FIN7 Windows 11 Alpha Campaign

I. Targeted Entities

  • Technology Industry
  • Windows Users
  • General Public

II. Introduction

Using infected Microsoft Word documents, cybercrime group FIN7 has begun targeting the newly released Windows 11.[1] As reported by researchers at Anomali, six new Windows 11 Alpha-themed documents were recently seen circulating, whose macros deliver a JavaScript-based backdoor.[1] Researchers noted that the campaign appeared to primarily target a California-based company called Clearmind.[1] FIN7 is an Eastern European threat group that primarily targets U.S.-based companies.[3]

III. Background Information

Infection appears to use a standard attack vector in which users are shown a document containing a decoy image. The image claims to have been made with Windows 11 Alpha.[1] It asks the user to “Enable Editing and Content,” which begins the next phase of the attack.[3] The VBScript is obfuscated with junk comments.[3] Researchers found that a hidden table contained encoded values that, when deciphered with an XOR cipher, revealed a key and a table of languages.[3] The code checks the system for several Eastern European languages listed in that table; if one is detected, the table is deleted and execution stops.[3]

It is important to note that the script also stops if it detects a virtual machine or if the system does not have more than 4 GB of RAM available.[3] If the checks pass, the script drops a file called word_data.js into the TEMP folder.[3] The JavaScript backdoor appears to share functionality with other backdoors used by the threat group in the past.[3] The script then reaches out to a domain to pass the host’s IP and DNS information.[3] The backdoor allows attackers to deliver any payload they want to the target machine and represents a foothold for future attacks.[2]
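The behaviour described above gives defenders a concrete process chain to hunt for: a Microsoft Word document whose macro writes a .js file into the user’s TEMP folder and runs it. The following Python detector is an added example, not code from the advisory or from the cited researchers. It runs over constructed process-creation events; the field names (parent_image, image, command_line) are assumptions modelled on Sysmon Event ID 1, and the detail that the script is launched through wscript.exe or cscript.exe is likewise an assumption, since the advisory only states that word_data.js is dropped into TEMP. The rule is generalised beyond the page to cover Excel and PowerPoint parents and either script host.

```python
import re

# Office processes whose child script hosts are worth flagging
# (the advisory only mentions Word; Excel and PowerPoint are added as a generalisation)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Windows script hosts capable of executing a .js file (assumed launch mechanism)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A .js file located under any "Temp" directory, matched case-insensitively
TEMP_JS = re.compile(r'\\temp\\[^\s"]*\.js\b', re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(event: dict) -> bool:
    """True when an Office process spawns a script host on a .js file in TEMP."""
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    cmd = event.get("command_line", "")
    return parent in OFFICE_PARENTS and child in SCRIPT_HOSTS and TEMP_JS.search(cmd) is not None


def find_suspicious(events):
    """Return the events that match the detection, preserving their order."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample events (not real telemetry); field names modelled on Sysmon Event ID 1
SAMPLE_EVENTS = [
    {"id": 1,  # Word launching a .js from TEMP: should alert
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\word_data.js"'},
    {"id": 2,  # logon script started by Explorer: benign
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe \\corp\netlogon\logon.vbs"},
    {"id": 3,  # Word running a vendor .vbs outside TEMP: not matched by this rule
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cscript.exe",
     "command_line": r'cscript.exe "C:\Program Files\Vendor\update.vbs"'},
    {"id": 4,  # Excel launching a .js from TEMP via cscript: should alert (generalised case)
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cscript.exe",
     "command_line": r"cscript //nologo C:\Users\bob\AppData\Local\Temp\tmp1A2B.js"},
]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT event {hit['id']}: {basename(hit['parent_image'])} -> {hit['command_line']}")
```

Run against the constructed events, the rule flags events 1 and 4 and ignores the logon script and the vendor script outside TEMP. In production the same three conditions (Office parent, script-host child, script path under TEMP) translate directly into an EDR or SIEM query; tune the parent list and the path pattern to the telemetry you actually collect.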

IV. MITRE ATT&CK

  • T1059.005 – Command and Scripting Interpreter: Visual Basic
    FIN7 used VBS scripts to help perform tasks on the victim’s machine.
  • T1059.007 – Command and Scripting Interpreter: JavaScript
    FIN7 used JavaScript scripts to help perform tasks on the victim’s machine.
  • T1204.002 – User Execution: Malicious File
    FIN7 lures victims to “Enable Editing and Enable Content,” which would execute malicious files in the document.
  • T1047 – Windows Management Instrumentation
    FIN7 may abuse Windows Management Instrumentation (WMI) to achieve execution.
  • T1140 – Deobfuscate/Decode Files or Information
    FIN7 uses a hidden table inside the .doc file.
  • T1027 – Obfuscated Files or Information
    FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.
  • T1497 – Virtualization/Sandbox Evasion
    If a VM is detected, the script is killed.
  • T1497.001 – Virtualization/Sandbox: System Checks
    The script used by FIN7 checks for Virtual Machines and if detected, stops running.
  • T1087.002 – Account Discovery: Domain Account
    The script will check for specific domains.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk.
    Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) in the endpoint-protection product you use so that previously unknown malware can be detected and blocked.

VI. Indicators of Compromise (IOCs)

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.box.com/s/te8lijr921avv32tnb8tmquzmdlskvt8

VII. References

(1) Seals, Tara. “Fin7 Capitalizes on Windows 11 Release in Latest Gambit.” Threatpost. Accessed September 9, 2021. https://threatpost.com/fin7-windows-11-release/169206/.

(2) Ilascu, Ionut. “Watch out for New Malware Campaign’s ‘Windows 11 Alpha’ Attachment.” BleepingComputer. BleepingComputer, September 4, 2021. https://www.bleepingcomputer.com/news/security/watch-out-for-new-malware-campaign-s-windows-11-alpha-attachment/.

(3) Threat Research, Anomali. “FIN7 Using Windows 11 Alpha-Themed Docs to Drop JAVASCRIPT Backdoor.” Anomali. Accessed September 9, 2021. https://www.anomali.com/blog/cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor.

Threat Advisory created by the Cyber Florida Security Operations Center. Contributing Security Analysts: James Krepps, Orlando Huertas, Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya, and Tural Hagverdiyev.