“Made on Windows 11 Alpha” Microsoft Word Documents Are Actually Malware in Disguise

Anomali Threat Research, a security research company, has issued a warning about a malicious Microsoft Word document (maldoc), six samples of which have been discovered, that masquerades as a document “made on Windows 11 Alpha”. The file is named “Users-Progress-072021-1.doc”.

Most people familiar with Windows 11 and its release variants would know that no such thing exists. People outside the loop, however, may fall for the trap and open the file simply because they have heard the fuss about the next-generation Windows operating system.

The maldoc uses VBA (Visual Basic for Applications) macros to drop a JavaScript payload once the macro runs. The macro executes when the user clicks “Enable Editing” and then “Enable Content”, as the document's cover page instructs them to do.

The macro is padded with a large amount of junk data to make analysis harder for researchers and threat hunters, but stripping most of it away reveals how the threat actors intend to infect a system with this document.

For example, the maldoc performs several checks before proceeding, such as:

  • a language check
  • a virtual machine (VM) check
  • a check of the machine's memory capacity
  • a check for a domain called CLEARMIND

CLEARMIND appears to be the domain of a point-of-sale (POS) service provider for the retail and hospitality industry. Anomali attributes the file to the FIN7 group, which is known for hitting such targets to steal data at scale.
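As a defender-side illustration, added here and not taken from Anomali's report or from the maldoc itself, the following Python triage heuristic scans extracted macro text for the four check families listed above and measures how much of the macro is comment padding. The indicator regexes are assumptions about how such checks usually surface in VBA/WMI code, and SAMPLE_MACRO is a constructed fixture, not the real macro.

```python
"""Triage heuristic for extracted VBA macro text (added example).

Flags the language, VM, memory and CLEARMIND-domain checks described in the
article. Patterns are assumptions about typical VBA/WMI usage; SAMPLE_MACRO is
constructed. Feed it the output of a macro extractor such as oletools' olevba.
"""
import re
from typing import Dict, List

# Category -> regexes (matched case-insensitively) that suggest the check.
INDICATORS: Dict[str, List[str]] = {
    "language_check": [r"OSLanguage", r"MUILanguages", r"GetUserDefaultLangID", r"GetLocaleInfo"],
    "vm_check": [r"VMware", r"VirtualBox", r"\bVBOX\b", r"QEMU", r"\bManufacturer\b"],
    "memory_check": [r"TotalPhysicalMemory", r"TotalVisibleMemorySize", r"GlobalMemoryStatus"],
    "domain_check": [r"CLEARMIND", r"USERDOMAIN", r"USERDNSDOMAIN", r"\.Domain\b"],
}

def triage_macro(vba: str) -> Dict[str, List[str]]:
    """Return {category: [patterns that matched]} for every category with a hit."""
    hits: Dict[str, List[str]] = {}
    for category, patterns in INDICATORS.items():
        matched = [p for p in patterns if re.search(p, vba, re.IGNORECASE)]
        if matched:
            hits[category] = matched
    return hits

def junk_ratio(vba: str) -> float:
    """Share of non-blank lines that are comments; a high value hints at padding."""
    lines = [ln.strip() for ln in vba.splitlines() if ln.strip()]
    if not lines:
        return 0.0
    return sum(1 for ln in lines if ln.startswith("'") or ln.lower().startswith("rem ")) / len(lines)

# Constructed fragment: contains the four check families, no payload logic.
SAMPLE_MACRO = r"""
' constructed fixture for the scanner above, not code from the maldoc
Set objOS = GetObject("winmgmts:").ExecQuery("Select * from Win32_OperatingSystem")
For Each o In objOS: langId = o.OSLanguage: memKB = o.TotalVisibleMemorySize: Next
Set objCS = GetObject("winmgmts:").ExecQuery("Select * from Win32_ComputerSystem")
For Each c In objCS: maker = c.Manufacturer: dom = UCase(c.Domain): Next
If InStr(maker, "VMware") > 0 Then Exit Sub
If InStr(dom, "CLEARMIND") = 0 Then Exit Sub
' stage two omitted
"""

if __name__ == "__main__":
    for cat, pats in triage_macro(SAMPLE_MACRO).items():
        print(f"{cat}: {', '.join(pats)}")
    print(f"junk ratio: {junk_ratio(SAMPLE_MACRO):.2f}")
```

A macro that trips all four categories is not proof of malice on its own, but it is a strong cue to escalate the sample for manual review.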

More technical details on the maldoc can be found in Anomali's official blog post.
