A recently discovered cybercriminal group, referred to as TA866, has been targeting companies in the United States and Germany with malicious emails containing attachments or URLs that lead to the deployment of custom malware. This campaign, which Proofpoint has named 'Screentime', began in October 2022 and has continued into January 2023. The emails sent in October and November contained Publisher file attachments with malicious macros, while those sent in November and December contained URLs leading to Publisher files with macros or JavaScript files. In January, the emails used thread hijacking with a 'check my presentation' lure to trick recipients into clicking the malicious URLs.

The URLs lead to a 404 TDS (traffic distribution system) which filters the traffic and redirects the victim to a JavaScript file. If the file is run, an MSI package is fetched and executed, which in turn runs an embedded VBS script and achieves persistence. This script is the WasabiSeed malware, which downloads and executes another MSI file representing the Screenshotter malware, which takes screenshots of the victim's screen and sends them to a command-and-control server. The attackers then manually inspect the screenshots and use WasabiSeed to deploy additional payloads if the victim is deemed interesting. The Active Directory (AD) profiling could lead to the compromise of other domain-joined hosts. The domains used in the attack were previously registered, expired, and then re-sold to the TDS operator.

The researchers believe that TA866 is located in the UTC+2 or UTC+3 time zones, which correspond to Russia, and that the malware has been used in attacks since at least 2019, with some of the activity having an espionage objective. The recent activity appears to be financially motivated, however.
This Cyber News was published on www.securityweek.com. Publication date: Thu, 09 Feb 2023 13:39:02 +0000