Anomali Threat Research, a security research firm, has issued a warning about a malicious Microsoft Word document (maldoc) that masquerades as a document "made on Windows 11 Alpha"; six samples have been discovered so far. The file is named "Users-Progress-072021-1.doc".
Most people familiar with the Windows 11 builds and their variations would probably be aware of such a thing never existing. However, people out of the loop may fall for this and decide to run the file as they might have heard all the commotion about the next-gen Windows OS.
The maldoc uses VBA (Visual Basic for Applications) macros to drop a JavaScript payload once the macro runs. The macro executes when the user clicks "Enable editing" and then "Enable content", as instructed on the document's cover page.
There is a lot of junk data so as to make analysis difficult for researchers and cybercrime hunters but cleaning up much of it reveals how the threat actors wish to infect a system with this document.
For example, the maldoc performs several checks before proceeding, such as:
- a language check
- a virtual machine (VM) check
- a memory capacity check
- a check for a domain called CLEARMIND
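The four checks above are classic sandbox-evasion and targeting gates, and they are also what a defender can look for when triaging extracted macro source. The following is an added example, not code from the article or from Anomali's analysis: a small Python heuristic scanner that flags VBA source containing the kinds of API calls and strings these checks typically use. The VBA idioms it matches (`LanguageSettings`, WMI `Win32_ComputerSystem` queries, `TotalPhysicalMemory`, `Environ("USERDOMAIN")`) are assumptions about how such checks are usually written, and the embedded macro is a constructed sample, not the real maldoc.

```python
import re
from typing import Dict, List

# Heuristic patterns for the four gates named in the article. These idioms are
# assumptions about typical VBA evasion code, not strings from the real sample.
EVASION_PATTERNS: Dict[str, List[str]] = {
    "language_check": [
        r"LanguageSettings", r"GetUserDefaultLCID", r"GetSystemDefaultLangID",
    ],
    "vm_check": [
        r"VMware", r"VirtualBox", r"VBOX", r"QEMU", r"Win32_ComputerSystem",
    ],
    "memory_check": [
        r"TotalPhysicalMemory", r"TotalVisibleMemorySize",
    ],
    "domain_check": [
        r'Environ\s*\(\s*"USERDOMAIN"\s*\)', r"CLEARMIND",
    ],
}

COMPILED = {
    cat: [re.compile(p, re.IGNORECASE) for p in pats]
    for cat, pats in EVASION_PATTERNS.items()
}


def strip_comments(source: str) -> List[str]:
    """Return non-empty, non-comment VBA lines (comments start with ' or Rem)."""
    lines = []
    for raw in source.splitlines():
        line = raw.strip()
        if not line or line.startswith("'") or line.lower().startswith("rem "):
            continue
        lines.append(line)
    return lines


def scan_vba(source: str) -> Dict[str, List[str]]:
    """Map each triggered evasion category to the source lines that matched."""
    hits: Dict[str, List[str]] = {}
    for line in strip_comments(source):
        for cat, regexes in COMPILED.items():
            if any(r.search(line) for r in regexes):
                hits.setdefault(cat, []).append(line)
    return hits


def score_macro(source: str) -> int:
    """Number of distinct evasion categories present in the macro."""
    return len(scan_vba(source))


def is_suspicious(source: str, threshold: int = 2) -> bool:
    """Assumed triage rule: two or more distinct gates warrant analyst review."""
    return score_macro(source) >= threshold


# Constructed sample macro mirroring the four checks; the language id and the
# 4 GiB memory floor are placeholder values, not values from the real maldoc.
SAMPLE_MACRO = r"""
Sub AutoOpen()
    ' constructed sample, not the real maldoc
    Dim lang As Long
    lang = Application.LanguageSettings.LanguageID(msoLanguageIDInstall)
    If lang = 9999 Then Exit Sub
    Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
    For Each cs In objWMI.ExecQuery("Select * from Win32_ComputerSystem")
        If InStr(cs.Model, "VirtualBox") > 0 Then Exit Sub
        If cs.TotalPhysicalMemory < 4294967296# Then Exit Sub
    Next
    If UCase(Environ("USERDOMAIN")) <> "CLEARMIND" Then Exit Sub
    ' payload stage omitted
End Sub
"""

# Constructed benign macro used as a control.
BENIGN_MACRO = """
Sub FormatTable()
    ' constructed benign macro
    Selection.Font.Bold = True
End Sub
"""

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(name, score_macro(src), is_suspicious(src), sorted(scan_vba(src)))
```

In practice the macro source would come from a tool such as olevba rather than a string literal, and the junk data the article mentions is exactly why a line-oriented pattern scan is preferable to reading the code top to bottom: the matches point the analyst at the few lines that gate execution.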
CLEARMIND is apparently the domain of a Point-of-Sale (POS) service provider for the retail and hospitality sector. Anomali believes this file has been created by the FIN7 group which is famous for striking such targets to steal large-scale data.
More technical details on the maldoc can be found in the official blog post here.