FIN7 Capitalizes on Windows 11 Release in Latest Gambit
Quote: The FIN7 financial cybercrime gang is back, delivering JavaScript backdoors using Word documents themed around the next version of Windows.
 
That’s according to researchers at Anomali, who observed a recent campaign from the group that leveraged six different docs, all referencing “Windows 11 Alpha” – the “Insider Preview” version of the upcoming Windows 11 operating system from Microsoft.
 
Windows 11 Alpha was released to the computing giant’s developer channels in late June, and it generated buzz among the technorati for offering a glimpse of the planned upgrades that Windows users can look forward to when Windows 11 rolls out this fall.
 
The FIN7 crooks looked to capitalize on this, delivering the themed docs to targets at a California-based point-of-sale provider called Clearmind (likely via email), among others – all boobytrapped with malicious Visual Basic (VBA) macros.

The infection chain begins with a Microsoft Word document featuring a decoy image, telling readers that it was made with Windows 11 Alpha. The image asks the user to “Enable Editing and Enable Content” to see more. Once the content/editing has been enabled, a VBA macro executes that takes encoded values from a hidden table inside the .doc file and deciphers them with an XOR key. This creates a script that carries out various checks on the target. 

Read more: FIN7 Capitalizes on Windows 11 Release in Latest Gambit | Threatpost