Home News After FIN8, Researchers Warn About FIN7 Hackers Exploiting Windows Docs

After FIN8, Researchers Warn About FIN7 Hackers Exploiting Windows Docs

Security experts from Anomali recently uncovered a malicious phishing campaign from FIN7 hackers using weaponized Windows 11 Alpha-themed Word docs with Visual Basic macros to deploy malware.

Altering certified PDF Documents, FIN7 Hackers

Attack vectors range from malicious attachments to weaponized PDFs.  These vectors have been continually evolving over the years. Recently, security experts from Anomali uncovered a malicious phishing campaign that used weaponized Windows 11 Alpha-themed Word docs with Visual Basic macros to deploy malware backdoors like JavaScript payloads. Anomali attributed the malicious attacks, suspected of occurring between June to July 2021, to the infamous threat actor group FIN7.

“While we cannot conclusively identify the attack vector for this activity, our analysis. We suggest the attack vector was an email phishing or spear-phishing campaign. We assess with moderate confidence that the financially motivated threat group FIN7 is responsible for this campaign,” Anomali said.

FIN7 Hacking Group

Active since 2015, the FIN7 is an Eastern European cybercriminal group that primarily targeted organizations across the U.S. Anomali stated that the FIN7 group is responsible for the theft of over 15 million payment card records worth one billion dollars. It’s estimated that the gang targeted around 100 organizations and compromised their networks.

“FIN7 is one of the most notorious financially motivated groups due to the large amounts of sensitive data they have stolen through numerous techniques and attack surfaces. Things have been turbulent for the threat group over the past few years, as with success and notoriety comes the ever-watchful eye of the authorities. Despite high-profile arrests and sentencing, including alleged higher-ranking members, the group continues to be as active as ever,” Anomali added.

Infection Chain

Attackers initiated the infection process by sending a Microsoft Word document containing a decoy image claiming to have been made with Windows 11 Alpha. The image then asks the user to Enable Editing and Enable Content to begin the next stage of the malicious activity.

The primary aim of the FIN7 group is to pilfer sensitive financial information like credit/debit card details and trade them on underground darknet marketplaces. FIN7 targeted a California-based point-of-sales (POS) technology provider to obtain payment card data and later sell the information for monitory benefits. The FIN7 actors are responsible for stealing over 15 million card records from 6,500 POS terminals.

In a similar threat analysis, cybersecurity experts from Bitdefender uncovered a new financially motivated malware campaign by the infamous threat actor group FIN8, circulating a new version of its BADHATCH malware, tracked as Sardonic. Read More Here

Previous articleU.S. Cyber Command Warns Active Exploitation of Atlassian Confluence Vulnerability
Next articleThe Cloud is New Territory for Computer Forensics