A novel phishing attack deploys a first-stage malware payload that lets attackers take screenshots of victims' machines to decide whether a victim is valuable enough to warrant additional malware. Researchers said over 1,000 organizations in the U.S. and Germany have been targeted in the attacks, and they add that the campaign is unique because of the malware tools it uses.
Proofpoint Threat Research, which released a report on the campaigns Wednesday, attributes them to the threat group it tracks as TA866. Researchers said the attacks are financially motivated and dubbed the campaign Screentime because it uses screenshots as part of the attack chain.
Proofpoint said it considers the attack chain novel because it uses malware tools not previously observed in the threat landscape, and because the adversaries conduct reconnaissance on the host machine via what Proofpoint calls Screenshotter malware before delivering a follow-on payload.
The attackers, researchers said, use both commodity and custom tools to capture screenshots before installing additional bot and stealer malware. The attack chain starts with an email containing a malicious attachment or URL and is followed by malware Proofpoint calls WasabiSeed and Screenshotter.
The researchers said they observed post-exploitation activity that involved AHK Bot and Rhadamanthys Stealer. Proofpoint first observed TA866 in October 2022 and the campaign has continued into 2023. On Jan. 23 and 24, Proofpoint observed tens of thousands of email messages targeting more than 1,000 organizations.
The researchers said the campaign is also unique in that the recently observed activity appears to be financially motivated and aligns with cybercrime objectives, while historic activity from TA866 overlaps with state-sponsored espionage. Screentime has been observed in the wild, and Proofpoint said it saw multiple campaigns using the same attack chain.
“TA866 spends time trying to figure out whether a target is worth additional payloads by using Screenshotter to take photos of a user’s screen and reviews them manually before deciding to deliver additional malware,” the researchers told SC Media via an email.
Fishing for a juicy target
“Clearly, there’s some level of value a user must meet before being deemed worthy of another payload. And while recent activity appears financially motivated, some historic activity overlaps with what we call TA866 suggests an espionage focus, too,” Proofpoint said.
In terms of the threat actor’s origins, the researchers told SC Media that there are artifacts in the attack chain, including Russian-language strings in the code and a working-hours analysis that aligns with a typical 9-to-5 workday in time zones that include Russia as well as other countries. However, Proofpoint said these factors alone are not enough to attribute the activity with high confidence to a state sponsor or geography.
John Bambenek, principal threat hunter at Netenrich, added that at its core, a phishing email that ultimately delivers malware isn’t a new technique, but in recent years, even cybercriminals are investing in the level of research that previously was only done by APTs. Bambenek said attackers know the more precise their techniques and tools are, the more likely they are to achieve significant financial results.
“Certainly email protection is important, especially to vendors that follow a chain of events after an email,” Bambenek said. “Attackers just aren’t emailing .exe’s so getting malware on a victim is a multi-step process and each step represents its own opportunity for protection.”
Proofpoint added that for a compromise to succeed, a user has to click on a malicious link and, if the link gets past filtering, interact with a JavaScript file that downloads and runs the additional payloads. “Organizations should educate end users about this technique and encourage users to report suspicious emails and other activities,” said the researchers.
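The JavaScript stage described above only works if the victim's machine will actually run a double-clicked .js file. The following PowerShell is an added example, not code from the Proofpoint report or from the TA866 toolset: it assumes the JavaScript file is launched through Windows Script Host (wscript.exe/cscript.exe, the default handler for .js files on Windows) and disables that handler machine-wide, then verifies the block with a throwaway script. Run it from an elevated PowerShell session.

```powershell
# Added example (not Proofpoint's or TA866's code). Assumption: the phishing
# chain's .js stage is executed by Windows Script Host. Setting Enabled=0 makes
# wscript.exe/cscript.exe refuse every script with "Windows Script Host access
# is disabled on this machine", removing the click-to-run step the chain needs.
# Requires an elevated (Administrator) session.

$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
if (-not (Test-Path $wshKey)) { New-Item -Path $wshKey -Force | Out-Null }
Set-ItemProperty -Path $wshKey -Name 'Enabled' -Value 0 -Type DWord

# Verification: a constructed .js file that would create a marker file if WSH
# still runs scripts. cscript is used instead of wscript so the refusal goes to
# the console rather than a modal dialog box.
$marker = Join-Path $env:TEMP 'wsh_ran.txt'
$probe  = Join-Path $env:TEMP 'wsh_probe.js'
Remove-Item $marker -ErrorAction SilentlyContinue
$escapedMarker = $marker -replace '\\', '\\\\'
$js = 'var fso = new ActiveXObject("Scripting.FileSystemObject"); ' +
      'fso.CreateTextFile("' + $escapedMarker + '").Close();'
Set-Content -Path $probe -Value $js

& cscript.exe //Nologo $probe 2>&1 | Out-Null

if (Test-Path $marker) {
    Write-Warning 'WSH still executes .js files; check for a per-user override under HKCU.'
} else {
    Write-Host 'WSH blocked .js execution; the phishing chain''s script stage cannot run here.'
}
Remove-Item $probe, $marker -ErrorAction SilentlyContinue
```

Disabling Windows Script Host also stops legitimate logon and administrative scripts that rely on wscript/cscript, so test it on a pilot group first or scope it with Group Policy. It complements, rather than replaces, the email filtering and user reporting Proofpoint recommends, and it does nothing against attachments that reach a different interpreter.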