Emerging Threats

Hacker group TA866 uses Screenshotter to spy on victims

Nihad Hassan

Jul 17, 2023 · 2 min read


Proofpoint researchers have discovered a new hacking campaign executed by a hacker group named TA866. With known links to Russia, TA866 is an advanced hacking group that has the ability to perform well-organized attacks on a large scale. This stems from their ability to acquire attack tools from different sources and customize them according to each target.

The attack, which began in December 2022, has continued into 2023. It primarily targets victims in the United States and Germany and aims to steal their cryptocurrency wallets, saved account credentials, web browser cookies, and personal information.

Attack methodology

The attack chain begins with an email containing malicious attachments or a URL that points to a malicious website housing WasabiSeed and Screenshotter malware. The following steps are executed in succession.

1. Phishing email

A user receives an email with a URL leading to a Traffic Distribution System (TDS) named 404 TDS, which prompts the user to download a malicious JavaScript file.

2. MSI package installed

If the user runs the dangerous JavaScript file by double-clicking it, it will install an MSI package containing the WasabiSeed installer.

The MSI package will then perform two actions:

  • Cause the infected user device to download and install additional payloads if requested by the attacker
  • Download and run another program known as Screenshotter

Screenshotter, a popular malware program for taking screen captures of infected devices, has many variants written in different programming languages. Screenshotter works by taking screen captures of a victim’s device and sending the files to the attacker’s command and control server (C&C).

3. Additional payloads downloaded

Next, the attackers will check the screen capture manually to determine their next steps. These steps could include:

  • Loading Screenshotter onto the victim’s device again if they are unsatisfied with the received screen captures
  • Infecting the victim’s device with AHK Bot

AHK Bot is another malware program that has the ability to introduce additional payloads into the victim device, such as:

  • Domain profiler: To extract the infected device’s Active Directory (AD) information and send it back to the attacker’s server
  • Stealer loader: This script will install a stealer malware and load it into the device’s memory (Proofpoint researchers observed Rhadamanthys Stealer malware being used in the most recent campaign)
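The step in this chain that a defender can see most reliably on the endpoint is the double-clicked JavaScript file installing an MSI package: a Windows script host (wscript.exe or cscript.exe) launched with a .js file that then spawns msiexec.exe. The following is an added detection example, not code from the Proofpoint report or this post; it runs over a constructed, Sysmon-style list of process-creation events and flags that parent-child relationship.

```python
# Constructed process-creation events (simplified Sysmon-style fields). These are
# made-up records illustrating the JS -> MSI step described above, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    # User double-clicks a downloaded .js file: explorer hands it to wscript.exe
    {"pid": 512, "ppid": 400, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\alice\Downloads\invoice_2023.js"'},
    # The script launches the MSI installer (WasabiSeed stage in the campaign)
    {"pid": 640, "ppid": 512, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec.exe /i C:\Users\alice\AppData\Local\Temp\setup.msi /qn"},
    # Benign control: msiexec started directly by the user from explorer
    {"pid": 700, "ppid": 400, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec.exe /i C:\Users\alice\Downloads\7zip.msi"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_script_to_msi_chains(events):
    """Return (script_pid, msi_pid, script_cmd) for every msiexec.exe whose parent
    is a Windows script host that was itself launched with a .js file."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "msiexec.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        # Loose match on the script host's command line: any .js argument counts
        if ".js" in parent["cmd"].lower():
            hits.append((parent["pid"], e["pid"], parent["cmd"]))
    return hits


if __name__ == "__main__":
    for script_pid, msi_pid, cmd in find_script_to_msi_chains(SAMPLE_EVENTS):
        print(f"ALERT: script host pid {script_pid} ({cmd}) spawned msiexec pid {msi_pid}")
```

On real telemetry the same logic applies to Sysmon Event ID 1 or EDR process-start records; the direct explorer-to-msiexec case is deliberately left unflagged because ordinary installs look like that.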

How to prevent Screenshotter malware from infecting your device

To protect yourself against Screenshotter and similar types of malware, follow these precautions:

  • Do not open email attachments received from unknown email addresses
  • Do not click on links contained in suspicious emails
  • Install a personal firewall on your device to monitor all outgoing and incoming connections
  • Keep your operating system, web browsers, and installed programs up to date
  • Install a reputable antimalware program

Phishing emails are still the primary vehicle used by hackers to infect targets with malware. Fortunately, following the recommendations in this post should be enough to protect your device from such attacks.

Nihad Hassan
Nihad is an independent cybersecurity consultant and cyber OSINT expert, online blogger, and book author. He has been researching different areas of information security for more than 15 years.