October 3, 2023

A recent spear-phishing attacks conducted by financially motivated threat actor FIN7 using weaponized Windows 11 Alpha-themed Word documents with Visual Basic macros to drop malicious payloads, including a JavaScript backdoor.

The specified targeting of the Clearmind domain fits well with FIN7’s preferred modus operandi. A successful infection would allow the group to obtain payment card data and later sell the information on online marketplaces. The use of a JavaScript backdoor is also primarily associated with FIN7 and is a common feature within its campaigns.

The attack chain began with a Microsoft Word document (.doc) containing a decoy image claiming to have been made with Windows 11 Alpha. The image asks the recipient to Enable Editing and Enable Content to access its content.Upon enabling the macros, a heavily-obfuscated VBA macro will be executed to retrieve a JavaScript payload. The malicious script also checks for Virtual Machines to prevent the analysis in virtualized environment.

Upon enabling the macros, a heavily obfuscated VBA macro will be executed to retrieve a JavaScript payload. The malicious script also checks for Virtual Machines to prevent the analysis in virtualized environment. To avoid the analysis the threat actors also inserted junk data in VBA Macro, this is a common tactic used by threat actors.

Tags:

Leave a Reply

You may have missed

Industrial Control Systems and Vulnerability Management Process

October 2, 2023

McLaren Healthcare suffers a Ransomware Incident

October 2, 2023

TheCyberThrone CyberSecurity Newsletter Top 5 Articles – September, 2023

October 2, 2023

TheCyberThrone Security Week In Review – September 30, 2023

October 1, 2023

Mozilla fixes CVE-2023-5217 Vulnerability in its Products

September 30, 2023

CISA KEV Update Part III – September 2023

September 30, 2023
%d bloggers like this: