Cybersecurity Threat Advisory 0062-21: Threat Actors Disguise Malicious Word Files as Windows 11 Documentation
Technical Detail & Additional Information
WHAT IS THE THREAT?
WHY IS IT NOTEWORTHY?
According to the US Department of Justice, FIN7 is responsible for stealing over 15 million card records from 6,500 POS terminals since 2018. Additionally, the group has reported ties to other groups such as Carbanak and the notorious REvil Ransomware gang. This campaign of malicious Word documents creates a backdoor for the threat actors on the compromised machine which then provides the threat actor with full access to the device and the potential to move laterally within the network. Future collaboration with other threat groups such as REvil would allow for the seamless distribution of ransomware or other forms of malware through the backdoor created by this threat.
WHAT IS THE EXPOSURE OR RISK?
WHAT ARE THE RECOMMENDATIONS?
SKOUT recommends the following:
Block the below IOCs on any firewalls:
- Continuously train employees on security awareness and recognizing phishing attacks, as most malicious documents of this nature come via phishing campaigns.
- Ensure antivirus definitions are up to date.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.