The activity likely took place around late-June to late-July 2021, based on the file names in this campaign observed by the researchers.
Anomali Threat Research analysis of malicious Microsoft Word documents themed after Windows 11 Alpha concluded, with moderate confidence, that the documents were part of a malware campaign conducted by the threat group FIN7.
The attack chain began with a Microsoft Word document (.doc) containing a decoy image claiming it had been made with Windows 11 Alpha. Analysis of the file revealed a VBA macro padded with junk data in the form of comments. Junk data is a common tactic used by threat actors to impede analysis, but once it is removed, the functional VBA macro remains.
The VBScript takes encoded values from a hidden table inside the .doc file. After the VBA macro is deobfuscated, it performs language checks: if any of the listed languages is detected, the function me2XKr is called, which deletes the table and stops execution. The script also checks for virtual machines and stops running if one is detected.
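As an added triage example (not part of the Anomali analysis), the script below takes extracted VBA macro text, strips the junk comments that pad the payload, measures how much of the macro is comment filler, and flags the language-check and VM-check patterns the article describes. The sample macro and the API/WMI strings it searches for are constructed illustrations of common patterns, not the actual campaign code.

```python
import re

# Constructed sample macro text: junk comment padding around a short payload
# that checks the Office UI language and queries WMI for hardware details.
SAMPLE_MACRO = """\
' 8fj3k2 lorem junk 91kz
' q0w9e8 junk padding 77a
Sub AutoOpen()
    ' zz junk
    Dim lang As Long
    lang = Application.LanguageSettings.LanguageID(msoLanguageIDUI)
    If lang = 1049 Or lang = 1058 Then me2XKr
    Set wmi = GetObject("winmgmts:").ExecQuery("Select * from Win32_ComputerSystem")
    Rem k3j2 more junk
End Sub
' 3j2k junk tail
"""

COMMENT_RE = re.compile(r"^\s*('|Rem\b)", re.IGNORECASE)
# Assumed indicator patterns: Office language APIs and typical VM/hardware probes.
LANG_CHECK_RE = re.compile(r"LanguageSettings|LanguageID|Get(System|User)DefaultLCID", re.I)
VM_CHECK_RE = re.compile(r"Win32_ComputerSystem|Win32_BIOS|VMware|VirtualBox|vbox|QEMU", re.I)

def _strip_inline(line):
    """Drop a trailing ' comment, ignoring apostrophes inside double-quoted strings."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str          # a doubled "" toggles twice, staying in-string
        elif ch == "'" and not in_str:
            return line[:i].rstrip()
    return line.rstrip()

def strip_comments(src):
    """Return only the code lines: whole-line and inline comments removed."""
    kept = []
    for raw in src.splitlines():
        if not raw.strip() or COMMENT_RE.match(raw):
            continue
        code = _strip_inline(raw)
        if code.strip():
            kept.append(code)
    return "\n".join(kept)

def comment_ratio(src):
    """Fraction of non-blank lines that are whole-line comments (junk padding signal)."""
    lines = [l for l in src.splitlines() if l.strip()]
    return sum(1 for l in lines if COMMENT_RE.match(l)) / len(lines) if lines else 0.0

def triage(src, junk_threshold=0.4):
    """Score a macro: heavy comment padding combined with language or VM checks."""
    code = strip_comments(src)
    ratio = comment_ratio(src)
    result = {"junk_comment_ratio": round(ratio, 3), "code_lines": len(code.splitlines()),
              "language_check": bool(LANG_CHECK_RE.search(code)),
              "vm_check": bool(VM_CHECK_RE.search(code))}
    result["suspicious"] = ratio >= junk_threshold and (result["language_check"] or result["vm_check"])
    return result
```

Run `triage()` over macro text dumped by your usual OLE extraction tooling; the junk threshold is a tunable starting point, not a calibrated value.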
Interestingly, the attack stops after detecting Russian, Ukrainian, or several other Eastern European languages. Although there is no solid attribution, the language check function and the table it scores against indicate a likely geographic location for the creator of this malicious .doc file.
The reason is not far-fetched: it is an almost unofficial policy that cybercriminals based in the Commonwealth of Independent States (CIS) are generally left alone if they do not target interests or individuals within the respective borders. Accordingly, the VBA macro checks the target system's language against a list that includes common CIS languages and terminates the infection when it finds a match.
However, the inclusion of Sorbian (a minority Slavic language spoken in Germany), Estonian, Slovenian and Slovak remains unusual, as these are not languages normally considered for exclusion and might otherwise have been treated as 'fair game.'