Cybercrime Group FIN7 Using Windows 11 Alpha-Themed Docs to Drop Javascript Backdoor

Authored by: Gage Mele, Tara Gould, Rory Gould, and Sean Townsend <h2>Key Findings</h2> <ul> <li>Anomali Threat Research discovered six malicious Windows 11 Alpha-themed Word documents with Visual Basic macros being used to drop JavaScript payloads, including a Javascript backdoor.</li> <li>While we cannot conclusively identify the attack vector for this activity, our analysis. strongly suggests the attack vector was an email phishing or spearphishing campaign.</li> <li>We assess with moderate confidence that the financially motivated threat group FIN7 is responsible for this campaign.</li> <li>Based on the file names observed in this campaign, the activity likely took place around late-June to late-July 2021.</li> </ul> <h2>Overview</h2> Anomali Threat Research conducted analysis on malicious Microsoft Word document (.doc) files themed after Windows 11 Alpha and assess with moderate confidence that these Word documents were part of a campaign conducted by the threat group FIN7. The group’s goal appears to have been to deliver a variation of a JavaScript backdoor used by FIN7 since at least 2018.[1] <h3>FIN7</h3> FIN7 is an Eastern European threat group that has been active since at least mid-2015. They primarily target United States (US)-based companies across various industries but also operate on a global scale. The group is one of the world’s most notorious cybercrime groups and has been credited with the theft of over 15 million payment card records that cost organizations around the world approximately one billion dollars (USD) in losses.[2] In the US alone, the group has targeted over 100 companies and compromised the networks of organizations in 47 states and the District of Columbia.[3] While FIN7’s primary objective is to directly steal financial information, such as credit and debit card data, they will also steal sensitive information to sell on underground marketplaces. There has been a concerted attempt by law enforcement to tackle the group, including the arrest of three members arrested August 2018 and a high-level organizer in April 2021.[4] Despite these personnel losses and media attention, the group has continued a steady stream of documented activity since at least 2015.[5] In early 2021, FIN7 was identified as gaining illicit access to a law firm’s network by using a fake legal complaint themed around Brown-Forman Inc., the parent company of Jack Daniels whiskey.[6] <h3>Related Groups</h3> FIN7 is closely associated with the threat group referred to as “Carbanak,” with the two groups sharing a significant number of TTPs including the use of the Carbanak backdoor.[7] As such, news media and some intelligence vendors use the names interchangeably. To add to the confusion, different vendors will use their own naming conventions for each group that include: FIN7 - Carbon Spider (Crowdstrike), Gold Niagara (Secureworks), Calcium (Symantec) Carbanak - Carbon Spider (Crowdstrike), Anunak (Group-IB) Trend Micro released a report in April 2021 outlining the differences in TTPs between the two groups and MITRE also track the two groups separately.[8] For clarity, we will treat FIN7 and Carbanak as separate groups; the main distinction being FIN7 focuses on hospitality and retail sectors, while Carbanak targets banking institutions. <h2>Technical Analysis</h2> <h3>Word Document</h3> MD5 d60b6a8310373c9b84e6760c24185535 File name Users-Progress-072021-1.doc The infection chain began with a Microsoft Word document (.doc) containing a decoy image claiming to have been made with Windows 11 Alpha. The image asks the user to Enable Editing and Enable Content to begin the next stage of activity, as shown in Figure 1 below. <img alt="Windows 11-Themed Maldoc" src="https://cdn.filestackcontent.com/tHUc1CmLSa598jbyisN5"/> Figure 