Researchers have warned that a threat actor has been targeting more than a thousand organizations since October 2022 with the goal of deploying credential-stealing malware. The attack chain, which includes a Trojan that takes screenshots of infected computers' desktops, has been attributed by security firm Proofpoint to a threat actor it tracks as TA866. The group's tooling appears similar to that used in other campaigns reported as far back as 2019. Although the latest activity appears to be financially motivated, some of the related attacks suggest that espionage may have been a motive as well.

Proofpoint has named the campaign "Screentime" because the attackers use screenshotting utilities, written in several programming languages, early in the attack chain to profile victims.

The attack begins with phishing emails that use thread hijacking and a variety of lures. The emails contain links that lead users to malicious files, such as Publisher documents with malicious macros or malicious JavaScript files. These files deploy a malware program called WasabiSeed, which establishes persistence by creating an autorun shortcut in the Windows Startup folder. WasabiSeed then downloads additional payloads, including the Screenshotter tool, which captures the victim's desktop for the attackers to review. If the threat actor is not satisfied with what the screenshots show, Screenshotter takes more.

The campaigns have targeted over 1,000 organizations, primarily in the US and Germany. Most of the activity recently observed by Proofpoint suggests that the campaigns are financially motivated, but its assessment of related historic activity points to a possible espionage objective as well. The use of Screenshotter to gather information about a compromised host before deploying further payloads indicates that the threat actor manually reviews infections to identify high-value targets.
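The persistence mechanism described above, a shortcut dropped into the Windows Startup folder, is cheap to hunt for on an endpoint. The PowerShell script below is an added example written for this page; it is not code from the article or from Proofpoint, and it does not use any indicators published for this campaign. It enumerates every shortcut in the per-user and all-users Startup folders, resolves each shortcut's target and arguments through the WScript.Shell COM object, and flags entries whose target lives in a user-writable location, points at a script host, or no longer exists. The path and script-host patterns are illustrative assumptions, not campaign-specific indicators.

```powershell
# Added example (not from the article or Proofpoint's report): triage Startup-folder
# shortcuts, the persistence location the article attributes to WasabiSeed.
# The path and script-host patterns below are assumptions for illustration only.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    [Environment]::GetFolderPath('CommonStartup')   # %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\StartUp
)

# Locations a legitimate installer rarely uses for an autorun target (assumed heuristic).
$userWritable = '\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|\\Downloads\\'
# Script hosts and LOLBins commonly abused to launch a downloader from a shortcut (assumed heuristic).
$scriptHosts  = 'wscript\.exe|cscript\.exe|powershell\.exe|pwsh\.exe|cmd\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe'

$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($dir in $startupDirs) {
    if ([string]::IsNullOrEmpty($dir) -or -not (Test-Path -LiteralPath $dir)) { continue }

    foreach ($lnk in Get-ChildItem -LiteralPath $dir -Filter *.lnk -File -ErrorAction SilentlyContinue) {
        # CreateShortcut on an existing .lnk parses it and exposes TargetPath / Arguments.
        $sc      = $shell.CreateShortcut($lnk.FullName)
        $target  = $sc.TargetPath
        $lnkArgs = $sc.Arguments          # $args is a PowerShell automatic variable, so use another name
        $reasons = @()

        if ($target  -match $userWritable) { $reasons += 'target in user-writable path' }
        if ($target  -match $scriptHosts)  { $reasons += 'target is a script host' }
        if ($lnkArgs -match $userWritable) { $reasons += 'arguments reference a user-writable path' }
        if ($target -and -not (Test-Path -LiteralPath $target)) { $reasons += 'target does not exist (dangling)' }

        [pscustomobject]@{
            Shortcut   = $lnk.FullName
            Created    = $lnk.CreationTime
            Target     = $target
            Arguments  = $lnkArgs
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Suspicious entries first; review the target and arguments of anything flagged
# against the software inventory before deciding it is malicious.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Run it as the user whose profile you are examining, since the per-user Startup folder resolves from that user's environment; the all-users folder is covered regardless. Shortcut creation time alongside the target is useful here because an autorun entry created minutes after a phishing email was opened, pointing at a script host with a payload under AppData, is exactly the pattern the WasabiSeed stage would leave behind, whereas vendor shortcuts normally point into Program Files and predate the incident.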
Originally published on www.csoonline.com. Publication date: Wed, 08 Feb 2023 19:22:03 +0000