April 1, 2023

Researchers have spotted a threat actor known to be TA886, making use of a new custom-made malware, the Screenshotter, that perform surveillance before stealing data.

The initial campaign was spotted in October 2022, but its activity increased in 2023, targeting users from Germany and USA Screenshotter malware has a capability to evaluate the victims before further intrusion. The threat actor proceeds to data exfiltration only if the attack can bring huge ransom.

Advertisements

The targeted user receives a phishing email with malicious macros. The email may contain a malicious Microsoft Publisher (.pub) attachment, a link to .pub files with macros, or an infected PDF that downloads JavaScript files. Once the victim clicks the email is to download and execute the Screenshotter malware. Then the customized malware takes JPG screenshots from the infected device and sends them to its creator.

Once after the evaluation of the screenshots, the attacker can take two actions, either he can demand more JPGs from the malware, or he can drop additional custom payloads.

TA886 uses Rhadamanthys to steal data. This malware family can also steal cryptocurrency wallets, credentials, and cookies, FTP clients, Steam accounts, Telegram and Discord accounts, VPN configurations, and email clients.

TA886 may be a Russian threat actor, based on the hours when he is active, sending commands to the malware, and the presence of Russian language variable names and comments in code lines.

In conclusion, Active Directory profiling employed by Screenshotter is very concerning. As this can be used by malicious actors to compromise all domain-joined hosts.

Advertisements

Indicators of Compromise

  • southfirstarea[.]com
  • peak-pjv[.]com
  • otameyshan[.]com
  • thebtcrevolution[.]com
  • annemarieotey[.]com
  • expresswebstores[.]com
  • styleselect[.]com
  • mikefaw[.]com
  • fgpprlaw[.]com
  • duncan-technologies[.]net
  • black-socks[.]org
  • virtualmediaoffice[.]com
  • samsontech[.]mobi
  • footballmeta[.]com
  • gfcitservice[.]net
  • listfoo[.]org
  • duinvest[.]info
  • shiptrax24[.]com
  • repossessionheadquarters[.]org
  • bluecentury[.]org
  • d934d109f5b446febf6aa6a675e9bcc41fade563e7998788824f56b3cc16d1ed
  • hxxp[:]//79[.]137.198.60/1/ke.msi
  • 29e447a6121dd2b1d1221821bd6c4b0e20c437c62264844e8bcbb9d4be35f013
  • 292344211976239c99d62be021af2f44840cd42dd4d70ad5097f4265b9d1ce01
  • hxxp[:]//109[.]107.173.72/%serial%
  • 02049ab62c530a25f145c0a5c48e3932fa7412a037036a96d7198cc57cef1f40
  • d0a4cd67f952498ad99d78bc081c98afbef92e5508daf723007533f000174a98
  • 6e53a93fc2968d90891db6059bac49e975c09546e19a54f1f93fb01a21318fdc
  • 322dccd18b5564ea000117e90dafc1b4bc30d256fe93b7cfd0d1bdf9870e0da6
  • hxxp[:]//109[.]107.173.72/screenshot/%serial%
  • 1f6de5072cc17065c284b21acf4d34b4506f86268395c807b8d4ab3d455b036b
  • 3242e0a736ef8ac90430a9f272ff30a81e2afc146fcb84a25c6e56e8192791e4
  • 3db3f919cad26ca155adf8c5d9cab3e358d51604b51b31b53d568e7bcf5301e2
  • hxxp[:]//89[.]208.105.255/%serial%-du2
  • hxxp[:]//89[.]208.105.255/%serial%
  • hxxp[:]//89[.]208.105.255/download?path=e
  • moosdies[.]top
Tags:

Leave a Reply

You may have missed

WordPress Elementor Pro Plugin Vulnerability

WordPress Elementor Pro Plugin Vulnerability

April 1, 2023
QNAP Critical Sudo Vulnerability

QNAP Critical Sudo Vulnerability

March 31, 2023
AlienFox Malware Toolset -SwissArmy Knife

AlienFox Malware Toolset -SwissArmy Knife

March 31, 2023
3CX Application Malvertised

3CX Application Malvertised

March 31, 2023
Microsoft Azure Super FabriXss Bug

Microsoft Azure Super FabriXss Bug

March 31, 2023
Microsoft Patches BingBang Cloud Vulnerability Exposing O365 Data

Microsoft Patches BingBang Cloud Vulnerability Exposing O365 Data

March 30, 2023
%d bloggers like this: