Windows 11 Alpha-Themed Docs Are Used to Deliver New Malware
The New Malware Uses a Windows 11 Theme to Lure Recipients Into Activating Malicious Code.
The group behind the campaign may be FIN7, a cybercrime group also known as Carbanak or Navigator that specializes in stealing payment card data.
Researchers from the cybersecurity company Anomali took a closer look at six such documents and found that they deliver a backdoor that is a variant of a payload FIN7 has commonly used.
It is still unclear how the malicious files were delivered, but the leading assumption is phishing email. When the document is opened, it displays Windows 11 imagery and text designed to trick the recipient into enabling macro content.
The malicious code is obfuscated to hinder analysis, but the researchers were able to strip out the junk and leave only the relevant strings.
According to BleepingComputer, Anomali found that the embedded VBScript relies on values encoded in a hidden table inside the document to perform language checks on the infected computer.
If it detects one of a specific set of languages (Russian, Ukrainian, Moldovan, Sorbian, Slovak, Slovenian, Estonian or Serbian), the malware halts its activity and deletes the table of encoded values.
It is also worth noting that the code looks for the domain CLEAR MIND, which appears to refer to a point-of-sale (PoS) provider, alongside several other checks:
- Registry key for a Russian language preference
- Virtual machine vendor strings: VMware, VirtualBox, innotek, QEMU, Oracle, Hyper, and Parallels (if a VM is detected, the script exits)
- Available memory (the script stops if less than 4 GB is present)
- RootDSE lookup via LDAP
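As an added example (not Anomali's code and not the sample's own VBScript), the Python below mirrors the gating logic described above as a diagnostic an analyst can run to see whether a sandbox or analysis VM would have been skipped by this sample. The language list, VM vendor strings and the 4 GB threshold come from the article; the BCP-47 tags chosen for those languages, the exact WMI classes and locale API queried, and the rule for matching the CLEAR MIND domain against the LDAP naming context are assumptions made here. The sample profiles at the bottom are constructed, not real hosts.

```python
# Added diagnostic mirroring the sample's environment checks (not the sample's
# code). Run on Windows to profile the current host; runs offline on samples.
import ctypes
import platform
import subprocess
from dataclasses import dataclass

# Assumed BCP-47 primary language subtags for the article's abort list.
# Sorbian has two tags (hsb/dsb); Moldovan is handled as Romanian + region MD.
EXCLUDED_LANGS = {"ru", "uk", "hsb", "dsb", "sk", "sl", "et", "sr"}
# Substrings matched case-insensitively against hardware vendor strings.
VM_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "oracle", "hyper", "parallels")
MIN_RAM_BYTES = 4 * 1024 ** 3
# The article renders the target as "CLEAR MIND"; assume a single-token match.
TARGET_DOMAIN_HINT = "clearmind"


@dataclass
class HostProfile:
    locale_name: str        # e.g. "en-US", "ro-MD", "ru_RU"
    hw_strings: str         # manufacturer / model / BIOS vendor, any separator
    total_ram_bytes: int
    domain_context: str     # RootDSE defaultNamingContext, "" if unreachable


def locale_is_excluded(locale_name: str) -> bool:
    parts = locale_name.lower().replace("_", "-").split("-")
    lang = parts[0]
    region = parts[-1] if len(parts) > 1 else ""
    if lang == "ro" and region == "md":     # Moldovan
        return True
    return lang in EXCLUDED_LANGS


def detected_vm_vendor(hw_strings: str):
    low = hw_strings.lower()
    return next((m for m in VM_MARKERS if m in low), None)


def domain_matches_target(domain_context: str) -> bool:
    # "DC=clearmind,DC=local" -> "clearmindlocal", then substring match
    flat = domain_context.lower().replace("dc=", "").replace(",", "").replace(" ", "")
    return TARGET_DOMAIN_HINT in flat


def evaluate(profile: HostProfile) -> dict:
    """True for a gate means that check would have fired on this host."""
    return {
        "language": locale_is_excluded(profile.locale_name),
        "virtual_machine": detected_vm_vendor(profile.hw_strings) is not None,
        "low_memory": profile.total_ram_bytes < MIN_RAM_BYTES,
        "domain_hint": domain_matches_target(profile.domain_context),
    }


def would_abort(profile: HostProfile) -> bool:
    # Only language, VM and memory are documented as aborting; the article
    # does not say what the script does when the domain lookup fails.
    r = evaluate(profile)
    return r["language"] or r["virtual_machine"] or r["low_memory"]


def collect_windows_profile() -> HostProfile:
    """Windows-only: user locale, hardware vendor strings, RAM and RootDSE."""
    if platform.system() != "Windows":
        raise RuntimeError("host collection only runs on Windows")
    k32 = ctypes.windll.kernel32
    buf = ctypes.create_unicode_buffer(85)         # LOCALE_NAME_MAX_LENGTH
    k32.GetUserDefaultLocaleName(buf, len(buf))

    class MEMORYSTATUSEX(ctypes.Structure):
        _fields_ = [("dwLength", ctypes.c_ulong), ("dwMemoryLoad", ctypes.c_ulong)] + [
            (n, ctypes.c_ulonglong) for n in ("ullTotalPhys", "ullAvailPhys",
            "ullTotalPageFile", "ullAvailPageFile", "ullTotalVirtual",
            "ullAvailVirtual", "ullAvailExtendedVirtual")]
    ms = MEMORYSTATUSEX()
    ms.dwLength = ctypes.sizeof(ms)
    k32.GlobalMemoryStatusEx(ctypes.byref(ms))

    def ps(cmd: str) -> str:
        r = subprocess.run(["powershell", "-NoProfile", "-Command", cmd],
                           capture_output=True, text=True)
        return r.stdout.strip()
    hw = ps("$c=Get-CimInstance Win32_ComputerSystem;$b=Get-CimInstance Win32_BIOS;"
            "'{0}|{1}|{2}' -f $c.Manufacturer,$c.Model,$b.Manufacturer")
    dom = ps("try{([ADSI]'LDAP://RootDSE').defaultNamingContext}catch{''}")
    return HostProfile(buf.value, hw, int(ms.ullTotalPhys), dom)


# Constructed sample profiles (not real hosts) so the script runs offline.
SANDBOX = HostProfile("en-US", "innotek GmbH|VirtualBox|innotek GmbH", 2 * 1024 ** 3, "")
VICTIM = HostProfile("en-US", "Dell Inc.|OptiPlex 7080|Dell Inc.", 16 * 1024 ** 3,
                     "DC=clearmind,DC=local")

if __name__ == "__main__":
    profiles = {"sandbox": SANDBOX, "victim": VICTIM}
    if platform.system() == "Windows":
        profiles["this host"] = collect_windows_profile()
    for name, p in profiles.items():
        print(name, evaluate(p), "abort" if would_abort(p) else "proceed")
```

A sandbox that reports a hypervisor vendor string or has under 4 GB of RAM trips two of the documented gates at once, which is exactly why such samples detonate cleanly on a properly dressed analysis VM but stay dormant on a default one; the vendor strings are plain substring matches on whatever hardware fields the analyst feeds in, so a hypervisor whose strings carry none of the listed markers will not be flagged by this logic.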
Anomali attributes the campaign to FIN7 with moderate confidence; the factors pointing to that group include the attackers:
- Targeting a PoS provider
- Using a decoy document with VBA macros
- Stopping the infection process after detecting Russian, Ukrainian, or other Eastern European languages
- Using a password-protected document
The FIN7 group was first observed in 2013 and became widely known from 2015 onward.
The group focuses mainly on stealing payment card data belonging to customers of various businesses; Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin, and Jason’s Deli are just a few of its previous victims.