TA886 makes use of Screenshotter Malware

Researchers have spotted a threat actor known to be TA886, making use of a new custom-made malware, the Screenshotter, that perform surveillance before stealing data.

The initial campaign was spotted in October 2022, but its activity increased in 2023, targeting users from Germany and USA Screenshotter malware has a capability to evaluate the victims before further intrusion. The threat actor proceeds to data exfiltration only if the attack can bring huge ransom.

The targeted user receives a phishing email with malicious macros. The email may contain a malicious Microsoft Publisher (.pub) attachment, a link to .pub files with macros, or an infected PDF that downloads JavaScript files. Once the victim clicks the email is to download and execute the Screenshotter malware. Then the customized malware takes JPG screenshots from the infected device and sends them to its creator.

Once after the evaluation of the screenshots, the attacker can take two actions, either he can demand more JPGs from the malware, or he can drop additional custom payloads.

TA886 uses Rhadamanthys to steal data. This malware family can also steal cryptocurrency wallets, credentials, and cookies, FTP clients, Steam accounts, Telegram and Discord accounts, VPN configurations, and email clients.

TA886 may be a Russian threat actor, based on the hours when he is active, sending commands to the malware, and the presence of Russian language variable names and comments in code lines.

In conclusion, Active Directory profiling employed by Screenshotter is very concerning. As this can be used by malicious actors to compromise all domain-joined hosts.

Indicators of Compromise

• southfirstarea[.]com
• peak-pjv[.]com
• otameyshan[.]com
• thebtcrevolution[.]com
• annemarieotey[.]com
• expresswebstores[.]com
• styleselect[.]com
• mikefaw[.]com
• fgpprlaw[.]com
• duncan-technologies[.]net
• black-socks[.]org
• virtualmediaoffice[.]com
• samsontech[.]mobi
• footballmeta[.]com
• gfcitservice[.]net
• listfoo[.]org
• duinvest[.]info
• shiptrax24[.]com
• repossessionheadquarters[.]org
• bluecentury[.]org
• d934d109f5b446febf6aa6a675e9bcc41fade563e7998788824f56b3cc16d1ed
• hxxp[:]//79[.]137.198.60/1/ke.msi
• 29e447a6121dd2b1d1221821bd6c4b0e20c437c62264844e8bcbb9d4be35f013
• 292344211976239c99d62be021af2f44840cd42dd4d70ad5097f4265b9d1ce01
• hxxp[:]//109[.]107.173.72/%serial%
• 02049ab62c530a25f145c0a5c48e3932fa7412a037036a96d7198cc57cef1f40
• d0a4cd67f952498ad99d78bc081c98afbef92e5508daf723007533f000174a98
• 6e53a93fc2968d90891db6059bac49e975c09546e19a54f1f93fb01a21318fdc
• 322dccd18b5564ea000117e90dafc1b4bc30d256fe93b7cfd0d1bdf9870e0da6
• hxxp[:]//109[.]107.173.72/screenshot/%serial%
• 1f6de5072cc17065c284b21acf4d34b4506f86268395c807b8d4ab3d455b036b
• 3242e0a736ef8ac90430a9f272ff30a81e2afc146fcb84a25c6e56e8192791e4
• 3db3f919cad26ca155adf8c5d9cab3e358d51604b51b31b53d568e7bcf5301e2
• hxxp[:]//89[.]208.105.255/%serial%-du2
• hxxp[:]//89[.]208.105.255/%serial%
• hxxp[:]//89[.]208.105.255/download?path=e
• moosdies[.]top