
Hackers Targeting U.S. and German Firms Monitor Victims’ Desktops with Screenshotter

A previously unknown threat actor has been targeting companies
in the U.S. and Germany with bespoke malware designed to steal
confidential information.

Enterprise security company Proofpoint, which is tracking the
activity cluster under the name Screentime, said
the group, dubbed TA866, is likely financially
motivated.

“TA866 is an organized actor able to perform well thought-out
attacks at scale based on their availability of custom tools;
ability and connections to purchase tools and services from other
vendors; and increasing activity volumes,” the company assessed[1].

Campaigns mounted by the adversary are said to have commenced
around October 3, 2022, with the attacks launched via emails
containing a booby-trapped attachment or URL that leads to malware.
The attachments range from macro-laced Microsoft Publisher files to
PDFs with URLs pointing to JavaScript files.

The intrusions have also leveraged conversation hijacking to
entice recipients into clicking on seemingly innocuous URLs that
initiate a multi-step attack chain.

Irrespective of the method used, executing the downloaded
JavaScript file leads to an MSI installer that unpacks a VBScript
dubbed WasabiSeed, which functions as a tool to fetch next-stage
malware from a remote server.

One of the payloads downloaded by WasabiSeed is Screenshotter, a
utility that’s tasked with taking screenshots of the victim’s
desktop periodically and transmitting that information back to a
command-and-control (C2) server.
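The chain just described (downloaded JavaScript file, then an MSI installer, then the WasabiSeed VBScript downloader) is also a detection opportunity for defenders. The following is an added example, not Proofpoint's or the malware's code: a small rule over process-creation events that flags a VBScript host descended from msiexec.exe which itself descends from a script host running a .js file. The event schema, the sample events and the exact ancestry shape are assumptions; real telemetry (Sysmon event 1, an EDR process-create feed) has different field names, and because msiexec often runs under the Windows Installer service the rule matches on ancestry rather than on the direct parent.

```python
"""Detection sketch for the delivery chain described in the article:
JavaScript file -> MSI installer -> VBScript downloader (WasabiSeed).

Added example, not Proofpoint's or the malware's code. The event
schema, the sample events and the ancestry shape are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # executable name, lower case
    cmdline: str


def runs_script(ev: ProcEvent, ext: str) -> bool:
    """True if ev is a script host whose command line names a file with ext.
    A production rule would parse the argument list instead of substring
    matching; this is enough to show the shape of the check."""
    return ev.image in SCRIPT_HOSTS and ext in ev.cmdline.lower()


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Iterator[ProcEvent]:
    """Yield parent, grandparent, ... until the chain leaves the event set."""
    seen = set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def find_js_msi_vbs_chains(events: List[ProcEvent]) -> List[Tuple[int, int, int]]:
    """Return (js_host_pid, msiexec_pid, vbs_host_pid) for every VBScript host
    that has an msiexec.exe ancestor which in turn descends from a script host
    running a .js file. Legitimate MSI custom actions also spawn VBScript, so
    the .js ancestor is what separates this chain from ordinary installs."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if not runs_script(ev, ".vbs"):
            continue
        msi = None
        for anc in ancestors(ev, by_pid):
            if msi is None and anc.image == "msiexec.exe":
                msi = anc
            elif msi is not None and runs_script(anc, ".js"):
                hits.append((anc.pid, msi.pid, ev.pid))
                break
    return hits


# Constructed sample events (not real telemetry): one chain of the kind the
# article describes, one ordinary MSI install with a VBScript custom action,
# and one plain admin script that should not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "wscript.exe", r'wscript.exe "C:\Users\u\Downloads\document.js"'),
    ProcEvent(300, 200, "msiexec.exe", r'msiexec.exe /i C:\Users\u\AppData\Local\Temp\pkg.msi /qn'),
    ProcEvent(400, 300, "wscript.exe", r'wscript.exe C:\ProgramData\pkg\loader.vbs'),
    ProcEvent(600, 100, "msiexec.exe", r'msiexec.exe /i C:\Installers\vendor.msi'),
    ProcEvent(700, 600, "cscript.exe", r'cscript.exe C:\Windows\Installer\MSI1234.tmp\setup.vbs'),
    ProcEvent(500, 100, "wscript.exe", r'wscript.exe C:\Scripts\cleanup.vbs'),
]

if __name__ == "__main__":
    for js_pid, msi_pid, vbs_pid in find_js_msi_vbs_chains(SAMPLE_EVENTS):
        print(f"suspicious chain: js host {js_pid} -> msiexec {msi_pid} -> vbs host {vbs_pid}")
```

Run against the constructed events, only the chain 200 -> 300 -> 400 is reported; the vendor install with its VBScript custom action and the standalone admin script are left alone, which is the point of requiring the .js ancestor.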

“This is helpful to the threat actor during the reconnaissance
and victim profiling stage,” Proofpoint researcher Axel F said.

A successful reconnaissance phase is followed by the
distribution of more malware for post-exploitation, with select
attacks deploying an AutoHotKey (AHK)-based bot to drop an
information stealer named Rhadamanthys[2].

Proofpoint said the URLs used in the campaign involved a traffic
direction system (TDS[3]) called 404 TDS,
enabling the adversary to serve malware only in scenarios where the
victims meet a specific set of criteria, such as geography, browser
application, and operating system.

The origins[4]
of TA866 remain unclear as yet, although Russian language variable
names and comments have been identified in the source code of AHK
Bot, a 2020 variant of which was employed in attacks aimed at
Canadian and U.S. banks[5]. The malware is also
suspected to have been put to use as far back as[6]
April 2019[7].

“The use of Screenshotter to gather information on a compromised
host before deploying additional payloads indicates the threat
actor is manually reviewing infections to identify high-value
targets,” Proofpoint said.

“It is important to note that in order for a compromise to be
successful, a user has to click on a malicious link and, if
successfully filtered, interact with a JavaScript file to download
and run additional payloads.”

The findings come amid a spike in threat actors trying[8]
out[9]
new ways[10] to execute code on
targets’ devices after Microsoft blocked macros[11] by default in Office
files downloaded from the internet.

This includes the use of search engine optimization (SEO)
poisoning, malvertising, and brand spoofing to distribute malware
by packaging the payloads as popular software such as remote
desktop apps and online meeting platforms.

Furthermore, rogue ads[12] on Google search
results are being used to redirect unsuspecting users to fraudulent
credential phishing websites that are designed to steal Amazon Web
Services (AWS) logins, according to a new campaign documented by
SentinelOne.

“The proliferation of malicious Google Ads leading to AWS
phishing websites represents a serious threat to not just average
users, but network and cloud administrators,” the cybersecurity
company said[13].

“The ease with which these attacks can be launched, combined
with the large and diverse audience that Google Ads can reach,
makes them a particularly potent threat.”

Another technique that has witnessed a surge[14] in recent months is the
abuse of novel file formats like Microsoft OneNote and Publisher
documents for malware delivery.

The attacks are no different from those using other types of
malicious Office files, wherein the email recipient is duped into
opening the document and clicking on a fake button, which results
in the execution of embedded HTA code to retrieve Qakbot
malware.

“Email administrators have, over the years, set up rules that
either outright prevent, or throw severe-sounding warnings, on any
inbound messages originating from outside the organization with a
variety of abusable file formats attached,” Sophos researcher
Andrew Brandt said[15].

“It looks likely that OneNote .one notebooks will be the next
file format to end up on the email-attachment chopping block, but
for now, it remains a persistent risk.”
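The inbound-attachment rules Sophos refers to are straightforward to express. The following is an added example, not Sophos's code or any real gateway's rule set: it parses a raw RFC 822 message, exempts mail from the organisation's own domain, and blocks or warns on the file formats the article names (JavaScript and other script-host files, OneNote .one notebooks, Publisher .pub documents), judging by the last extension so that a double extension such as report.pdf.js is still caught. The organisation domain, the extension lists and the sample message are constructed for this example; a real gateway would also open archives and inspect content rather than trusting the file name alone.

```python
"""Inbound-attachment policy check for the file formats the article names
as abused, applied to mail arriving from outside the organisation.

Added example, not Sophos's code or a real gateway's rule set. The domain,
extension lists and sample message are constructed for this example.
"""
import email
import email.utils
import os
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

ORG_DOMAIN = "example.org"                                   # assumed local domain
BLOCK_EXT = {".js", ".jse", ".hta", ".vbs", ".vbe", ".wsf"}  # script-host formats
WARN_EXT = {".one", ".pub"}                                  # document formats the article reports abused


def sender_domain(msg) -> str:
    """Domain of the From: address, lower-cased; empty if unparsable."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify(filename: str) -> str:
    # Judge by the LAST extension so "report.pdf.js" is treated as .js,
    # and compare case-insensitively so ".JS" is not missed.
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCK_EXT:
        return "block"
    if ext in WARN_EXT:
        return "warn"
    return "allow"


def check_message(raw: str) -> List[Tuple[str, str]]:
    """Return (filename, action) for every attachment that is not allowed.
    Mail from the organisation's own domain is exempt, matching the
    external-origin scoping of the gateway rules the article describes."""
    msg = email.message_from_string(raw, policy=policy.default)
    if sender_domain(msg) == ORG_DOMAIN:
        return []
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name and classify(name) != "allow":
            findings.append((name, classify(name)))
    return findings


def build_sample(sender: str = "sender@external-example.net") -> str:
    """Constructed message: a OneNote notebook, a PDF, and a double-extension script."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = f"user@{ORG_DOMAIN}"
    m["Subject"] = "Files"
    m.set_content("See attached.")
    m.add_attachment(b"\x00fake", maintype="application", subtype="octet-stream", filename="notes.one")
    m.add_attachment(b"%PDF-fake", maintype="application", subtype="pdf", filename="report.pdf")
    m.add_attachment("// placeholder script text", subtype="plain", filename="report.pdf.js")
    return m.as_string()


if __name__ == "__main__":
    for name, action in check_message(build_sample()):
        print(f"{action}: {name}")
```

On the constructed message the notebook is flagged for a warning and the double-extension script is blocked, while the PDF passes; the same message from an address at the local domain produces no findings.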


References

  1. assessed (www.proofpoint.com)
  2. Rhadamanthys (threatmon.io)
  3. TDS (thehackernews.com)
  4. origins (thehackernews.com)
  5. Canadian and U.S. banks (thehackernews.com)
  6. as far back as (www.trendmicro.com)
  7. April 2019 (research.checkpoint.com)
  8. trying (www.silentpush.com)
  9. out (www.silentpush.com)
  10. new ways (www.malwarebytes.com)
  11. Microsoft blocked macros (thehackernews.com)
  12. rogue ads (thehackernews.com)
  13. said (www.sentinelone.com)
  14. witnessed a surge (thehackernews.com)
  15. said (news.sophos.com)
  16. Twitter (twitter.com)
  17. LinkedIn (www.linkedin.com)
