Threat Update
Security researchers have discovered recent attempts by threat actors to infect machines with malicious Word documents containing VBA macros and JavaScript that plant a backdoor and establish persistence. The Word documents are disguised as documentation or information about the new Windows 11 Alpha release to entice users into opening them. The recommended remediation is to block the IOCs listed in this advisory.
Technical Detail & Additional Information
WHAT IS THE THREAT?
Security researchers have moderate confidence in attributing this campaign to the threat group FIN7. FIN7 is a prominent, financially motivated threat group that typically targets US-based companies. FIN7 has been known to use variations of JavaScript backdoors since at least 2018, specifically targeting Point-of-Sale (POS) systems.
The Word documents containing the malicious VBA macros and JavaScript backdoor exploit the anticipation around the new Windows 11 Alpha release to entice end users into opening them; once opened and macros are enabled, the VBA macro runs and deploys the JavaScript backdoor on the machine.
WHY IS IT NOTEWORTHY?
According to the US Department of Justice, FIN7 is responsible for stealing over 15 million card records from 6,500 POS terminals since 2018. Additionally, the group is reported to have ties to other groups such as Carbanak and the notorious REvil ransomware gang. This campaign of malicious Word documents creates a backdoor for the threat actors on the compromised machine, giving them full access to the device and the potential to move laterally within the network. Future collaboration with other threat groups such as REvil would allow ransomware or other malware to be distributed seamlessly through the backdoor created by this threat.
WHAT IS THE EXPOSURE OR RISK?
This threat can affect any device that supports JavaScript and uses the Microsoft Office Suite. Additionally, FIN7 is known to target POS systems across multiple industries, specifically going after PII and credit card information. The backdoor created by this threat can potentially lead to a myriad of future compromises.
WHAT ARE THE RECOMMENDATIONS?
SKOUT recommends the following:
- Block the following IOCs on any firewalls:
  - 85.14.253.178
  - tnskvggujjqfcskwk[.]com
  - https://bypassociation[.]com
- Continuously train employees on security awareness and recognizing phishing attacks, as most malicious documents of this nature arrive via phishing campaigns.
- Ensure antivirus definitions are up to date.
For SKOUT Endpoint Protection customers, SKOUT Endpoint Protection can block the execution of Visual Basic macro scripts and JavaScript files.
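As an added illustration of the IOC-blocking recommendation (this script is not part of the SKOUT advisory), the following Python code refangs the defanged IOCs listed above, reduces the URL indicator to its hostname, and searches proxy/DNS log lines for contact with the listed IP, host, or any subdomain of it, while ignoring lookalike domains that merely contain the host string. The log format and sample lines are constructed assumptions.

```python
import re
import ipaddress
from urllib.parse import urlparse

# The three IOCs published in the advisory above, kept in their defanged form.
ADVISORY_IOCS = ["85.14.253.178", "tnskvggujjqfcskwk[.]com", "https://bypassociation[.]com"]
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b")

def refang(ioc: str) -> str:
    """Undo advisory defanging ('[.]' and 'hxxp') so the value can be matched against logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

def normalize_ioc(ioc: str) -> tuple:
    """Return ('ip', value) or ('host', value); a URL indicator is reduced to its hostname."""
    value = refang(ioc).strip().lower()
    if "://" in value:
        value = urlparse(value).hostname or value
    try:
        ipaddress.ip_address(value)
        return ("ip", value)
    except ValueError:
        return ("host", value)

def find_ioc_hits(log_text: str, iocs=ADVISORY_IOCS) -> list:
    """Return (ioc, line) pairs for lines contacting a listed IP, host, or subdomain of a listed host."""
    normalized = [normalize_ioc(i) for i in iocs]
    hits = []
    for line in log_text.splitlines():
        lowered = line.lower()
        ips = set(IP_RE.findall(lowered))
        hosts = set(HOST_RE.findall(lowered))
        for kind, value in normalized:
            if kind == "ip" and value in ips:
                hits.append((value, line))
            # Exact host or subdomain only: 'bypassociation.com.evil-lookalike.net' is not a hit.
            elif kind == "host" and any(h == value or h.endswith("." + value) for h in hosts):
                hits.append((value, line))
    return hits

# Constructed sample proxy/DNS log lines (hypothetical format; not taken from the advisory).
SAMPLE_LOGS = """\
2021-09-03T10:15:02Z 10.0.0.21 DNS query tnskvggujjqfcskwk.com
2021-09-03T10:15:03Z 10.0.0.21 CONNECT 85.14.253.178:443
2021-09-03T10:16:10Z 10.0.0.34 GET https://www.example.org/updates
2021-09-03T10:17:44Z 10.0.0.34 GET https://cdn.bypassociation.com/doc.js
2021-09-03T10:18:00Z 10.0.0.50 DNS query bypassociation.com.evil-lookalike.net
"""

if __name__ == "__main__":
    for ioc, line in find_ioc_hits(SAMPLE_LOGS):
        print(f"HIT {ioc}: {line}")
```

Running the script against the constructed sample reports three hits (the DNS lookup, the direct connection to the IP, and the subdomain fetch) and correctly skips the lookalike domain on the last line.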
REFERENCES
For more in-depth information about the recommendations, please visit the following links:
- https://www.anomali.com/blog/cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor
- https://www.vkremez.com/2018/11/in-depth-review-of-fin7-vba-macro.html
- https://www.trendmicro.com/en_gb/research/21/d/carbanak-and-fin7-attack-techniques.html
- https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/
If you have any questions, please contact our Security Operations Center.