Recent spear-phishing attacks conducted by the financially motivated threat actor FIN7 used weaponized Windows 11 Alpha-themed Word documents with Visual Basic macros to drop malicious payloads, including a JavaScript backdoor.

The specified targeting of the Clearmind domain fits well with FIN7’s preferred modus operandi. A successful infection would allow the group to obtain payment card data and later sell the information on online marketplaces. The use of a JavaScript backdoor is also primarily associated with FIN7 and is a common feature within its campaigns.

The attack chain began with a Microsoft Word document (.doc) containing a decoy image claiming to have been made with Windows 11 Alpha. The image asks the recipient to Enable Editing and Enable Content to access its content.

Once macros are enabled, a heavily obfuscated VBA macro executes and retrieves a JavaScript payload. The malicious script also checks for virtual machines to prevent analysis in a virtualized environment. To further hinder analysis, the threat actors inserted junk data into the VBA macro, a common tactic among threat actors.
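
For defenders triaging suspicious documents, the following Python heuristic checks already-extracted VBA source for the traits described above: execution on open, virtual machine checks, script-payload references, and junk padding. It is an added example, not code from the original report. The keyword lists, the 0.4 threshold, and the sample macro (including its helper names) are constructed assumptions rather than indicators from this campaign.

```python
# Added example: triage heuristic for VBA source already extracted from a document.
# Keyword lists and threshold are generic assumptions, not indicators from this campaign.
AUTO_EXEC = ("autoopen", "auto_open", "document_open", "workbook_open")
VM_HINTS = ("vmware", "virtualbox", "vbox", "qemu", "hyper-v")
JS_HINTS = (".js", "wscript", "cscript", "jscript")
JUNK_THRESHOLD = 0.4  # assumed share of non-executing lines that counts as padding


def triage_vba(source: str) -> dict:
    """Report which of the described traits appear in one macro's source text."""
    code_lines, junk_lines = [], []
    for raw in source.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Comment lines never execute, so they are a cheap place to hide junk data.
        is_comment = line.startswith("'") or line.lower().startswith("rem ")
        (junk_lines if is_comment else code_lines).append(line)

    code = "\n".join(code_lines).lower()
    total = len(code_lines) + len(junk_lines)
    result = {
        "auto_exec": sorted(k for k in AUTO_EXEC if k in code),
        "vm_checks": sorted(k for k in VM_HINTS if k in code),
        "script_drop": sorted(k for k in JS_HINTS if k in code),
        "junk_ratio": round(len(junk_lines) / total, 2) if total else 0.0,
    }
    # Flag only macros that run on open AND show at least one of the other traits.
    result["suspicious"] = bool(result["auto_exec"]) and bool(
        result["vm_checks"] or result["script_drop"]
        or result["junk_ratio"] >= JUNK_THRESHOLD)
    return result


# Constructed sample (harmless text; GetComputerModel and SaveScript are hypothetical names).
SAMPLE_MACRO = """
Sub Document_Open()
' lorem ipsum filler one
' lorem ipsum filler two
' lorem ipsum filler three
Dim model As String
model = GetComputerModel()
' lorem ipsum filler four
If InStr(UCase(model), "VMWARE") > 0 Then Exit Sub
' lorem ipsum filler five
SaveScript "example.js"
End Sub
"""

if __name__ == "__main__":
    print(triage_vba(SAMPLE_MACRO))
```

Keyword matching only sees strings that appear in clear text, so a heavily obfuscated macro can return empty `vm_checks` and `script_drop` lists until its strings are decoded. Treat a clean result as inconclusive and rely on the `junk_ratio` and `auto_exec` fields to decide what gets deeper analysis.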