What is the New ‘Screenshotter’ Malware? Who is Behind It? How to Detect and Mitigate the Presence of Screenshotter Malware?


A new threat actor group has been identified recently, which is using a creative new custom-created malware named screenshotter, which as the name suggests, takes the screenshot of the device once compromised. The presence of this malware was initially observed by Proofpoint in September 2022, and it continued till January 2023.

 

 

In this post, we will talk about what is screenshotter malware and how to detect and mitigate screenshotter malware.

Key findings

  • The attacker group behind this scheme is named TA866, which is a new APT group.
  • The Threat actor appears to be financially motivated as they evaluate compromised computers to decide if they are worth further attack.
  • The group targeted mostly Germany and the United States.
  • TA866 utilizes the custom toolset, including WasabiSeed and Screenshotter, to analyze user activity via screenshots before deploying a bot and stealer.

Technical Analysis

The initial intrusion of the attacker is by sending phishing mail with malicious attachments. This malicious attachment contains Microsoft Publisher (.pub) files with malicious macros URLs to Publisher files with macros or PDFs with links to dangerous JavaScript.

The tools used by the threat actors during the delivery stages are mainly via URLs linking to the above-mentioned malicious file with the help of the 404 Traffic Distribution System (TDS). Some of these activities are observed via google ads as well.

The Campaign Distribution Frequency

As per the research done by Proofpoint, it was reported that in the initial months of October and November, only a few volumes of activity were found; however, by the end of November and December (the threat actor started using URLs), the operation increased and the email volume increased excessively.

Credits: Proofpoint

Attack workflow

Once the user clicks on the link provided in the phishing mail, the attack chain will begin,

  1. The URL directs to a 404 TDS page, which filters incoming traffic before redirecting it to the download page for a JavaScript file.
  2. An MSI package will start running if the user runs the JavaScript (such as by double-clicking)
  3. This MSI package is the WasabiSeed installer which executes an embedded VBS script. An autorun shortcut in the Windows Startup folder will be created to maintain persistence.
  4. The Wasabiseed Installer will again download and install ‘screenshotter’, which is an MSI file.
  5. The screenshotter malware is custom created to take screenshots of the victim and communicate with the command-and-control server.
  6. The attacker, after analyzing the screenshot will decide either to use screenshotter and take more screenshots to decide whether the target is useful or not. If satisfied, an additional payload will be dropped in the victims’ machine called the AHK Bot. 
  7. The AHK Bot determines the machine’s active directory and sends it to the attacker.
  8. Another stealer malware dropped by the AHK bot is the Rhadamanthys.
The attack chains (Credits: Proofpoint)

MITRE ATT&CK Enterprise Identifiers

  • T1566.001 (Spearphishing Attachment)
  • T1566.002 (Spearphishing Link)
  • T1059.007 (JavaScript)
  • T1059.005 (Visual Basic)
  • T1547.001 (Registry Run Keys / Startup Folder)
  • T1218 (System Binary Proxy Execution)
  • T1140 (Deobfuscate/Decode Files or Information)
  • T1113 (Screen Capture)

Recommendations 

From the attack flow, we understand that the attack is only possible only if the user opens and clicks on the link from phishing mail and manually runs the JavaScript file, so,

  • Have a good email gateway that prevents unauthorized outside emails from entering the network.
  • Email authentication protocols help a lot in avoiding such scenarios before reaching the user.
  • Proper cyber security awareness training must be conducted for all users to prevent mishaps.
  • Suspicious emails observed must be immediately reported to the concerned teams.
  • All IOCs should be monitored, and necessary action should be taken.

 

IOC

Indicator Type Description
southfirstarea[.]com Domain 404 TDS domain
peak-pjv[.]com Domain 404 TDS domain
otameyshan[.]com Domain 404 TDS domain
thebtcrevolution[.]com Domain 404   TDS domain
annemarieotey[.]com Domain 404   TDS domain
expresswebstores[.]com Domain 404   TDS domain
styleselect[.]com Domain 404   TDS domain
mikefaw[.]com Domain 404   TDS domain
fgpprlaw[.]com Domain 404   TDS domain
duncan-technologies[.]net Domain 404   TDS domain
black-socks[.]org Domain 404   TDS domain
virtualmediaoffice[.]com Domain 404   TDS domain
samsontech[.]mobi Domain 404   TDS domain
footballmeta[.]com Domain 404   TDS domain
gfcitservice[.]net Domain 404   TDS domain
listfoo[.]org Domain 404   TDS domain
duinvest[.]info Domain 404   TDS domain
shiptrax24[.]com Domain 404   TDS domain
repossessionheadquarters[.]org Domain 404   TDS domain
bluecentury[.]org Domain 404   TDS domain
d934d109f5b446febf6aa6a675e9bcc41fade563e7998788824f56b3cc16d1ed SHA256 JavaScript “Document_24_jan-3559116.js”
hxxp[:]//79[.]137.198.60/1/ke.msi URL JavaScript Downloading MSI 1 (WasabiSeed Installer)
29e447a6121dd2b1d1221821bd6c4b0e20c437c62264844e8bcbb9d4be35f013 SHA256 WasabiSeed Installer MSI “ke.msi”
292344211976239c99d62be021af2f44840cd42dd4d70ad5097f4265b9d1ce01 SHA256 OCDService.vbs (WasabiSeed) inside ke.msi
hxxp[:]//109[.]107.173.72/%serial% URL WasabiSeed downloading payloads (Screenshotter, AHK Bot)
02049ab62c530a25f145c0a5c48e3932fa7412a037036a96d7198cc57cef1f40 SHA256 Screenshotter Installer MSI
d0a4cd67f952498ad99d78bc081c98afbef92e5508daf723007533f000174a98 SHA256 Screenshotter   component app.js
6e53a93fc2968d90891db6059bac49e975c09546e19a54f1f93fb01a21318fdc SHA256 Screenshotter component lumina.exe
322dccd18b5564ea000117e90dafc1b4bc30d256fe93b7cfd0d1bdf9870e0da6 SHA256 Screenshotter component index.js
hxxp[:]//109[.]107.173.72/screenshot/%serial% URL Screenshotter submitting an image to C2
1f6de5072cc17065c284b21acf4d34b4506f86268395c807b8d4ab3d455b036b SHA256 AHK Bot installer MSI
3242e0a736ef8ac90430a9f272ff30a81e2afc146fcb84a25c6e56e8192791e4 SHA256 AHK Bot Looper component “au3.exe”
3db3f919cad26ca155adf8c5d9cab3e358d51604b51b31b53d568e7bcf5301e2 SHA256 AHK   Bot Looper component “au3.ahk”
hxxp[:]//89[.]208.105.255/%serial%-du2 URL AHK   Bot Looper C2
hxxp[:]//89[.]208.105.255/%serial% URL AHK   Bot Domain Profiler C2
hxxp[:]//89[.]208.105.255/download?path=e URL AHK   Bot Stealer Loader C2
moosdies[.]top Domain Rhadamanthys   Stealer C2

ET Signatures 

  • 2853110 – ETPRO MALWARE 404 TDS Redirect 
  • 2043239 – ET MALWARE WasabiSeed Backdoor Payload Request (GET)
  • 2852922 – ETPRO MALWARE Screenshotter Backdoor Sending Screenshot (POST) 
  • 2853008 – ETPRO MALWARE AHK Bot Looper – Payload Request 
  • 2853009 – ETPRO MALWARE AHK Bot Looper – Payload Request 
  • 2853010 – ETPRO MALWARE AHK Bot Looper – Payload Request 
  • 2853011 – ETPRO MALWARE AHK Bot Looper – Payload Request 
  • 2853015 – ETPRO MALWARE AHK Bot – Logger Sending Data 
  • 2853016 – ETPRO MALWARE AHK Bot – Stealer Loader Payload Request 
  • 2853017 – ETPRO MALWARE AHK Bot – Logger Sending Data 
  • 2043216 – ET MALWARE AHK Bot Domain Profiler CnC Activity 
  • 2043202 – ET MALWARE Rhadamanthys Stealer – Payload Download Request 
  • 2853001 – ETPRO MALWARE Rhadamanthys Stealer – Payload Response 
  • 2853002 – ETPRO MALWARE Rhadamanthys Stealer – Data Exfil 

Conclusion

The attackers are high-profile threat actors who have the capability of using custom tools, and they manually analyses the victims through screenshots to identify high-end targets. The potential implications of AD profiling are concerning, as it could potentially result in the compromise of all domain-joined hosts, as per some clues from the analysis of the attack behavior the APT group TA866 is suspected to be a Russian threat actor. 

Leave a Reply

Your email address will not be published. Required fields are marked *