FIN7 Windows 11 Alpha Campaign
I. Targeted Entities
- Technology Industry
- Windows Users
- General Public
III. Background Information
Infection appears to use a standard attack vector: users are shown a document containing a decoy image. The image claims that it was made with Windows 11 Alpha and asks the user to “Enable Editing and Content,” which begins the next phase of the attack. The embedded VBScript is obfuscated with junk comments. Researchers found that a hidden table in the document contained encoded values that, when deciphered with an XOR cipher, revealed a key and a table of languages. The code checks the host's language against that table; if one of the listed Eastern European languages is detected, the table is deleted and the script stops running.
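The decoding step described above, shown as an analyst's helper (added example, not code from the advisory or the campaign): the hidden-table cells, the repeating XOR key and the "first cell is the next-stage key" layout are all constructed assumptions for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample of a "hidden table": each cell holds one hex string that was
# XOR-encoded with a short repeating key. Values and key are constructed for this
# example; they are not the real campaign's values.
TABLE_KEY = b"k3y"  # assumed table-level XOR key (constructed)
HIDDEN_TABLE_CELLS = [
    "3a04094a",            # -> "Q7p!"      (key for the next stage, constructed)
    "39460a185a1805",      # -> "Russian"
    "3e580b0a5a17025217",  # -> "Ukrainian"
    "2e400d045d100a5d",    # -> "Estonian"
]

def xor_decode(hexdata: str, key: bytes) -> str:
    """Undo a repeating-key XOR over a hex-encoded cell value."""
    data = bytes.fromhex(re.sub(r"\s+", "", hexdata))
    plain = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    return plain.decode("ascii", errors="replace")

def decode_hidden_table(cells: List[str], key: bytes) -> Tuple[str, List[str]]:
    """Decode every cell. By the layout assumed here, the first cell is the
    next-stage key and the remaining cells form the language block list."""
    decoded = [xor_decode(c, key) for c in cells]
    if not decoded:
        raise ValueError("empty table")
    return decoded[0], decoded[1:]

def would_abort(language_list: List[str], host_language: str) -> bool:
    """Analyst helper: report whether a host reporting `host_language` would
    trip the kill switch (case-insensitive match against the decoded table)."""
    return host_language.strip().lower() in {l.lower() for l in language_list}

if __name__ == "__main__":
    stage_key, langs = decode_hidden_table(HIDDEN_TABLE_CELLS, TABLE_KEY)
    print("next-stage key:", stage_key)
    print("blocked languages:", langs)
    for host in ("English", "Russian"):
        verdict = "abort" if would_abort(langs, host) else "continue"
        print(f"{host}: script would {verdict}")
```

The `would_abort` check tells an analyst in advance whether a sandbox configured with a given display language would ever reach the payload stage.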
IV. MITRE ATT&CK
- T1059.005 – Command and Scripting Interpreter: Visual Basic
FIN7 used VBS scripts to help perform tasks on the victim’s machine.
- T1204.002 – User Execution: Malicious File
FIN7 lures victims to “Enable Editing and Enable Content,” which would execute malicious files in the document.
- T1047 – Windows Management Instrumentation
FIN7 may abuse Windows Management Instrumentation (WMI) to achieve execution.
- T1140 – Deobfuscate/Decode Files or Information
FIN7 stores XOR-encoded values in a hidden table inside the .doc file and decodes them at runtime.
- T1027 – Obfuscated Files or Information
FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.
- T1497 – Virtualization/Sandbox Evasion
If a VM is detected, the script is killed.
- T1497.001 – Virtualization/Sandbox Evasion: System Checks
The script used by FIN7 checks for virtual machines and, if one is detected, stops running.
- T1087.002 – Account Discovery: Domain Account
The script will check for specific domains.
V. Recommendations
- Phishing Awareness Training
Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk.
Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
- Set Antivirus Programs to Conduct Regular Scans
Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
- Malware Monitoring
Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
- Strong Cyber Hygiene
Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
- Turn on Endpoint Protection
Enable endpoint detection and response (EDR) in the endpoint protection product you are using so that unknown malware can be stopped.
VI. Indicators of Compromise (IOCs)
The links below have been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.
(1) Seals, Tara. “FIN7 Capitalizes on Windows 11 Release in Latest Gambit.” Threatpost. Accessed September 9, 2021. https://threatpost.com/fin7-windows-11-release/169206/.
(2) Ilascu, Ionut. “Watch out for New Malware Campaign’s ‘Windows 11 Alpha’ Attachment.” BleepingComputer, September 4, 2021. https://www.bleepingcomputer.com/news/security/watch-out-for-new-malware-campaign-s-windows-11-alpha-attachment/.
Threat Advisory created by the Cyber Florida Security Operations Center. Contributing Security Analysts: James Krepps, Orlando Huertas, Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya, and Tural Hagverdiyev.