Beware - that Windows 11 document is probably a scam
“Windows 11 Alpha” scam could be the work of notorious threat group
A new malware scam has been detected that looks to capitalize on curiosity about the upcoming Windows 11 release, cybersecurity researchers have found.
Analysts at security company Anomali looked at six macro-laced Microsoft Word documents, all of which tricked users into downloading a JavaScript backdoor that the attacker can then use to deliver any malicious payload.
Anomali believes that the backdoor resembles one commonly used by the Eastern European threat group known as FIN7, which is thought to have already cost businesses around a billion dollars.
“While we cannot conclusively identify the attack vector for this activity, our analysis strongly suggests the attack vector was an email phishing or spear-phishing campaign,” note the researchers.
POS attack
According to the report, upon opening, the tainted documents show Windows 11 imagery with text suggesting that the document was generated with the newer operating system and can’t be viewed because of a compatibility issue.
This is in fact a trick to fool users into following the listed instructions to enable macro content, which lets the nefarious documents install the backdoor.
An analysis of the malicious code reveals it is obfuscated to hinder analysis, though the researchers were able to un-jumble it to reveal the trickery.
Interestingly, the script is designed to self-annihilate if it detects the victim’s computer is using Russian or a handful of other Eastern European languages, or has less than 4GB of available memory, or is a virtual machine (VM) instead of a physical computer.
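A defender-side illustration of the evasion checks described above, added here and not part of Anomali's report or the actual malware: a small triage function that flags a script body for locale checks against Eastern European language IDs, a memory threshold under 4 GB, virtual-machine strings and a self-deletion idiom. The sample scripts, the WMI property names and the locale IDs used are assumptions constructed for the example.

```python
import re

# Constructed sample in the style of the checks the article describes (WSH JScript).
# WMI property names and locale IDs are assumptions; this is not the real malware.
SUSPECT_SCRIPT = r"""
var wmi = GetObject("winmgmts:\\\\.\\root\\cimv2");
var os = new Enumerator(wmi.ExecQuery("SELECT * FROM Win32_OperatingSystem")).item();
if (os.OSLanguage == 1049 || os.OSLanguage == 1058) { bail(); }
var cs = new Enumerator(wmi.ExecQuery("SELECT * FROM Win32_ComputerSystem")).item();
if (cs.TotalPhysicalMemory < 4294967296) { bail(); }
if (/VMware|VirtualBox|Virtual Machine/i.test(cs.Model)) { bail(); }
function bail() { new ActiveXObject("Scripting.FileSystemObject").DeleteFile(WScript.ScriptFullName); }
"""
# Constructed benign script for comparison: no environment checks at all.
BENIGN_SCRIPT = r"""
var sh = new ActiveXObject("WScript.Shell");
sh.Popup("Hello", 5, "Greeting");
"""

# Decimal Windows locale IDs (assumed list) for a few Eastern European languages.
EASTERN_EUROPEAN_LCIDS = {1049: "ru", 1058: "uk", 1059: "be"}

LOCALE_RE = re.compile(r"OSLanguage\s*==?\s*(\d+)")
MEMORY_RE = re.compile(r"TotalPhysicalMemory\s*<=?\s*(\d+)")
VM_RE = re.compile(r"VMware|VirtualBox|Virtual Machine|QEMU|Hyper-V", re.I)
SELF_DELETE_RE = re.compile(r"DeleteFile\s*\(\s*WScript\.ScriptFullName", re.I)


def triage_script(text):
    """Return the locale/sandbox-evasion indicators found in a script body."""
    findings = {}
    lcids = sorted({int(m) for m in LOCALE_RE.findall(text)})
    langs = [EASTERN_EUROPEAN_LCIDS[l] for l in lcids if l in EASTERN_EUROPEAN_LCIDS]
    if langs:
        findings["locale_check"] = langs          # languages the script bails on
    mem = MEMORY_RE.search(text)
    if mem:
        findings["low_memory_check_gb"] = int(mem.group(1)) / 2**30  # threshold in GB
    vms = sorted({m.lower() for m in VM_RE.findall(text)})
    if vms:
        findings["vm_check"] = vms                # hypervisor names looked for
    if SELF_DELETE_RE.search(text):
        findings["self_delete"] = True            # script removes itself from disk
    # Two or more independent checks is a strong sign of deliberate evasion.
    findings["evasive"] = len(findings) >= 2
    return findings
```

Running the function over a quarantined .js dropper's text, rather than the constructed samples, gives a quick first-pass verdict before deeper analysis.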
Anomali believes that the attack is designed specifically to target the US-based Clearmind point-of-sale (POS) provider. This further connects the attack to the FIN7 group, which has attacked Clearmind in the past as well.
“As a California-based provider of POS technology for the retail and hospitality sector, a successful infection would allow the group to obtain payment card data and later sell the information on online marketplaces,” share the researchers.
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.