A new threat actor group has been identified recently, which is using a creative new custom-created malware named screenshotter, which as the name suggests, takes the screenshot of the device once compromised. The presence of this malware was initially observed by Proofpoint in September 2022, and it continued till January 2023.
In this post, we will talk about what is screenshotter malware and how to detect and mitigate screenshotter malware.
Key findings
- The attacker group behind this scheme is named TA866, which is a new APT group.
- The Threat actor appears to be financially motivated as they evaluate compromised computers to decide if they are worth further attack.
- The group targeted mostly Germany and the United States.
- TA866 utilizes the custom toolset, including WasabiSeed and Screenshotter, to analyze user activity via screenshots before deploying a bot and stealer.
Technical Analysis
The initial intrusion of the attacker is by sending phishing mail with malicious attachments. This malicious attachment contains Microsoft Publisher (.pub) files with malicious macros URLs to Publisher files with macros or PDFs with links to dangerous JavaScript.
The tools used by the threat actors during the delivery stages are mainly via URLs linking to the above-mentioned malicious file with the help of the 404 Traffic Distribution System (TDS). Some of these activities are observed via google ads as well.
The Campaign Distribution Frequency
As per the research done by Proofpoint, it was reported that in the initial months of October and November, only a few volumes of activity were found; however, by the end of November and December (the threat actor started using URLs), the operation increased and the email volume increased excessively.
Attack workflow
Once the user clicks on the link provided in the phishing mail, the attack chain will begin,
- The URL directs to a 404 TDS page, which filters incoming traffic before redirecting it to the download page for a JavaScript file.
- An MSI package will start running if the user runs the JavaScript (such as by double-clicking)
- This MSI package is the WasabiSeed installer which executes an embedded VBS script. An autorun shortcut in the Windows Startup folder will be created to maintain persistence.
- The Wasabiseed Installer will again download and install ‘screenshotter’, which is an MSI file.
- The screenshotter malware is custom created to take screenshots of the victim and communicate with the command-and-control server.
- The attacker, after analyzing the screenshot will decide either to use screenshotter and take more screenshots to decide whether the target is useful or not. If satisfied, an additional payload will be dropped in the victims’ machine called the AHK Bot.
- The AHK Bot determines the machine’s active directory and sends it to the attacker.
- Another stealer malware dropped by the AHK bot is the Rhadamanthys.
MITRE ATT&CK Enterprise Identifiers
- T1566.001 (Spearphishing Attachment)
- T1566.002 (Spearphishing Link)
- T1059.007 (JavaScript)
- T1059.005 (Visual Basic)
- T1547.001 (Registry Run Keys / Startup Folder)
- T1218 (System Binary Proxy Execution)
- T1140 (Deobfuscate/Decode Files or Information)
- T1113 (Screen Capture)
Recommendations
From the attack flow, we understand that the attack is only possible only if the user opens and clicks on the link from phishing mail and manually runs the JavaScript file, so,
- Have a good email gateway that prevents unauthorized outside emails from entering the network.
- Email authentication protocols help a lot in avoiding such scenarios before reaching the user.
- Proper cyber security awareness training must be conducted for all users to prevent mishaps.
- Suspicious emails observed must be immediately reported to the concerned teams.
- All IOCs should be monitored, and necessary action should be taken.