1 – Windows 11-Themed Maldoc Analyzing the file, we can see a VBA macro populated with junk data as comments, shown in Figure 2. Once the content/editing has been enabled, the macro is executed. <img alt="VBA Macro with Junk Data" src="https://cdn.filestackcontent.com/IIMWu1DySx2ImOFu87Xx"/> Figure 2 – VBA Macro with Junk Data Junk data is a common tactic used by threat actors to impede analysis. Once we remove this junk data, we are left with a VBA macro, as shown in Figure 3 below. <img alt="VBA Macro without Junk Data" src="https://cdn.filestackcontent.com/M4AUP1v8S7mtAoX6VmVw"/> Figure 3 – VBA Macro without Junk Data The VBScript will take encoded values from a hidden table inside the .doc file, shown in Figure 4. <img alt="Values and Key from Hidden Table" src="https://cdn.filestackcontent.com/y2mA951RQ4yku6N6LXZI"/> Figure 4 – Values and Key from Hidden Table The values are deciphered with the function shown in Figure 5. <img alt="Decoding Function in VBScript" src="https://cdn.filestackcontent.com/zPslyv0BQHycm1SOcOHG"/> Figure 5 – Decoding Function in VBScript The values from the table are deobfuscated using an XOR cipher. In this sample, the key is “uPHdq3MxjOCfnXB.” <img alt="VBA Decoding Function Ported into Python" src="https://cdn.filestackcontent.com/2Oi3MjyROG7vud0QEPv7"/> Figure 6 – VBA Decoding Function Ported into Python After deobfuscating the VBA macro, using the script shown in Figure 6, we can see what is occurring in the code. <img alt="Checks Carried Out" src="https://cdn.filestackcontent.com/EFzAfKEPRAKlDKkPBYrd"/> Figure 7 – Checks Carried Out Shown in Table 1 are the language checks carried out. Table 1 – Language checks <table class="table table-striped"> <thead> <tr> <th scope="col">Code</th> <th scope="col">Language</th> </tr> </thead> <tbody> <tr> <td>1049</td> <td>Russian</td> </tr> <tr> <td>1058</td> <td>Ukrainian</td> </tr> <tr> <td>2073</td> <td>Russian-Moldova</td> </tr> <tr> <td>1070</td> <td>Sorbian</td> </tr> <tr> <td>1051</td> <td>Slovak</td> </tr> <tr> <td>1060</td> <td>Slovenian</td> </tr> <tr> <td>1061</td> <td>Estonian</td> </tr> <tr> <td>3098</td> <td>Serbian</td> </tr> <tr> <td>2074</td> <td>Serbian (Latin)</td> </tr> </tbody> </table> If these languages are detected, the function me2XKr is called which deletes the table and stops running. <img alt="VM Checks" src="https://cdn.filestackcontent.com/ffILTGVFRLuc8bXl2w84"/> Figure 8 – VM Checks The script checks for Virtual Machines, as shown in Figure 8, and if detected it stops running. <img alt="Domain Check" src="https://cdn.filestackcontent.com/iqpQ4s2ASxKw2nqkBjbm"/> Figure 9 – Domain Check Shown in Figure 9, the script checks for the domain CLEARMIND, which appears to refer to the domain of a Point-of-Sale (POS) service provider. The checks include: <ul> <li>Domain name, specifically CLEARMIND (Figure 9)</li> <li>Language, if any of the languages listed in Table 1</li> <li>Reg Key Language Preference for Russian</li> <li>Virtual machine - VMWare, VirtualBox, innotek, QEMU, Oracle, Hyper and Parallels, if a VM is detected the script is killed (Figure 8)</li> <li>Memory Available, if there is less than 4GB then don’t proceed</li> <li>Check for RootDSE via LDAP</li> </ul> If the checks are satisfactory, the script proceeds to the function where a JavaScript file called word_data.js is dropped to the TEMP folder. However, if the language and VM checks are detected, the table deletes itself and does not proceed to the JavaScript payload. This JavaScript file is also full of junk data, as shown in Figure 10 below. <img alt="JavaScript File (word_data.js) with Junk Data" src="https://cdn.filestackcontent.com/mIjwNnFSzCiOp3hVdcXk"/> Figure 10 – JavaScript File (word_data.js) with Junk Data Once again, we removed the junk data to analyze the JavaScript, which we can see contains obfuscated strings, shown in Figure 