FIN7 group leverages Windows 11 Alpha-Themed docs to drop Javascript payloads

Pierluigi Paganini September 04, 2021

FIN7 cybercrime gang used weaponized Windows 11 Alpha-themed Word documents to drop malicious payloads, including a JavaScript backdoor.

Anomali Threat Research experts have monitored recent spear-phishing attacks conducted by financially motivated threat actor FIN7. The messages used weaponized Windows 11 Alpha-themed Word documents with Visual Basic macros to drop malicious payloads, including a JavaScript backdoor, in an attack aimed at a US point-of-sale (PoS) service provider.

The attacks took space between late June and late July 2021, experts noticed that the infection process stops when detecting Russian, Ukrainian, or several other Eastern European languages.

“The specified targeting of the Clearmind domain fits well with FIN7’s preferred modus operandi. As a California-based provider of POS technology for the retail and hospitality sector, a successful infection would allow the group to obtain payment card data and later sell the information on online marketplaces.” reads the analysis published by Anomali. “The use of a JavaScript backdoor is also primarily associated with FIN7 and is a common feature within its campaigns.

The threat actors employed a variation of a JavaScript backdoor used by the FIN7 group since at least 2018.

FIN7 is a Russian criminal group that has been active since mid-2015, it focuses on restaurant, gambling, and hospitality industries in the US to harvest financial information that was used in attacks or sold in cybercrime marketplaces.

The attack chain began with a Microsoft Word document (.doc) containing a decoy image claiming to have been made with Windows 11 Alpha. The image asks the recipient to Enable Editing and Enable Content to access its content.


Upon enabling the macros, a heavily-obfuscated VBA macro will be executed to retrieve a JavaScript payload. The malicious script also checks for Virtual Machines to prevent the analysis in virtualized environment.

In order to avoid the analysis the threat actors also inserted junk data in VBA Macro, this is a common tactic used by threat actors.

The researchers attribute the attack to FIN7 due to similarities in the TTPs, the victimology associated with the cybercrime gang, and the use of a JavaScript-based payload to harvest sensitive data from the victims.

“FIN7 is one of the most notorious financially motivated groups due to the large amounts of sensitive data they have stolen through numerous techniques and attack surfaces. Things have been turbulent for the threat group over the past few years as with success and notoriety comes the ever-watchful eye of the authorities. Despite high-profile arrests and sentencing, including alleged higher-ranking members, the group continues to be as active as ever.” concludes the experts.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, FIN7)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment