
FIN7 exploits Windows 11 launch for attack

Posted by: Yoyokuo 2022-08-21

The financially motivated cybercriminal gang FIN7 is back, this time using Windows 11-themed Word documents whose malicious VBA macros drop a JavaScript backdoor.

Security researchers observed the gang using six different files in a recent campaign, all referring to Windows 11 Alpha, an Insider Preview build of Microsoft's upcoming Windows 11 operating system.

In late June, Windows 11 Alpha was released to Microsoft's Insider Dev channel, and it caused quite a stir among techies because it offered the first hands-on preview of Windows 11. The final release of Windows 11 is not due until this fall.

FIN7's operators hoped to take advantage of this interest by emailing the documents to targets including Clearmind, a California-based point-of-sale vendor. All of the files carried malicious Visual Basic for Applications (VBA) macros.

The infection chain starts with a Microsoft Word document containing an alluring image that tells the reader the file was made with Windows 11 Alpha and instructs them to enable editing to see the rest of the content.

Once editing is enabled, the VBA macro runs. It reads an encoded value from a hidden table inside the document, decodes it with an XOR key, and writes out a script that checks various properties of the target system before going any further.

The script first checks the language of the target system; if it finds Russian, Ukrainian, or any of several other Eastern European languages, it terminates.

The script also checks for signs of a virtual machine, to make sure it is not being analyzed in a sandbox, and terminates if it finds any. It then checks whether the host is joined to the domain of the point-of-sale (PoS) service provider Clearmind (clearmind.com). Only if it is does the script continue.

Targeting the Clearmind domain is entirely consistent with FIN7's mode of operation. Clearmind is a California-based provider of PoS technology for the retail and hospitality industries; a successful infection would give the group access to vast amounts of payment card data, which it then sells on underground markets.

The researchers pointed out that if every check passes, the script drops a JavaScript file named "word_data.js" into the TEMP folder. Once parsed and run, this file becomes a JavaScript backdoor that FIN7 has used since 2018. From there, FIN7 can further infiltrate the victim's machine, steal data and conduct network reconnaissance, followed by lateral movement.
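The two document-side stages described above (an XOR-encoded payload hidden in a table, and a dropped script that gates on language, virtualization and the CLEARMIND domain before writing word_data.js to TEMP) are exactly what an analyst wants to pull out of a suspicious file without running the macro. The following triage helper is an added example, not FIN7's code or the researchers' tooling. It assumes, for illustration, that the encoded value is stored as a hex string in a table cell whose run is marked hidden (w:vanish) and that the XOR key is a single byte; the sample document it builds is constructed here to exercise the logic, and the indicator strings are taken from the description in this article.

```python
"""Triage helper for Word documents that stash an XOR-encoded script in a
hidden table.  Added example, not FIN7's code or the researchers' tooling.
Assumptions (labelled): the payload is a hex string in a table cell whose
run is hidden (w:vanish), and the XOR key is a single byte."""
import io
import re
import zipfile
from xml.etree import ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

# Strings the decoded dropper would plausibly contain, per the article's
# description of its language, VM and domain checks and its drop location.
INDICATORS = ["word_data.js", "TEMP", "CLEARMIND", "LanguageID", "VirtualBox", "VMware"]


def hidden_table_cells(docx_bytes):
    """Return the text of every table cell in word/document.xml that
    contains a hidden (w:vanish) run."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    cells = []
    for tc in root.iter(W + "tc"):
        if tc.find(f".//{W}rPr/{W}vanish") is None:
            continue
        cells.append("".join(t.text or "" for t in tc.iter(W + "t")))
    return cells


def xor_bruteforce(blob, keywords=INDICATORS):
    """Try all 256 single-byte XOR keys; return (key, text, hits) for the
    candidate that decodes to ASCII and matches the most keywords."""
    best = (None, "", 0)
    for key in range(256):
        candidate = bytes(b ^ key for b in blob)
        try:
            text = candidate.decode("ascii")
        except UnicodeDecodeError:
            continue
        hits = sum(1 for kw in keywords if kw in text)
        if hits > best[2]:
            best = (key, text, hits)
    return best


def triage(docx_bytes):
    """Decode hidden-table payloads and report which indicators they contain."""
    findings = []
    for cell in hidden_table_cells(docx_bytes):
        hexstr = re.sub(r"\s+", "", cell)
        if len(hexstr) < 32 or len(hexstr) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", hexstr):
            continue  # not a plausible encoded blob
        key, text, hits = xor_bruteforce(bytes.fromhex(hexstr))
        if hits:
            findings.append({"key": key,
                             "indicators": [kw for kw in INDICATORS if kw in text],
                             "script": text})
    return findings


def build_sample_docx(key=0x37, hidden=True):
    """Constructed sample: a minimal .docx whose table carries an XOR-encoded
    pseudo-script mimicking the checks described in the article.  With
    hidden=False the run is visible, so the triage should report nothing."""
    script = ('If LanguageID Not In (Russian, Ukrainian) And Not VMware And Not VirtualBox '
              'And Domain = "CLEARMIND" Then Drop "%TEMP%\\word_data.js"')
    encoded = bytes(b ^ key for b in script.encode("ascii")).hex()
    rpr = "<w:rPr><w:vanish/></w:rPr>" if hidden else ""
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>Made with Windows 11 Alpha. Enable editing to view.</w:t></w:r></w:p>'
        f'<w:tbl><w:tr><w:tc><w:p><w:r>{rpr}<w:t>{encoded}</w:t></w:r></w:p></w:tc></w:tr></w:tbl>'
        '</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage(build_sample_docx()):
        print(f"XOR key 0x{finding['key']:02x}, indicators: {finding['indicators']}")
        print(finding["script"])
```

Run it against a real sample by replacing `build_sample_docx()` with the bytes of the file; anything that decodes with a high keyword count is worth a closer look in a proper macro analyzer, and the recovered strings (domain name, drop path) feed straight into hunting for the TEMP-folder JavaScript on endpoints.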

FIN7 (aka Carbanak Group or Navigator Group) is a well-known threat group that has been operating since at least 2015. The gang typically attacks victims with malware-laden phishing documents, then moves through their systems to steal card data and sell it. It has steadily updated its malware arsenal and targets PoS systems in casual restaurants, casinos and hotels. Since 2020 the gang has also increased its ransomware and data-theft attacks, using the ZoomInfo service to select targets by revenue.

The group has long had the attention of the U.S. Department of Justice, which believes FIN7 stole more than 15 million payment card records and caused more than $1 billion in damages. In the U.S. alone, the group disrupted networks of organizations in 47 states and the District of Columbia, according to the Justice Department, which in June sentenced one member to seven years in prison and $2.5 million in restitution for payment card theft, among other charges. Other members have been arrested and convicted as well.

However, prosecutions have not stopped the group. A month later it was back, successfully attacking multiple law firms using a fake legal complaint from a liquor company involving Jack Daniel's whiskey as bait.

FIN7 is one of the most notorious financially motivated cybercrime groups, stealing vast amounts of sensitive data through numerous techniques and attack surfaces. Despite the government's sustained arrests and sentences, including of alleged higher-level members, the group remains as active as ever. U.S. prosecutors estimate the group at about 70 people, so it can likely replace lost personnel by recruiting from outside.