11. <img alt="JavaScript Function without Junk Data" src="https://cdn.filestackcontent.com/9W5IsypHRk6KHeVuvOV6"/> Figure 11 – Example JavaScript Function without Junk Data The JavaScript file also contains a deobfuscation function which is shown in Figure 12 below. <img alt="JavaScript Snippet Containing the XOR Function" src="https://cdn.filestackcontent.com/w5LYNmyxQdCrMqqpLHOq"/> Figure 12 – JavaScript Snippet Containing the XOR Function Analyzing the XOR cipher function, ‘ben9qtdx4t’ is the key used to decrypt the strings in the JavaScript file (word_data.js). The obfuscation is carried out using a substitution cipher that goes from A through K, displayed in Table 2 below. Table 2 – Substitution Cipher <table class="table table-striped"> <tbody> <tr> <th scope="row">Key</th> <td>A</td> <td>B</td> <td>C</td> <td>D</td> <td>E</td> <td>F</td> <td>G</td> <td>H</td> <td>I</td> <td>J</td> <td>K</td> </tr> <tr> <th scope="row">Code</th> <td>0</td> <td>1</td> <td>2</td> <td>3</td> <td>4</td> <td>5</td> <td>6</td> <td>7</td> <td>8</td> <td>9</td> <td>,</td> </tr> </tbody> </table> <img alt="Deobfuscated Strings" src="https://cdn.filestackcontent.com/Sx45NASXRcqxEIqKs2PZ"/> Figure 13 – Deobfuscated Strings After replacing the obfuscated values with the deobfuscated strings, the Javascript backdoor appears to have similar functionality with other backdoors reportedly used by FIN7.[9] <img alt="First Connection" src="https://cdn.filestackcontent.com/5GunY6Y8RmuOIv8nylhD"/> Figure 14 – First Connection A connection is first made to ‘tnskvggujjqfcskwk.com,’ (Figure 14) and based on the response, a connection is then made to ‘bypassociation[.]com.’ This address is created by picking values from each array (Figure 15) at random. <img alt="Path and Arrays" src="https://cdn.filestackcontent.com/my8phvqsQ3Xciz1cAWgs"/> Figure 15 – Path and Arrays After connecting to the bypassociation[.]com address, the script checks for an active IP to retrieve the MAC address and DNSHostName (Figure 16), which are then submitted via a POST request to the bypassociation address. <img alt="MAC address and DNSHostName" src="https://cdn.filestackcontent.com/Le0gIhSQgm0gHUrtfoxl"/> <img alt="MAC address and DNSHostName" src="https://cdn.filestackcontent.com/7Y7R9UbtSmOJK4S7U3pz"/> Figure 16 – eq5w0 = xgq86 + z897r8d, aka the MAC address and DNSHostName are appended to the data sent Based on the response, further Javascript is executed, as shown in Figure 17. <img alt="Javascript Execution" src="https://cdn.filestackcontent.com/upE0QTfTParwGbsp6jtg"/> Figure 17 – Javascript Execution <h2>Attribution</h2> <ul> <li>Targeting of a POS provider aligns with previous FIN7 activity</li> <li>The use of decoy doc files with VBA macros also aligns with previous FIN7 activity</li> <li>FIN7 have used Javascript backdoors historically</li> <li>Infection stops after detecting Russian, Ukrainian, or several other Eastern European languages</li> <li>Password protected document</li> <li>Tool mark from Javascript file "group=doc700&rt=0&secret=7Gjuyf39Tut383w&time=120000&uid=" follows similar pattern to previous FIN7 campaigns</li> </ul> The specified targeting of the Clearmind domain fits well with FIN7’s preferred modus operandi. As a California-based provider of POS technology for the retail and hospitality sector, a successful infection would allow the group to obtain payment card data and later sell the information on online marketplaces. The US Department of Justice calculates that as of 2018 FIN7 was responsible for stealing over 15 million card records from 6,500 POS terminals.[10] The use of a JavaScript backdoor is also primarily associated with FIN7 and is a common feature within its campaigns.