Researchers have warned users about a new malicious campaign that scans and profiles potential victims before targeting. Identified as “Screenshotter,” the malware takes screenshots on the victim’s machines to share with the attackers.
Screenshotter Malware Campaign Active In The Wild
According to a recent post from Proofpoint, their research team has observed a malicious campaign in the wild that profiles potential victims.
The campaign, identified as “Screentime,” seems financially motivated and involves multiple malware to perform various activities.
One of these includes the “Screenshotter” that takes and shares screenshots from the victim machines to the attackers. Whereas the other malware is the WasabiSeed installer that executes an embedded VBS script to download Screenshotter and other additional payloads. Moreover, WasabiSeed also helps the threat actors gain persistent access to the victim device.
Briefly, the attack begins with phishing emails sent towards the target organization. To lure the employees, the emails include subject lines and messages imparting a corporate feel, such as asking the recipient to check a presentation.
Like always, the emails include the malicious URL, which triggers the download of the JavaScript file. If the victim clicks and the JavaScript runs, it downloads WasabiSeed, followed by Screenshotter malware.
Upon receiving the victim machine’s screenshots, the threat actors analyze whether to proceed with the attack. If the victim appears lucrative, the attacker installs other payloads to execute the attack, such as the AHK bot, which downloads domain profiler and data stealer.
Moreover, the attack also involves deploying a data stealer from the Rhadamanthys malware family. It can steal sensitive information such as stored credentials, web cookies, crypto wallets, FTP clients, Telegram and Steam accounts, and VPN configurations.
The researchers have shared a detailed technical analysis of the campaign in their post.
Possible Russian Origin
The threat actors behind this campaign, identified as TA886, seemingly have a Russian origin, given the presence of the Russian language in the codes.
Also, the campaigns, which have been ongoing since October 2022, typically aim at organizations within the United States and Germany.
While the campaigns appear financially motivated, the researchers do not rule out the possibility of cyber espionage associated with these attacks.
Let us know your thoughts in the comments.
