIND, which appears to refer to a point-of-sale (PoS) provider, while making other checks as well:

  • Registry key language preference for Russian
  • Virtual machine – VMware, VirtualBox, innotek, QEMU, Oracle, Hyper, and Parallels (if a VM is detected the script is killed)
  • Available memory (stops if there is less than 4GB)
  • Check for RootDSE via LDAP

If the checks are satisfactory, the script proceeds to the function where a JavaScript file called word_data.js is dropped to the TEMP folder.
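As an added example that is not part of this article or of Anomali’s research, the following Python triage script scans deobfuscated macro strings for the evasion and staging indicators described above (registry language preference, VM vendor names, memory check, RootDSE lookup via LDAP, the CLEAR MIND domain, and a word_data.js drop to TEMP). The regular expressions, the registry and WMI names they look for, the sample strings and the scoring threshold are all assumptions constructed for the example, not signatures published by Anomali, Heimdal or BleepingComputer.

```python
import re

# Indicator families drawn from the checks the article attributes to the macro.
# The patterns below are this example's own assumptions: they are written to
# catch the plain-text strings an analyst would see after deobfuscation, not
# the real macro's exact code.
INDICATORS = {
    # geo-aware kill switch: locale read from the registry or a hard-coded tag
    "language_check": re.compile(
        r"(Control Panel\\International|LocaleName|GetUserDefaultUILanguage|"
        r"\b(ru-RU|uk-UA|ro-MD|hsb-DE|dsb-DE|sk-SK|sl-SI|et-EE|sr-Latn-RS|sr-Cyrl-RS)\b)",
        re.IGNORECASE),
    # hypervisor vendor names listed in the write-up
    "vm_check": re.compile(
        r"\b(VMware|VirtualBox|innotek|QEMU|Oracle|Hyper-V|HyperV|Parallels)\b",
        re.IGNORECASE),
    # WMI property names commonly used to read physical memory (assumption)
    "memory_check": re.compile(r"(TotalPhysicalMemory|TotalVisibleMemorySize)", re.IGNORECASE),
    # domain-join probe via the LDAP RootDSE object
    "ldap_check": re.compile(r"(LDAP://|RootDSE)", re.IGNORECASE),
    # the PoS provider domain the article says the code looks for
    "pos_domain": re.compile(r"CLEAR\s*MIND", re.IGNORECASE),
    # second-stage JavaScript written to the TEMP folder
    "js_dropper": re.compile(r"(word_data\.js|Environ\(\s*\"TEMP\"\s*\)|%TEMP%)", re.IGNORECASE),
}

# Constructed sample of the "relevant strings" left after cleaning an obfuscated
# macro. These lines are made up for the example and are not the real payload.
SAMPLE_STRINGS = """\
HKEY_CURRENT_USER\\Control Panel\\International
LocaleName
ru-RU
uk-UA
Select * from Win32_ComputerSystem
VMware
VirtualBox
innotek GmbH
QEMU
Parallels
TotalPhysicalMemory
4294967296
LDAP://RootDSE
CLEAR MIND
word_data.js
Environ("TEMP")
"""

# Number of distinct indicator families needed before the document is flagged.
# Arbitrary threshold chosen for the example; tune it against your own corpus.
SUSPICIOUS_THRESHOLD = 3


def scan_macro_text(text: str) -> dict:
    """Return the indicator families found in deobfuscated macro text.

    The result carries the matched strings per family, a score equal to the
    number of families hit, and a verdict based on SUSPICIOUS_THRESHOLD.
    """
    hits = {}
    for name, pattern in INDICATORS.items():
        found = sorted({m.group(0) for m in pattern.finditer(text)})
        if found:
            hits[name] = found
    score = len(hits)
    return {"hits": hits, "score": score, "suspicious": score >= SUSPICIOUS_THRESHOLD}


def describe(result: dict) -> str:
    """Render a short analyst-facing summary of a scan result."""
    lines = [f"score={result['score']} suspicious={result['suspicious']}"]
    for name, found in result["hits"].items():
        lines.append(f"  {name}: {', '.join(found)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(scan_macro_text(SAMPLE_STRINGS)))
```

The scan keys on families rather than raw string counts so that a single vendor name appearing in a legitimate document does not trip the verdict; a macro that combines a locale kill switch, hypervisor detection, a memory floor and a TEMP-folder script drop is far more characteristic of the behaviour the article describes than any one of those strings alone.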


There is moderate confidence in the attribution to the FIN7 cybercrime group, but some of the factors that led the researchers to believe that FIN7 is behind the attack were that the attackers were:

  • Targeting a PoS provider
  • Using a decoy doc file with VBA macros
  • Using JavaScript backdoors historically
  • Stopping the infection process after detecting Russian, Ukrainian, or other Eastern European languages
  • Using a password-protected document

The FIN7 group was first noticed in 2013 but became more widely known from 2015 onward.

The malicious actors that are part of the cybercrime group are mostly focused on stealing payment card data belonging to customers of various businesses, with Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin, and Jason’s Deli being just a few of the previous victims of the group.

Author Profile

Dora Tudor

Cyber Security Enthusiast

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.