[11] It is worth noting that Carbanak has also been known to use Javascript payloads but, as this targets retail and health POS systems, it aligns with FIN7 activity. While not providing solid attribution, the language check function and table it scores against indicate a likely geographic location for the creator of this malicious doc file. It is accepted as an almost unofficial policy that cybercriminals based in the Commonwealth of Independent States (CIS) are generally left alone, provided they do not target interests or individuals within their respective borders, ergo the VBA macro checking the target system language against a list including common CIS languages which will terminate the infection if found to match. The addition of Sorbian, a minority German Slavic language, Estonian, Slovenian and Slovak are unusual additions as these would not be languages considered for exclusion but would be considered ‘fair game.’ It is worth noting that REvil ransomware also includes these languages in their exclusion tables, a group that is believed to work with FIN7.[12] <h2>Conclusion</h2> FIN7 is one of the most notorious financially motivated groups due to the large amounts of sensitive data they have stolen through numerous techniques and attack surfaces. Things have been turbulent for the threat group over the past few years as with success and notoriety comes the ever-watchful eye of the authorities. Despite high-profile arrests and sentencing, including alleged higher-ranking members, the group continues to be as active as ever.[13] US prosecutors believe the group numbers around 70 individuals, meaning the group can likely accommodate these losses as other individuals will step in.[14] Targeting infrastructure appears to be a more successful method of stopping or delaying these actors. <h2>Endnotes</h2> [1] Kremez, Vitali. 2018. Let's Learn: In-Depth Review of FIN7 VBA Macro & Lightweight JavaScript Backdoor. November 28. Accessed 8 18, 2021. https://www.vkremez.com/2018/11/in-depth-review-of-fin7-vba-macro.html. [2] ESentire. 2021. Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels’ Owner, Brown-Forman Inc. July 21. Accessed August 17, 2019. https://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc. [3] Department of Justice. 2018. Three Members of Notorious International Cybercrime Group “Fin7” In Custody for Role in Attacking Over 100 U.S. companies. August 1. Accessed August 19, 2019. https://www.justice.gov/opa/pr/three-members-notorious-international-cybercrime-group-fin7-custody-role-attacking-over-100. [4] Ibid; Department of Justice. 2021. High-level organizer of notorious hacking group FIN7 sentenced to ten years in prison for a scheme that compromised tens of millions of debit and credit cards . April 16. Accessed August 17, 2021. https://www.justice.gov/usao-wdwa/pr/high-level-organizer-notorious-hacking-group-fin7-sentenced-ten-years-prison-scheme. [5] Carr, Goody, Miller and Vengerik, On the Hunt. [6] ESentire, Notorious Cybercrime Gang. [7] Carr, Goody, Miller and Vengerik, On the Hunt. [8] Trend Micro. 2021. Carbanak and FIN7 Attack Techniques. April 20. Accessed August 17, 2021. https://www.trendmicro.com/en_gb/research/21/d/carbanak-and-fin7-attack-techniques.html. [9] SentinelOne. 2019. Deep Insight into “FIN7” Malware Chain: From Office Macro Malware to Lightweight JS Loader. October 3. Accessed August 19, 2021. https://labs.sentinelone.com/fin7-malware-chain-from-office-macro-malware-to-lightweight-js-loader/. [10] Department of Justice, Three Members. [11] Kaspersky. 2019. FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. May 8. Accessed August 17, 2021. https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/. [12] Counter Threat Unit Research Team. 2019. REvil/Sodinokibi Ransomware. September 24. Accessed August 24, 2021. https://www.secureworks.com/research/revil-sodinokibi-ransomware; Singleton, Camille, Christopher Kiefer, and Ole Villadsen. 