The FIN7 financial cybercrime gang is back, delivering JavaScript backdoors using Word documents themed around the next version of Windows, Windows 11.
The financially motivated group looked to steal payment-card data from a California-based point-of-sale service provider.
That’s according to researchers at Anomali, who observed a recent campaign from the group that used six different documents, all referencing “Windows 11 Alpha” – the “Insider Preview” version of the upcoming Windows 11 operating system from Microsoft.
Windows 11 Alpha
Windows 11 Alpha was released to the computing giant’s developer channels in late June, and it generated buzz among the technorati for offering a glimpse of the planned upgrades that Windows users can look forward to when Windows 11 rolls out this fall.
The FIN7 crooks looked to capitalise on this, delivering the themed documents to targets at a California-based point-of-sale provider called Clearmind (likely via email), among others – all booby-trapped with malicious Visual Basic for Applications (VBA) macros.
FIN7’s Latest Attack Layout
The infection chain begins with a Microsoft Word document featuring a decoy image, telling readers that it was made with Windows 11 Alpha. The image asks the user to “Enable Editing and Enable Content” to see more.
Once the content/editing has been enabled, a VBA macro executes that takes encoded values from a hidden table inside the .doc file and decodes them with an XOR key. This produces a script that carries out various checks on the target.
It first checks the target system’s language. If Russian, Ukrainian or any of a number of other Eastern European languages is found to be the default, the script terminates.
Unofficial Policy
Anomali researchers stated that while it’s “accepted as an almost unofficial policy that cyber-criminals based in the Commonwealth of Independent States (CIS) are generally left alone,” this particular check goes beyond those borders to include Sorbian, a minority Slavic language spoken in Germany, plus Estonian, Slovak and Slovenian.
Those are also additions used by the REvil ransomware gang, which has been known to work with FIN7 in the past, researchers noted.
The script also checks for virtual machines, to make sure it’s not being analysed in a sandbox environment, and will terminate if one is found. Then, interestingly, it looks to see whether the target is on the domain clearmind.com – the domain of the point-of-sale (PoS) service provider. If it is, that serves as a “proceed” check.
Payment-Card Data
“The specified targeting of the Clearmind domain fits well with FIN7’s preferred modus operandi,” according to Anomali’s Thursday writeup on the campaign. “As a California-based provider of PoS technology for the retail and hospitality sector, a successful infection would allow the group to obtain payment-card data and later sell the information on online marketplaces.”
If the checks are satisfied, the script drops a JavaScript file called “word_data.js” into the TEMP folder which, once decoded, turns out to be a JavaScript backdoor that FIN7 has been employing since 2018, researchers noted. From there, FIN7 can further penetrate a victim’s machine to steal data and perform reconnaissance for lateral movement.
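As an added illustration (not code from the article or from Anomali), here is a Python check that flags the last step of the chain described above, Word spawning a script host on a .js file in the TEMP folder, over a few constructed Sysmon-style process-creation events. The choice of wscript.exe/cscript.exe as the script host and the event field names are assumptions, and the events are constructed samples rather than real telemetry.

```python
"""Flag process-creation events consistent with the Word -> script host -> %TEMP% .js
chain described above. Field names follow the Sysmon Event ID 1 schema; wscript.exe and
cscript.exe as the script hosts are an assumption, not something the article states."""
import json
import ntpath
import re

# Constructed sample events (JSON lines), not real telemetry.
SAMPLE_LOG = r'''
{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\word_data.js"}
{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\cscript.exe", "CommandLine": "cscript.exe //nologo C:\\Users\\bob\\AppData\\Local\\Temp\\update.js"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe C:\\Scripts\\logon.js"}
{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "splwow64.exe 12288"}
'''

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # assumption: hosts used to run the dropped .js
TEMP_JS = re.compile(r'\\temp\\\S+\.js\b', re.IGNORECASE)  # a .js path under a Temp directory
KNOWN_DROPPER_NAME = "word_data.js"              # filename reported for this campaign


def classify_event(event: dict):
    """Return (severity, reason) for one event, or None if it does not match the chain."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    cmdline = event.get("CommandLine", "")
    if parent != "winword.exe" or child not in SCRIPT_HOSTS:
        return None
    match = TEMP_JS.search(cmdline)
    if not match:
        return None
    script = ntpath.basename(match.group(0)).lower()
    if script == KNOWN_DROPPER_NAME:
        return ("high", f"Word launched {child} on {KNOWN_DROPPER_NAME} from TEMP")
    return ("medium", f"Word launched {child} on a .js file from TEMP: {script}")


def scan(log_text: str):
    """Parse JSON-lines events and return (severity, command line, reason) per hit."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verdict = classify_event(event)
        if verdict:
            findings.append((verdict[0], event["CommandLine"], verdict[1]))
    return findings


if __name__ == "__main__":
    for severity, cmdline, reason in scan(SAMPLE_LOG):
        print(f"[{severity.upper()}] {reason}\n    {cmdline}")
```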
FIN7: No Signs of Slowing Down
FIN7 (aka Carbanak Group or Navigator Group) is a well-known threat actor that has been active since at least 2015. The group typically uses malware-laced phishing attacks against victims in hopes of infiltrating systems to steal bank-card data and sell it.
The gang consistently retools its malware. It has also become well known for targeting PoS systems at casual-dining restaurants, casinos and hotels. Since 2020, it has also added ransomware/data-exfiltration attacks to the mix, carefully selecting targets according to revenue using the ZoomInfo service.
US Justice Department
The group has caught the eye of the US Justice Department, which credits FIN7 with the theft of more than 15 million payment-card records and $1 billion in global losses.
In the US alone, the group has compromised the networks of organizations in 47 US states and the District of Columbia, according to the DoJ, which in June sentenced a so-called “pen-tester” to 7 years in prison and a $2.5 million fine following a conviction for payment-card theft. Other arrests and convictions have also plagued the group.
However, the legal action has done nothing to slow the group down – one month later it was back, successfully compromising at least one law firm, using as a lure a legal complaint involving the liquor company that owns Jack Daniels Whiskey.
Financially Motivated
“FIN7 is one of the most notorious financially motivated groups due to the large amounts of sensitive data they have stolen through numerous techniques and attack surfaces,” according to Anomali.
“Despite high-profile arrests and sentencing, including alleged higher-ranking members, the group continues to be as active as ever. US prosecutors believe the group numbers around 70 individuals, meaning the group can likely accommodate these losses as other individuals will step in.”