Anomali believes that the backdoor resembles one commonly used by the Eastern European threat group known as FIN7 which is thought to have already cost businesses around a billion dollars (opens in new tab).
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.
>> Click here to start the survey in a new window (opens in new tab) <<
- We've put together a list of the best endpoint protection (opens in new tab) software
- Check our list of the best firewall apps and services (opens in new tab)
- Here's our choice of the best malware removal (opens in new tab) software on the market
“While we cannot conclusively identify the attack vector for this activity, our analysis. strongly suggests the attack vector was an email phishing (opens in new tab) or spear-phishing campaign,” note (opens in new tab) the researchers.
According to the report, upon opening, the tainetd documents show Windows 11 imagery with text suggesting that the document was generated with the newer operating system, which can’t be viewed because of a compatibility issue.
This is in fact a trick to fool users into following the listed instructions to enable macro content, and help the nefarious documents to install the backdoor.
An analysis of the malicious code reveals it is obfuscated to hinder analysis, though the researchers were able to un-jumble it to reveal the trickery.
Interestingly, the script is designed to self-annihilate if it detects the victim’s computer is using Russian or a handful of other Eastern European languages, or has less than 4GB of available memory, or is a virtual machine (VM (opens in new tab)) instead of a physical computer.
Anomali believes that the attack is designed specifically to target the US-based Clearmind point-of-sale (POS) (opens in new tab) provider. This further connects the attack to the FIN7 group, which has attacked Clearmind in the past as well.
“As a California-based provider of POS technology for the retail and hospitality sector, a successful infection would allow the group to obtain payment card data and later sell the information on online marketplaces,” share the researchers.
- Protect your devices with these best antivirus software (opens in new tab)