Cybersecurity researchers from Proofpoint have uncovered a brand new, custom-built malware being used by threat actors to deliver a wide variety of specifically tailored stage-two attacks.
These payloads serve different purposes, from espionage to data theft, and that unpredictability makes the attacks more dangerous for defenders who cannot anticipate which payload will follow the initial infection.
The researchers, who dubbed the campaign Screentime, say it is being conducted by a new threat actor labeled TA866. While it’s a possibility that the group is already known to the wider cybersecurity community, no one has yet been able to link it to any existing groups or campaigns.
Espionage and theft
Proofpoint describes TA866 as an “organized actor able to perform well-thought-out attacks at scale based on their availability of custom tools, ability and connections to purchase tools and services from other vendors, and increasing activity volumes”.
The researchers also suggest that the threat actors might be Russian, as some variable names and comments in parts of their stage-two payloads were written in the Russian language.
In Screentime, TA866 would send out phishing emails, trying to get victims to download the malicious payload called WasabiSeed. This malware establishes persistence on the target endpoint, and then delivers different stage-two payloads, depending on what the threat actors deem appropriate at the time.
Sometimes, it would deliver Screenshotter, malware with a self-explanatory name, while other times, it would deliver AHK Bot, an infinite loop component delivering Domain profiler, Stealer loader, and the Rhadamanthys stealer.
Generally speaking, the group seems to be financially motivated, Proofpoint argues. However, there were instances that led the researchers to believe that the group is also sometimes interested in espionage. It targeted mostly organizations in the United States and Germany. It is indiscriminate in terms of verticals – the campaigns affect all industries.
The earliest signs of Screentime campaigns were seen in October 2022, Proofpoint said, adding that the activity continued into 2023, as well. In fact, in late January this year, the researchers observed “tens of thousands of email messages” targeting more than a thousand organizations.