| Indicator | Type | Description |
| southfirstarea[.]com | Domain | 404 TDS domain |
| peak-pjv[.]com | Domain | 404 TDS domain |
| otameyshan[.]com | Domain | 404 TDS domain |
| thebtcrevolution[.]com | Domain | 404 TDS domain |
| annemarieotey[.]com | Domain | 404 TDS domain |
| expresswebstores[.]com | Domain | 404 TDS domain |
| styleselect[.]com | Domain | 404 TDS domain |
| mikefaw[.]com | Domain | 404 TDS domain |
| fgpprlaw[.]com | Domain | 404 TDS domain |
| duncan-technologies[.]net | Domain | 404 TDS domain |
| black-socks[.]org | Domain | 404 TDS domain |
| virtualmediaoffice[.]com | Domain | 404 TDS domain |
| samsontech[.]mobi | Domain | 404 TDS domain |
| footballmeta[.]com | Domain | 404 TDS domain |
| gfcitservice[.]net | Domain | 404 TDS domain |
| listfoo[.]org | Domain | 404 TDS domain |
| duinvest[.]info | Domain | 404 TDS domain |
| shiptrax24[.]com | Domain | 404 TDS domain |
| repossessionheadquarters[.]org | Domain | 404 TDS domain |
| bluecentury[.]org | Domain | 404 TDS domain |
| d934d109f5b446febf6aa6a675e9bcc41fade563e7998788824f56b3cc16d1ed | SHA256 | JavaScript “Document_24_jan-3559116.js” |
| hxxp[:]//79[.]137.198.60/1/ke.msi | URL | JavaScript Downloading MSI 1 (WasabiSeed Installer) |
| 29e447a6121dd2b1d1221821bd6c4b0e20c437c62264844e8bcbb9d4be35f013 | SHA256 | WasabiSeed Installer MSI “ke.msi” |
| 292344211976239c99d62be021af2f44840cd42dd4d70ad5097f4265b9d1ce01 | SHA256 | OCDService.vbs (WasabiSeed) inside ke.msi |
| hxxp[:]//109[.]107.173.72/%serial% | URL | WasabiSeed downloading payloads (Screenshotter, AHK Bot) |
| 02049ab62c530a25f145c0a5c48e3932fa7412a037036a96d7198cc57cef1f40 | SHA256 | Screenshotter Installer MSI |
| d0a4cd67f952498ad99d78bc081c98afbef92e5508daf723007533f000174a98 | SHA256 | Screenshotter component app.js |
| 6e53a93fc2968d90891db6059bac49e975c09546e19a54f1f93fb01a21318fdc | SHA256 | Screenshotter component lumina.exe |
| 322dccd18b5564ea000117e90dafc1b4bc30d256fe93b7cfd0d1bdf9870e0da6 | SHA256 | Screenshotter component index.js |
| hxxp[:]//109[.]107.173.72/screenshot/%serial% | URL | Screenshotter submitting an image to C2 |
| 1f6de5072cc17065c284b21acf4d34b4506f86268395c807b8d4ab3d455b036b | SHA256 | AHK Bot installer MSI |
| 3242e0a736ef8ac90430a9f272ff30a81e2afc146fcb84a25c6e56e8192791e4 | SHA256 | AHK Bot Looper component “au3.exe” |
| 3db3f919cad26ca155adf8c5d9cab3e358d51604b51b31b53d568e7bcf5301e2 | SHA256 | AHK Bot Looper component “au3.ahk” |
| hxxp[:]//89[.]208.105.255/%serial%-du2 | URL | AHK Bot Looper C2 |
| hxxp[:]//89[.]208.105.255/%serial% | URL | AHK Bot Domain Profiler C2 |
| hxxp[:]//89[.]208.105.255/download?path=e | URL | AHK Bot Stealer Loader C2 |
| moosdies[.]top | Domain | Rhadamanthys Stealer C2 |
ET Signatures
- 2853110 – ETPRO MALWARE 404 TDS Redirect
- 2043239 – ET MALWARE WasabiSeed Backdoor Payload Request (GET)
- 2852922 – ETPRO MALWARE Screenshotter Backdoor Sending Screenshot (POST)
- 2853008 – ETPRO MALWARE AHK Bot Looper – Payload Request
- 2853009 – ETPRO MALWARE AHK Bot Looper – Payload Request
- 2853010 – ETPRO MALWARE AHK Bot Looper – Payload Request
- 2853011 – ETPRO MALWARE AHK Bot Looper – Payload Request
- 2853015 – ETPRO MALWARE AHK Bot – Logger Sending Data
- 2853016 – ETPRO MALWARE AHK Bot – Stealer Loader Payload Request
- 2853017 – ETPRO MALWARE AHK Bot – Logger Sending Data
- 2043216 – ET MALWARE AHK Bot Domain Profiler CnC Activity
- 2043202 – ET MALWARE Rhadamanthys Stealer – Payload Download Request
- 2853001 – ETPRO MALWARE Rhadamanthys Stealer – Payload Response
- 2853002 – ETPRO MALWARE Rhadamanthys Stealer – Data Exfil
Conclusion
The attackers are high-profile threat actors who have the capability of using custom tools, and they manually analyses the victims through screenshots to identify high-end targets. The potential implications of AD profiling are concerning, as it could potentially result in the compromise of all domain-joined hosts, as per some clues from the analysis of the attack behavior the APT group TA866 is suspected to be a Russian threat actor.