Watch Out for New Phishing Campaign – Windows 11 Alpha

Windows 11 Alpha

The “Windows 11 Alpha” phishing campaign was created to take advantage of the many businesses and private users who have recently heard of Microsoft’s new operating system. By tricking users into activating malicious code on their PCs, the campaign exploits how little most people yet know about Windows 11.

How do they do it?

A Word document claiming to have been created with “Windows 11 Alpha” lures users in and pushes them through a series of steps to open it. The instructions in the document are designed to trick recipients into disabling security features, supposedly to make the “Windows 11 Alpha” generated document compatible with their operating system. No such step is needed, but many people won’t be aware of that, because there are genuine cases in which Word documents have to be converted for compatibility, and many users are accustomed to following prompts that look like the ones this campaign presents.

The idea behind this attack is that, once the code is activated, it can be used to steal people’s financial information. Disabling the PC’s security features allows a macro to run, which downloads a JavaScript package that lets the attackers completely take over the user’s PC.

Who is behind it?

Researchers at the cybersecurity company Anomali analysed six similar documents and say that the delivered backdoor appears to be a variation of a payload commonly used by the FIN7 group since at least 2018. The campaign appears to be targeting payment processing companies — FIN7 has previously caused billions in damages by stealing millions of payment records from various organisations.

Anomali researchers found that a hidden table in the document performs language checks on the targeted computer. If certain languages are detected, the table holding the encoded values is removed, which immediately stops the malicious activity. The code also looks for the domain “Clearmind”, which appears to refer to a point-of-sale (PoS) provider.

FIN7 has been around since at least 2013 but became more widely known from 2015 onwards. Some of its members have been arrested and sentenced, but attacks and phishing campaigns continue to be linked to the group.

What to do next?

It goes without saying that any emails referencing Windows 11 Alpha should not be opened and should be deleted. If you have any concerns related to email security, please reach out to us.
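As an added illustration (not from the original post, and not Anomali’s tooling), here is a small Python triage check a mail gateway or analyst could run on an incoming message: it flags a mail when lure wording such as “Windows 11 Alpha” or “enable content” appears together with an Office attachment that carries a VBA project (the word/vbaProject.bin entry inside the document’s zip container). The sample message and attachment are constructed inline; the lure patterns and the two-finding threshold are assumptions to be tuned locally.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

# Lure wording taken from the campaign description; the patterns are an assumption, tune to local telemetry.
LURE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in
                 (r"windows\s*11\s*alpha", r"enable\s+(content|editing|macros)")]
OFFICE_EXTS = (".doc", ".docm", ".docx", ".dotm")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # header of a legacy binary .doc

def office_has_macro(blob: bytes) -> bool:
    """OOXML files are zip containers; a VBA project is stored as word/vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        # Not a zip: a legacy OLE2 .doc can still carry macros, so treat it as suspect.
        return blob.startswith(OLE2_MAGIC)

def assess_message(raw: bytes) -> dict:
    """Return findings for one raw RFC 822 message; two or more findings mark it suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = str(msg["Subject"] or "")
    findings = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(OFFICE_EXTS):
            if office_has_macro(part.get_payload(decode=True) or b""):
                findings.append(f"macro-enabled attachment: {fname}")
        elif part.get_content_type() == "text/plain":
            text += "\n" + part.get_content()
    for pat in LURE_PATTERNS:
        if pat.search(text):
            findings.append(f"lure wording matched: {pat.pattern}")
    return {"suspicious": len(findings) >= 2, "findings": findings}

def build_sample_message() -> bytes:
    """Constructed sample: a mail with lure text and a minimal .docm holding an empty vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"")  # placeholder entry, contains no real VBA
    msg = EmailMessage()
    msg["Subject"] = "Your document was created with Windows 11 Alpha"
    msg.set_content("Please enable editing and enable content to view this file.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    return msg.as_bytes()
```

Calling `assess_message(build_sample_message())` returns a suspicious verdict with three findings; a plain text mail with no attachment and no lure wording returns none.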
