Researchers at Anomali warn that the financially motivated threat group FIN7 is using Windows 11-themed phishing documents to deliver malware. The documents claim to have been created on Windows 11 Alpha, and they ask users to enable macros in order to view the content.
“FIN7 is an Eastern European threat group that has been active since at least mid-2015,” the researchers write. “They primarily target United States (US)-based companies across various industries but also operate on a global scale. The group is one of the world’s most notorious cybercrime groups and has been credited with the theft of over 15 million payment card records that cost organizations around the world approximately one billion dollars (USD) in losses. In the US alone, the group has targeted over 100 companies and compromised the networks of organizations in 47 states and the District of Columbia. While FIN7’s primary objective is to directly steal financial information, such as credit and debit card data, they will also steal sensitive information to sell on underground marketplaces.”
The researchers add that the FIN7 criminals operate from former Soviet republics, what Russia refers to as “the near abroad,” and that they sometimes work with the REvil ransomware gang.
“While not providing solid attribution, the language check function and table it scores against indicate a likely geographic location for the creator of this malicious doc file,” Anomali says. “It is accepted as an almost unofficial policy that cybercriminals based in the Commonwealth of Independent States (CIS) are generally left alone, provided they do not target interests or individuals within their respective borders, ergo the VBA macro checking the target system language against a list including common CIS languages which will terminate the infection if found to match. The addition of Sorbian, a minority German Slavic language, Estonian, Slovenian and Slovak are unusual additions as these would not be languages considered for exclusion but would be considered ‘fair game.’ It is worth noting that REvil ransomware also includes these languages in their exclusion tables, a group that is believed to work with FIN7.”
New-school security awareness training can enable your employees to thwart social engineering attacks.
Anomali has the full story.