Table of Contents
February 15, 2024
|6m
What is the New ‘Screenshotter’ Malware? Who is Behind It? How to Detect and Mitigate the Presence of Screenshotter Malware?
A new threat actor group has been identified recently, which is using a creative new custom-created malware named screenshotter, which as the name suggests, takes the screenshot of the device once compromised. The presence of this malware was initially observed by Proofpoint in September 2022, and it continued till January 2023.
In this post, we will talk about what is screenshotter malware and how to detect and mitigate screenshotter malware.
Key findings
The attacker group behind this scheme is named TA866, which is a new APT group.
The Threat actor appears to be financially motivated as they evaluate compromised computers to decide if they are worth further attack.
The group targeted mostly Germany and the United States.
TA866 utilizes the custom toolset, including WasabiSeed and Screenshotter, to analyze user activity via screenshots before deploying a bot and stealer.
Technical Analysis
The initial intrusion of the attacker is by sending phishing mail with malicious attachments. This malicious attachment contains Microsoft Publisher (.pub) files with malicious macros URLs to Publisher files with macros or PDFs with links to dangerous JavaScript.
The tools used by the threat actors during the delivery stages are mainly via URLs linking to the above-mentioned malicious file with the help of the 404 Traffic Distribution System (TDS). Some of these activities are observed via google ads as well.
The Campaign Distribution Frequency
As per the research done by Proofpoint, it was reported that in the initial months of October and November, only a few volumes of activity were found; however, by the end of November and December (the threat actor started using URLs), the operation increased and the email volume increased excessively.
Credits: Proofpoint
Attack workflow
Once the user clicks on the link provided in the phishing mail, the attack chain will begin,
The URL directs to a 404 TDS page, which filters incoming traffic before redirecting it to the download page for a JavaScript file.
An MSI package will start running if the user runs the JavaScript (such as by double-clicking)
This MSI package is the WasabiSeed installer which executes an embedded VBS script. An autorun shortcut in the Windows Startup folder will be created to maintain persistence.
The Wasabiseed Installer will again download and install ‘screenshotter’, which is an MSI file.
The screenshotter malware is custom created to take screenshots of the victim and communicate with the command-and-control server.
The attacker, after analyzing the screenshot will decide either to use screenshotter and take more screenshots to decide whether the target is useful or not. If satisfied, an additional payload will be dropped in the victims’ machine called the AHK Bot.
The AHK Bot determines the machine’s active directory and sends it to the attacker.
Another stealer malware dropped by the AHK bot is the Rhadamanthys.
The attack chains (Credits: Proofpoint)
MITRE ATT&CK Enterprise Identifiers
T1566.001 (Spearphishing Attachment)
T1566.002 (Spearphishing Link)
T1059.007 (JavaScript)
T1059.005 (Visual Basic)
T1547.001 (Registry Run Keys / Startup Folder)
T1218 (System Binary Proxy Execution)
T1140 (Deobfuscate/Decode Files or Information)
T1113 (Screen Capture)
Recommendations
From the attack flow, we understand that the attack is only possible only if the user opens and clicks on the link from phishing mail and manually runs the JavaScript file, so,
Have a good email gateway that prevents unauthorized outside emails from entering the network.
Email authentication protocols help a lot in avoiding such scenarios before reaching the user.
Proper cyber security awareness training must be conducted for all users to prevent mishaps.
Suspicious emails observed must be immediately reported to the concerned teams.
All IOCs should be monitored, and necessary action should be taken.
