The attacks took place between late June and late July 2021. The experts noticed that the infection process stops when it detects Russian, Ukrainian, or several other Eastern European languages.
FIN7 is a Russian criminal group that has been active since mid-2015. It focuses on the restaurant, gambling, and hospitality industries in the US, harvesting financial information that is then used in attacks or sold on cybercrime marketplaces.
The attack chain began with a Microsoft Word document (.doc) containing a decoy image that claims to have been made with Windows 11 Alpha. The image asks the recipient to click Enable Editing and Enable Content to access its content.
To hinder analysis, the threat actors also inserted junk data into the VBA macro, a common tactic among threat actors.
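Junk padding in a macro shows up as assignments to variables that nothing ever reads. The following triage heuristic is an added example, not code from the article or from any analysis of the FIN7 document: it scans a constructed VBA sample (the file path, variable names and string values are all invented) and reports how many statements are dead assignments, so an analyst can flag padded macros before reading them by hand.

```python
import re

# Constructed VBA sample: one small real routine padded with four assignments
# whose values are never used anywhere else in the module (assumed junk).
SAMPLE_VBA = """
Sub AutoOpen()
    Dim q1, q2, q3, q4
    q1 = "zx8Ff2kLm0pQ"
    q2 = 4391 * 7
    q3 = "Rt7bN1"
    q4 = Chr(65) & Chr(66)
    Dim path As String
    path = Environ("TEMP") & "\\update.txt"
    Open path For Output As #1
    Print #1, "hello"
    Close #1
End Sub
"""

ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+)$")
IDENT_RE = re.compile(r"[A-Za-z_]\w*")


def junk_ratio(vba: str):
    """Return (dead_assignments, code_lines) for a VBA module.

    An assignment is counted as dead when its target name is never mentioned
    on any other line except its own assignment lines and Dim declarations.
    VBA is case-insensitive, so names are compared lower-cased. Identifiers
    inside string literals are treated as references (a conservative choice
    that under-counts junk rather than over-counting it).
    """
    lines = [l for l in vba.splitlines() if l.strip() and not l.strip().startswith("'")]
    assigns = {}
    for i, line in enumerate(lines):
        m = ASSIGN_RE.match(line)
        if m:
            assigns.setdefault(m.group(1).lower(), []).append(i)
    dead = 0
    for name, own_lines in assigns.items():
        used = any(
            name in {t.lower() for t in IDENT_RE.findall(l)}
            for j, l in enumerate(lines)
            if j not in own_lines and not l.strip().lower().startswith("dim")
        )
        if not used:
            dead += len(own_lines)
    return dead, len(lines)


def is_padded(vba: str, threshold: float = 0.25) -> bool:
    """Flag a module when dead assignments exceed the given share of code lines."""
    dead, total = junk_ratio(vba)
    return total > 0 and dead / total >= threshold
```

On the sample above, four of twelve code lines are dead assignments, so the module is flagged; real padding is usually far heavier, and the threshold should be tuned against known-clean macros from the environment.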
“FIN7 is one of the most notorious financially motivated groups due to the large amounts of sensitive data they have stolen through numerous techniques and attack surfaces. Things have been turbulent for the threat group over the past few years as with success and notoriety comes the ever-watchful eye of the authorities. Despite high-profile arrests and sentencing, including alleged higher-ranking members, the group continues to be as active as ever,” the experts conclude.
(SecurityAffairs – hacking, FIN7)