Skip to main content

Beware - that Windows 11 document is probably a scam

scammers
(Image credit: Shutterstock / Brazhyk)

A new malware scam has been detected that looks to capitalize on curiosity about the upcoming Windows 11 release, cybersecurity researchers has found.

Analysts at security company Anomali looked at six macro code-laced Microsoft Word documents, which all tricked users into downloading a JavaScript backdoor that can then be used by the attacker to deliver any malicious payload.

Anomali believes that the backdoor resembles one commonly used by the Eastern European threat group known as FIN7 which is thought to have already cost businesses around a billion dollars.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

“While we cannot conclusively identify the attack vector for this activity, our analysis. strongly suggests the attack vector was an email phishing or spear-phishing campaign,” note the researchers. 

POS attack

According to the report, upon opening, the tainetd documents show Windows 11 imagery with text suggesting that the document was generated with the newer operating system, which can’t be viewed because of a compatibility issue.

This is in fact a trick to fool users into following the listed instructions to enable macro content, and help the nefarious documents to install the backdoor.

An analysis of the malicious code reveals it is obfuscated to hinder analysis, though the researchers were able to un-jumble it to reveal the trickery.

Interestingly, the script is designed to self-annihilate if it detects the victim’s computer is using Russian or a handful of other Eastern European languages, or has less than 4GB of available memory, or is a virtual machine (VM) instead of a physical computer.

Anomali believes that the attack is designed specifically to target the US-based Clearmind point-of-sale (POS) provider. This further connects the attack to the FIN7 group, which has attacked Clearmind in the past as well. 

“As a California-based provider of POS technology for the retail and hospitality sector, a successful infection would allow the group to obtain payment card data and later sell the information on online marketplaces,” share the researchers.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.