MCP Insights by Mission Critical Partners

Cybersecurity Threat Advisory: Disguised Windows Files and Documentation

Written by Mike Beagles | September 20, 2021

As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.

Today there is a new critical alert that requires the mission-critical community’s immediate attention.

Advisory Overview

Security researchers have discovered recent attempts by cyberattackers to infect machines with malicious Microsoft Word documents containing VBA macros and JavaScript — their goal is to plant a backdoor and create persistence. These documents are disguised as documentation or information related to the new Windows 11 Alpha release to entice users into interacting. The key recommendation to remediate the threat is to block the indicators of compromise (IOCs) identified in this advisory.

What is the Threat?

Security researchers have moderate confidence in attributing this threat campaign to FIN7, which is a prominent threat group that seems to be financially motivated. FIN7 typically targets U.S.-based companies. The has been known to utilize a variation of JavaScript backdoors since at least 2018, specifically targeting point-of-sale (POS) systems.

The cyberattackers are utilizing the anticipation around the new Windows 11 Alpha release to entice end-users to interact with the specific Word documents, which will be running the VBA macro and JavaScript backdoor on the machine.

Why Is it Noteworthy?

According to the U.S. Department of Justice, FIN7 is responsible for stealing million 15 million credit-card records from 6,500 POS terminals since 2018. Additionally, the group reportedly has ties to other cyberattack groups, such as Carbanak and the notorious REvil ransomware gang. This campaign of malicious Word documents creates a backdoor for cyberattackers on the compromised machine, which then provides them with full access to the device and the potential to move laterally within the network. Future collaboration with other threat groups such as REvil would enable the seamless distribution of ransomware or other forms of malware through the backdoor created by this threat.

What Is the Risk?

This threat can affect any device that supports the use of JavaScript and utilizes the Microsoft Office suite. Additionally, FIN7 is known to target POS systems across multiple industries specifically targeting personal identifiable information (PII) and credit card information. The backdoor created by this threat potentially can lead to a plethora of future compromises.

What are the Recommendations?

MCP recommends the following actions:

  • Block the following IOCs on any firewalls
    • 85.14.253.178
    • tnskvggujjqfcskwk[.]com
    • https://bypassociation[.]com
  • Continuously train employees on security awareness and recognizing phishing attacks, as most malicious documents of this nature come via phishing campaigns.
  • Ensure that antivirus definitions are up to date.

References

For more in-depth information about the recommendations, please visit the following links:

If you are looking for guidance, please reach out. MCP offers a comprehensive cybersecurity solutions suite that is designed specifically for public safety and justice entities and other critical infrastructure organizations, to help them determine their network, data, and application vulnerabilities. We can help you develop a complete cyberattack prevention strategy. Contact us today to learn more.