Threat group targets over 1,000 companies with screenshotting and infostealing malware

Tactics and malware suggest financial motivation, but espionage might also be the goal.

Researchers warn that a new threat actor has been targeting over a thousand organizations since October with the goal of deploying credential-stealing malware. The attack chain also involves reconnaissance components including a Trojan that takes screenshots of the desktops of infected computers.

Tracked as TA866 by researchers from security firm Proofpoint, the group's tooling seems to have similarities to other campaigns reported in the past under different names going as far back as 2019. Even though this latest activity appears to be financially motivated, some of the possibly related attacks seen in the past suggest that espionage was also a motivation at the time.

How the Screentime attack campaign works

Proofpoint has dubbed this latest campaign Screentime due to attackers using screenshotting utilities written in different programming languages early in the attack chain for victim profiling.

"Screenshotter has a single purpose of taking a screenshot of the victim's screen and sending it to the command and control (C2) server," the researchers said in a new report. "The threat actor likely manually examines the victim's screenshot image during their normal working hours and places additional payloads for the WasabiSeed loop to download. Screenshotter takes more screenshots if the actor is not satisfied with previous screenshots."

The attacks start with phishing emails that use thread hijacking techniques and have different lures such as "please judge my business presentation." They try to get users to download and open either Publisher (.pub) files with malicious macros or malicious JavaScript files. The emails contain links that direct users to the files after the traffic is filtered through a series of redirects, PDF attachments that include the links or directly .pub attachments.

"Most campaigns during October and November 2022 involved only a limited number of emails and focused on a small number of companies," the researchers said. "Campaigns were observed on average one to two times a week and messages contained attached Publisher files. In November and December 2022, around the time when the threat actor switched to using URLs, the scale of operation grew, and email volumes increased drastically. Typical campaigns consisted of thousands or even tens of thousands of emails and were observed two to four times a week."

If executed, the malicious files deploy a malware program called WasabiSeed that's delivered as an MSI installer and establishes persistence by creating an autorun shortcut in the Windows startup folder. WasabiSeed is a simple script written in VBS whose goal is to download and execute additional payloads.

One of those first payloads is the Screenshotter tool. Since the campaign began attackers have used multiple variants of this tool written in Python; AutoIT, a scripting language for task automation in Windows; and JavaScript with a bundled copy of IrfanView, an image editing tool for Windows. The JavaScript+IrfanView variant is the latest one observed.

On targets deemed interesting WasabiSeed also deploys a post-exploitation dubbed AHK Bot that's written in AutoHotKey, another scripting language used to automate tasks on Windows. AHK Bot is composed of AutoHotKey scripts that enable the attackers to perform different tasks. One is called Domain Profiler and is used to extract the ActiveDirectory domain the machine is connected to and send it to the command-and-control server.

Another script called Stealer Loader downloads a DLL file and loads it into the computer's memory. This DLL file is an information stealing malware known as Rhadamanthys Stealer that started being advertised for sale on cybercrime forums in August 2022. Its features include stealing crypto wallets, steam accounts, passwords from browsers, FTP clients, chat clients (e.g., Telegram, Discord), email clients, VPN configurations, cookies and any other files attackers may want.

Because the payload delivery requires manual intervention from the attackers, the researchers suspect their time zone is UTC+2:00 or +3:00 (Eastern Europe and Russia). Some of the malware also contains comments in Russian. The campaigns have targeted over 1,000 organizations, primarily from the US and Germany.

Screentime attack could be for financial gain or espionage

"Most of the activity recently observed by Proofpoint suggests recent campaigns are financially motivated. However, assessment of historic related activities suggests a possible, additional espionage objective," the researchers warned. "The use of Screenshotter to gather information on a compromised host before deploying additional payloads indicates the threat actor is manually reviewing infections to identify high-value targets. The AD profiling is especially concerning as follow-on activities could lead to compromises on all domain-joined hosts."