| Indicator | Type | Description |
| southfirstarea[.]com | Domain | 404 TDS domain |
| peak-pjv[.]com | Domain | 404 TDS domain |
| otameyshan[.]com | Domain | 404 TDS domain |
| thebtcrevolution[.]com | Domain | 404 TDS domain |
| annemarieotey[.]com | Domain | 404 TDS domain |
| expresswebstores[.]com | Domain | 404 TDS domain |
| styleselect[.]com | Domain | 404 TDS domain |
| mikefaw[.]com | Domain | 404 TDS domain |
| fgpprlaw[.]com | Domain | 404 TDS domain |
| duncan-technologies[.]net | Domain | 404 TDS domain |
| black-socks[.]org | Domain | 404 TDS domain |
| virtualmediaoffice[.]com | Domain | 404 TDS domain |
| samsontech[.]mobi | Domain | 404 TDS domain |
| footballmeta[.]com | Domain | 404 TDS domain |
| gfcitservice[.]net | Domain | 404 TDS domain |
| listfoo[.]org | Domain | 404 TDS domain |
| duinvest[.]info | Domain | 404 TDS domain |
| shiptrax24[.]com | Domain | 404 TDS domain |
| repossessionheadquarters[.]org | Domain | 404 TDS domain |
| bluecentury[.]org | Domain | 404 TDS domain |
| d934d109f5b446febf6aa6a675e9bcc41fade563e7998788824f56b3cc16d1ed | SHA256 | JavaScript “Document_24_jan-3559116.js” |
| hxxp[:]//79[.]137.198.60/1/ke.msi | URL | JavaScript Downloading MSI 1 (WasabiSeed Installer) |
| 29e447a6121dd2b1d1221821bd6c4b0e20c437c62264844e8bcbb9d4be35f013 | SHA256 | WasabiSeed Installer MSI “ke.msi” |
| 292344211976239c99d62be021af2f44840cd42dd4d70ad5097f4265b9d1ce01 | SHA256 | OCDService.vbs (WasabiSeed) inside ke.msi |
| hxxp[:]//109[.]107.173.72/%serial% | URL | WasabiSeed downloading payloads (Screenshotter, AHK Bot) |
| 02049ab62c530a25f145c0a5c48e3932fa7412a037036a96d7198cc57cef1f40 | SHA256 | Screenshotter Installer MSI |
| d0a4cd67f952498ad99d78bc081c98afbef92e5508daf723007533f000174a98 | SHA256 | Screenshotter component app.js |
| 6e53a93fc2968d90891db6059bac49e975c09546e19a54f1f93fb01a21318fdc | SHA256 | Screenshotter component lumina.exe |
| 322dccd18b5564ea000117e90dafc1b4bc30d256fe93b7cfd0d1bdf9870e0da6 | SHA256 | Screenshotter component index.js |
| hxxp[:]//109[.]107.173.72/screenshot/%serial% | URL | Screenshotter submitting an image to C2 |
| 1f6de5072cc17065c284b21acf4d34b4506f86268395c807b8d4ab3d455b036b | SHA256 | AHK Bot installer MSI |
| 3242e0a736ef8ac90430a9f272ff30a81e2afc146fcb84a25c6e56e8192791e4 | SHA256 | AHK Bot Looper component “au3.exe” |
| 3db3f919cad26ca155adf8c5d9cab3e358d51604b51b31b53d568e7bcf5301e2 | SHA256 | AHK Bot Looper component “au3.ahk” |
| hxxp[:]//89[.]208.105.255/%serial%-du2 | URL | AHK Bot Looper C2 |
| hxxp[:]//89[.]208.105.255/%serial% | URL | AHK Bot Domain Profiler C2 |
| hxxp[:]//89[.]208.105.255/download?path=e | URL | AHK Bot Stealer Loader C2 |
| moosdies[.]top | Domain | Rhadamanthys Stealer C2 |
ET Signatures
2853110 – ETPRO MALWARE 404 TDS Redirect
2043239 – ET MALWARE WasabiSeed Backdoor Payload Request (GET)
2852922 – ETPRO MALWARE Screenshotter Backdoor Sending Screenshot (POST)
2853008 – ETPRO MALWARE AHK Bot Looper – Payload Request
2853009 – ETPRO MALWARE AHK Bot Looper – Payload Request
2853010 – ETPRO MALWARE AHK Bot Looper – Payload Request
2853011 – ETPRO MALWARE AHK Bot Looper – Payload Request
2853015 – ETPRO MALWARE AHK Bot – Logger Sending Data
2853016 – ETPRO MALWARE AHK Bot – Stealer Loader Payload Request
2853017 – ETPRO MALWARE AHK Bot – Logger Sending Data
2043216 – ET MALWARE AHK Bot Domain Profiler CnC Activity
2043202 – ET MALWARE Rhadamanthys Stealer – Payload Download Request
2853001 – ETPRO MALWARE Rhadamanthys Stealer – Payload Response
2853002 – ETPRO MALWARE Rhadamanthys Stealer – Data Exfil
Conclusion
The attackers are high-profile threat actors who have the capability of using custom tools, and they manually analyses the victims through screenshots to identify high-end targets. The potential implications of AD profiling are concerning, as it could potentially result in the compromise of all domain-joined hosts, as per some clues from the analysis of the attack behavior the APT group TA866 is suspected to be a Russian threat actor.
We hope this article helped you to know more about what is screenshotter malware and how to detect and mitigate screenshotter malware.Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive information like this.
Aroma Rose Reji
Aroma is a cybersecurity professional with more than four years of experience in the industry. She has a strong background in detecting and defending cyber-attacks and possesses multiple global certifications like eCTHPv2, CEH, and CTIA. She is a pet lover and, in her free time, enjoys spending time with her cat, cooking, and traveling. You can connect with her on LinkedIn.
- April 18, 2024
Learn Something New with Free Email subscription
Learn Something New with Free Email subscription
Subscribe
Subscribe
Subscribe
Subscribe
- April 18, 2024
