A new malware scam has been detected that looks to capitalize on curiosity about the upcoming Windows 11 release, cybersecurity researchers have found.
Analysts at security company Anomali looked at six macro-laced Microsoft Word documents, all of which tricked users into downloading a JavaScript backdoor that the attacker can then use to deliver any malicious payload.
Anomali believes that the backdoor resembles one commonly used by the Eastern European threat group known as FIN7, which is thought to have already cost businesses around a billion dollars.
“While we cannot conclusively identify the attack vector for this activity, our analysis strongly suggests the attack vector was an email phishing or spear-phishing campaign,” note the researchers.
POS attack
According to the report, upon opening, the tainted documents show Windows 11 imagery with text suggesting that the document was generated with the newer operating system and can’t be viewed because of a compatibility issue.
This is in fact a trick to get users to follow the listed instructions to enable macro content, which lets the malicious documents install the backdoor.
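One defender-side check for the kind of attachment described above, added here as an example rather than code from the article or from Anomali's report: it inspects an Office Open XML package for a VBA project part, assuming the standard layout (word/vbaProject.bin declared in [Content_Types].xml); legacy binary .doc files are out of scope, and the sample documents are constructed in memory.

```python
import io
import zipfile
from typing import List

# Content type that OOXML uses to declare an embedded VBA project
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_macro_indicators(data: bytes) -> List[str]:
    """Return the reasons a document looks macro-enabled (empty list if none)."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # A VBA project part anywhere in the package
            for name in names:
                if name.lower().endswith("vbaproject.bin"):
                    reasons.append(f"VBA project part present: {name}")
            # The package content-type map declaring a VBA project
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in ctypes:
                    reasons.append("[Content_Types].xml declares a VBA project")
    except zipfile.BadZipFile:
        reasons.append("not an OOXML package (possibly legacy .doc or non-Office file)")
    return reasons


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a tiny fake OOXML package in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        parts = '<Default Extension="xml" ContentType="application/xml"/>'
        if with_macro:
            parts += (f'<Override PartName="/word/vbaProject.bin" '
                      f'ContentType="{VBA_CONTENT_TYPE}"/>')
        zf.writestr("[Content_Types].xml", f"<Types>{parts}</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real VBA project stream
            zf.writestr("word/vbaProject.bin", b"\x00fake-vba-project\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        label = "macro-enabled" if flag else "plain"
        print(label, find_macro_indicators(build_sample_docx(flag)))
```

A positive result only says the document carries a VBA project; triaging what the macro does still needs a dedicated tool or a sandbox.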
An analysis of the malicious code reveals it is obfuscated to hinder analysis, though the researchers were able to un-jumble it to reveal the trickery.
Interestingly, the script is designed to self-annihilate if it detects that the victim’s computer is using Russian or a handful of other Eastern European languages, has less than 4GB of available memory, or is a virtual machine (VM) instead of a physical computer.
Anomali believes that the attack is designed specifically to target the US-based Clearmind point-of-sale (POS) provider. This further connects the attack to the FIN7 group, which has attacked Clearmind in the past as well.
“As a California-based provider of POS technology for the retail and hospitality sector, a successful infection would allow the group to obtain payment card data and later sell the information on online marketplaces,” share the researchers.