2020. Ransomware 2020: Attack Trends Affecting Organizations Worldwide. September 28. Accessed August 24, 2021. https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/. [13] Department of Justice, High-level organizer. [14] Ibid. <h2>IOCs</h2> <table class="table table-striped"> <thead> <tr> <th scope="col">Filename</th> <th scope="col">Hash</th> </tr> </thead> <tbody> <tr> <td>Clients-Current_state-062021-0.doc</td> <td>dc7c07bac0ce9d431f51e2620da93398</td> </tr> <tr> <td>Clients-Progress-072021-7.doc</td> <td>d17f58c6c9771e03342cdd33eb32e084</td> </tr> <tr> <td>Clients-State-072021-4.doc</td> <td>ad4a6a0ddeacdf0fc74c3b45b57a1316</td> </tr> <tr> <td>Customers-State-072021-3.doc</td> <td>de14cf1e58d288187680f5938e2250df</td> </tr> <tr> <td>Clients-State-072021-4.doc</td> <td>ad4a6a0ddeacdf0fc74c3b45b57a1316</td> </tr> <tr> <td>Users-Progress-072021-1.doc</td> <td>d60b6a8310373c9b84e6760c24185535</td> </tr> <tr> <td>Users-Progress-072021-1.lnk</td> <td>72149bbd364326618df00dc6b0e0b4c4</td> </tr> <tr> <td>word_data.bin/word_data.js</td> <td>0d12e8754adacc645a981426e69b91ec</td> </tr> <tr> <td>word_data.bin/word_data.js</td> <td>8f5302dafa90958117cbee992a0e09a9</td> </tr> <tr> <td>word_data.bin/word_data.js</td> <td>f4c77f40e325a420be4660370a97158c</td> </tr> <tr> <td>word_data.bin/word_data.js</td> <td>ce80bf89bbc800547039844d400ab27c</td> </tr> <tr> <td>word_data.bin/word_data.js</td> <td>41c48b16a01f0322b4e851aa4e1c4e0e</td> </tr> </tbody> </table> <h3>IP Address</h3> 85.14.253.178 <h3>Domains</h3> tnskvggujjqfcskwk[.]com https://bypassociation[.]com https://bypassociation[.]com/images/sync?type=name https://bypassociation[.]com/new?type=name https://bypassociation[.]com/pictures/hide?type=name https://bypassociation[.]com/pictures/show?type=name https://bypassociation[.]com/images/hide?type=name https://bypassociation[.]com/img/hide?type=name https://bypassociation[.]com/img/add?type=name https://bypassociation[.]com/images/add?type=name https://bypassociation[.]com/info/hide?type=name <h2>MITRE ATT&CK</h2> <table class="table table-striped"> <thead> <tr> <th scope="row">Technique</th> <th scope="col">ID</th> <th scope="col">Name</th> </tr> </thead> <tbody> <tr> <th scope="row">Execution</th> <td>T1059.005</td> <td>Command and Scripting Interpreter: Visual Basic</td> </tr> <tr> <th scope="row"> </th> <td>T1059.007</td> <td>Command and Scripting Interpreter: Javascript</td> </tr> <tr> <th scope="row"> </th> <td>T1204.002</td> <td>User Execution: Malicious File</td> </tr> <tr> <th scope="row"> </th> <td>T1047</td> <td>Windows Management Instrument</td> </tr> <tr> <th scope="row">Defense Evasion</th> <td>T1140</td> <td>Deobfuscate/Decode Files or Information</td> </tr> <tr> <th scope="row"> </th> <td>T1027</td> <td>Obfuscated Files or Information</td> </tr> <tr> <th scope="row"> </th> <td>T1497</td> <td>Virtualization/Sandbox Evasion</td> </tr> <tr> <th scope="row"> </th> <td>T1497.001</td> <td>Virtualization/Sandbox: System Checks</td> </tr> <tr> <th scope="row">Discovery</th> <td>T1087.002</td> <td>Account Discovery: Domain Account</td> </tr> </tbody> </table> <h2>Appendix</h2>Script for deobfuscating VBA:def fin_decode(list, keyS): keyOrd = [ord(l)for l in keyS] final_list = [] count = 0 for num in list: key_2 = keyOrd[count % len(keyS)] count += 1 final_list.append(str(num - key_2)) finalList = ' '.join(final_list) for n in range(0, len(final_list)): final_list[n] = int(final_list[n]) let = chr(final_list[n]) print(let, end='')Script for deobfuscating the Javascript files:def xor(data, key): dict = {'A': 0, 'B': 1, 'C': 2, 'D': 3, 'E': 4, 'F': 5, 'G': 6, 'H': 7, 'I': 8, 'J': 9, 'K': ","} length = len(key) dictD = [dict[d] for d in data] values = "".join(str(x) for x in dictD) values = values.strip(',') values = values.split(',') d = [int(k) for k in values] key_ord = [ord(m) for m in key] decode = "" count = 0 for i in d: decode += chr(i ^ key_ord[count % length]) count += 1 print(decode)