According to Anomali Threat Research, six malicious Windows 11 Alpha-themed Word documents with Visual Basic macros are being used to drop JavaScript payloads, including a JavaScript backdoor. While the attack vector for this activity remains unknown, it strongly suggests an email phishing or spearphishing campaign.
The activity likely took place around late-June to late-July 2021, based on the file names in this campaign observed by the researchers.
How FIN7 ATP Group is Using Windows 11 Themed Documents to drop Javascript Backdoor?
Anomali Threat Research analysis conducted on malicious Microsoft Word documents themed after Windows 11 Alpha, disclosed with moderate confidence that the Word documents were part of a malware campaign conducted by the threat group FIN7.
The attack chain began with a Microsoft Word document (.doc) containing a decoy image claiming to have been made with Windows 11 Alpha. And on analyzing the file, it was discovered to be a VBA macro populated with junk data as comments. Given that junk data is a common tactic used by threat actors to impede analysis, but once this junk data is removed, we are left with a VBA macro.
The VBScript will take encoded values from a hidden table inside the .doc file, an after deobfuscating the VBA macro, language checks carried out. If these languages are detected, the function me2XKr is called which deletes the table and stops running, also the script checks for Virtual Machines, which if detected it stops running as well.
Interestingly, the attack stops after detecting Russian, Ukrainian, or several other Eastern European languages, albeit there is no solid attribution, but the language check function and table it scores against indicate a likely geographic location for the creator of this malicious doc file.
The reason is not far-fetched, as it is an almost unofficial policy that cybercriminals based in the Commonwealth of Independent States (CIS) are generally left alone if they do not target interests or individuals within the respective borders, thus the VBA macro checking the target system language against a list including common CIS languages will terminate the infection when found to match.
However, the addition of Serbian, a minority German Slavic language, Estonian, Slovenian and Slovak remains unusual as these are not languages considered for exclusion but maybe would be considered as a ‘fair game.’
No comments