A Cybercriminal Creates a Malicious Program to Identify Valuable Targets Through Screenshots

A new threat actor, tracked by Proofpoint as TA886, has been identified targeting organizations in the United States and Germany with custom malware. The activity was first observed in October 2022 and has continued into 2023. The actor is believed to be financially motivated: it assesses the value of each target before proceeding with further intrusion.

The attack begins with a phishing email carrying a malicious attachment or link: a Microsoft Publisher (.pub) file with macros, a URL pointing to a Publisher file with macros, or a PDF containing a URL that downloads a malicious JavaScript file. The emails are written in English or German, depending on the target. If the recipient follows the URL, a multi-step attack chain is triggered that ends with the download and execution of Screenshotter, a custom tool that captures screenshots of the victim's machine and sends them to the threat actor's server. The attackers then manually review the screenshots to decide whether the victim is worth pursuing.

For victims judged valuable, the stealer loaded in memory is Rhadamanthys, a malware family seen on underground forums since last summer and increasingly used in attacks. It can steal cryptocurrency wallets, credentials and cookies stored in web browsers, FTP clients, Steam accounts, Telegram and Discord accounts, VPN configurations, and email clients, and it can also exfiltrate files from the compromised system.

Proofpoint assesses that TA886 is likely a Russian threat actor, based on Russian-language variable names and comments in the code of the AHK Bot loader, and on activity that follows a regular working day in the UTC+2 or UTC+3 time zone. Proofpoint looked for overlaps with past reports describing similar TTPs but could not make any definitive connections.
TA886 attacks are still ongoing, and Proofpoint warns that the actor's Active Directory profiling is a particular cause for concern, since a follow-on compromise could spread the information-stealing malware to every domain-joined host.
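The three delivery patterns described above (a macro-enabled Publisher attachment, a link to a Publisher file, and a PDF whose embedded link fetches a JavaScript file) are concrete enough to turn into a mail-gateway triage rule. The following is an added example written for this page, not Proofpoint's code or anything from the campaign itself; the message records are constructed, and the field names (`msg_id`, `attachments`, `has_macros`, `embedded_urls`, `body_urls`) are assumptions about what a gateway log might expose.

```python
"""Triage inbound mail records for the TA886 delivery patterns.

Added example: constructed records, assumed field names, defender-side only.
"""
import os
from urllib.parse import urlparse


def url_ext(url):
    """Return the lower-cased file extension of a URL's path, ignoring the query string."""
    return os.path.splitext(urlparse(url).path)[1].lower()


def classify(record):
    """Return the list of reasons a message matches; an empty list means no match."""
    reasons = []
    for att in record.get("attachments", []):
        name = att["name"].lower()
        # Pattern 1: Microsoft Publisher attachment carrying macros.
        if name.endswith(".pub") and att.get("has_macros"):
            reasons.append(f"macro-enabled Publisher attachment: {att['name']}")
        # Pattern 3: PDF attachment whose embedded link points at a JavaScript file.
        if name.endswith(".pdf"):
            for url in att.get("embedded_urls", []):
                if url_ext(url) == ".js":
                    reasons.append(f"PDF attachment links to JavaScript: {url}")
    # Pattern 2: link in the message body that resolves to a Publisher file.
    for url in record.get("body_urls", []):
        if url_ext(url) == ".pub":
            reasons.append(f"body link to Publisher file: {url}")
    return reasons


def triage(records):
    """Map message id -> reasons for every record that matches at least one pattern."""
    flagged = {}
    for record in records:
        reasons = classify(record)
        if reasons:
            flagged[record["msg_id"]] = reasons
    return flagged


# Constructed sample records (assumed schema); hosts use the reserved .invalid TLD.
SAMPLE_MESSAGES = [
    {"msg_id": "m1",
     "attachments": [{"name": "invoice.docx", "has_macros": False}],
     "body_urls": ["https://example.invalid/portal"]},
    {"msg_id": "m2",
     "attachments": [{"name": "Rechnung.pub", "has_macros": True}],
     "body_urls": []},
    {"msg_id": "m3",
     "attachments": [],
     "body_urls": ["https://example.invalid/docs/order.PUB?id=7"]},
    {"msg_id": "m4",
     "attachments": [{"name": "statement.pdf",
                      "embedded_urls": ["https://example.invalid/view/statement.js"]}],
     "body_urls": []},
    {"msg_id": "m5",
     "attachments": [{"name": "brochure.pdf",
                      "embedded_urls": ["https://example.invalid/brochure.html"]}],
     "body_urls": []},
]


if __name__ == "__main__":
    for msg_id, reasons in triage(SAMPLE_MESSAGES).items():
        print(msg_id, "->", "; ".join(reasons))
```

The rule deliberately keys on the file type reached, not on a hostname or sender, because the report gives delivery mechanics rather than infrastructure; a PDF that links to an `.html` page (m5) is left alone, while the query string on m3's link does not hide the `.pub` target.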

This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 09 Feb 2023 17:39:02 +0000
