Hackers Targeting U.S. Firms Monitor Victims' Desktops with Screenshotter
A previously unknown threat actor has been targeting companies in the U.S. and Germany with bespoke malware designed to steal confidential information.
Enterprise security company Proofpoint, which is tracking the activity cluster under the name Screentime, said the group, dubbed TA866, is likely financially motivated.
"TA866 is an organized actor able to perform well thought-out attacks at scale based on their availability of custom tools; ability and connections to purchase tools and services from other vendors; and increasing activity volumes," the company assessed.
A successful reconnaissance phase is followed by the distribution of more malware for post-exploitation, with select attacks deploying an AutoHotKey (AHK)-based bot to drop an information stealer named Rhadamanthys.
Proofpoint said the URLs used in the campaign involved a traffic direction system (TDS) called 404 TDS, enabling the adversary to serve malware only in scenarios where the victims meet a specific set of criteria, such as geography, browser application, and operating system.
The origins of TA866 remain unclear as yet, although Russian language variable names and comments have been identified in the source code of AHK Bot, a 2020 variant of which was employed in attacks aimed at Canadian and U.S. banks. The malware is also suspected to have been put to use as far back as April 2019.
"The use of Screenshotter to gather information on a compromised host before deploying additional payloads indicates the threat actor is manually reviewing infections to identify high-value targets," Proofpoint said.
Campaigns mounted by the adversary are said to have commenced around October 3, 2022, with the attacks launched via emails containing a booby-trapped attachment or URL that leads to malware. The attachments range from macro-laced Microsoft Publisher files to PDFs with URLs pointing to JavaScript files.
The intrusions have also leveraged conversation hijacking to entice recipients into clicking on seemingly innocuous URLs that initiate a multi-step attack chain.
Irrespective of the method used, executing the downloaded JavaScript file leads to an MSI installer that unpacks a VBScript dubbed WasabiSeed, which functions as a tool to fetch next-stage malware from a remote server.
One of the payloads downloaded by WasabiSeed is Screenshotter, a utility that's tasked with taking screenshots of the victim's desktop periodically and transmitting that information back to a command-and-control (C2) server.
"This is helpful to the threat actor during the reconnaissance and victim profiling stage," Proofpoint researcher Axel F said.
"It is important to note that in order for a compromise to be successful, a user has to click on a malicious link and, if successfully filtered, interact with a JavaScript file to download and run additional payloads."
The findings come amid a spike in threat actors trying out new ways to execute code on targets' devices after Microsoft blocked macros by default in Office files downloaded from the internet.
This includes the use of search engine optimization (SEO) poisoning, malvertising, and brand spoofing to distribute malware by packaging the payloads as popular software such as remote desktop apps and online meeting platforms.
Furthermore, rogue ads on Google search results are being used to redirect unsuspecting users to fraudulent credential phishing websites that are designed to steal Amazon Web Services (AWS) logins, according to a new campaign documented by SentinelOne.
"The proliferation of malicious Google Ads leading to AWS phishing websites represents a serious threat to not just average users, but network and cloud administrators," the cybersecurity company said.
"The ease with which these attacks can be launched, combined with the large and diverse audience that Google Ads can reach, makes them a particularly potent threat."
Another technique that has witnessed a surge in recent months is the abuse of novel file formats like Microsoft OneNote and Publisher documents for malware delivery.
The attacks are no different from those using other types of malicious Office files, wherein the email recipient is duped into opening the document and clicking on a fake button, which results in the execution of embedded HTA code to retrieve Qakbot malware.
"Email administrators have, over the years, set up rules that either outright prevent, or throw severe-sounding warnings, on any inbound messages originating from outside the organization with a variety of abusable file formats attached," Sophos researcher Andrew Brandt said.
"It looks likely that OneNote .one notebooks will be the next file format to end up on the email-attachment chopping block, but for now, it remains a persistent risk."