Rewterz Threat Alert – FIN7 Using Windows 11 Alpha-Themed Docs to Drop Javascript Backdoor

Severity

High

Analysis Summary

European group Fin7 has been active since 2015 and continuously targeting various industries around the world and especially United States (US)-based companies. This European group is most famous in cybercrime group and has been credited with the theft of over 15 million payments cards records that cost organizations around the world approximately one billion (USD) dollars in lossess.Fin7 compromised networks of 47 states District of Columbia by stealing their complete financial information such as debit card data they can also steal sensitive information of victims and sell them in underground markets. Fin7 is also referred as Carbanak,Gold Niagara,Calcium.

Impact

• Information Theft and Espionage
• Credential Theft
• Exposure of Sensitive Data
• Unauthorized Access

Indicators of Compromise

Domain Name

• Users-Progress-072021-1[.]lnk

IP

• 85[.]14[.]253[.]178

MD5

• dc7c07bac0ce9d431f51e2620da93398
• d17f58c6c9771e03342cdd33eb32e084
• ad4a6a0ddeacdf0fc74c3b45b57a1316
• de14cf1e58d288187680f5938e2250df
• d60b6a8310373c9b84e6760c24185535
• 72149bbd364326618df00dc6b0e0b4c4
• 0d12e8754adacc645a981426e69b91ec
• 8f5302dafa90958117cbee992a0e09a9
• f4c77f40e325a420be4660370a97158c
• ce80bf89bbc800547039844d400ab27c
• 41c48b16a01f0322b4e851aa4e1c4e0e

SHA-256

• 71832696f8efa5ea83ffd5cf0af981ea931297b4679e71990afd6bac350d31fe
• 54116752c7b9c219dbf461ccab96573a2973784dc2c1bc858fe696d09ecd058c
• bddcb2e75e414b3a489d53f8cda1a21b043af7e7758998b17659c1938594d2ca
• 747cb5cbaa00b9850f9064b43ddb6de298d8058cf54f538af18366b22ece7fde
• ef0a68eb3e2998acdd5fdce8acd980ea9077c44fefced848a36805690844ae37
• 262f38e1d3bb10021c1b23ea48fcd77010b0bdddbbd5b8df64f570f16ffb2caa
• 6321c30fbd2e7d9d965750ec961766908980f69e946fa3ad97ed7f0d998fa46f
• 820df29031263bbbcc9f80ff560ddb478060c771318b2a7e74f87946e13d6f9b
• 8a392ab0f0ab1244dedc52fb1f99a2cf06f50766c0a75f1c4236375290be56d3
• 8cbf62b382ea5e4fecde4a6fb376014ad2aacfa0296df205a1a6ab1d2f5de3d5
• be88e29f703a60a139b2eb5593b5ae22b7afea2469308197505c6c862d5d16c9

SHA-1

• 895cbed43d27d42e7a021eb7a7f811f58896d8c7
• 25fadbc01eaa53b1d34fb5169f84a33901dfeed7
• 282c431963a312d65a73ba2147c7980eb493f1ca
• 42198262e8a6df03a9673888b509814cc36d777b
• 6b1da5e0ecda14512369a7201982a6bc13b33700
• ef878e44108b4b9103a32ecf7aae95e3e580e309
• f411bc0e65d7eebd9f7cff4e3417d7bc07df0279
• 7c39c0f7f4e757fe1548262ddd106b392f1d8bf7
• 6f6af41c3c5f6d8b5d0a804a443292438b2b478d
• 59fcfbfa399857d31b5a253b8ee53a29c65ba243
• 7c8801aa9d43631d25ed5250778d1b4112c4f608

Domain Name

• https[:]//bypassociation[.]com
• https[:]//bypassociation[.]com/images/sync?type=name
• https[:]//bypassociation[.]com/new?type=name
• https[:]//bypassociation[.]com/pictures/hide?type=name
• https[:]//bypassociation[.]com/pictures/show?type=name
• https[:]//bypassociation[.]com/images/hide?type=name
• https[:]//bypassociation[.]com/img/hide?type=name
• https[:]//bypassociation[.]com/img/add?type=name
• https[:]//bypassociation[.]com/images/add?type=name
• https[:]//bypassociation[.]com/info/hide?type=name

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.