Cybersecurity researchers at Proofpoint have uncovered brand new custom-made malware used by cybercriminals to launch a wide range of tailor-made second-stage attacks.
These payloads are capable of a variety of things, from espionage to data theft, which makes attacks even more dangerous due to their unpredictability.
The researchers who dubbed the campaign Screentime claim that it is run by a new cyber criminal named TA866. While it’s possible the group is already known to the wider cybersecurity community, no one has yet been able to link it to existing groups or campaigns.
Espionage and theft
Proofpoint describes TA866 as “an organized actor capable of well-thought-out large-scale attacks based on their availability of custom tools, capabilities and connections to purchase tools and services from third-party vendors, and a growing number of activities.”
Researchers also suggest that the cybercriminals may be Russian, as some of the variable names and comments in parts of the second-stage payloads were written in Russian.
At Screentime, TA866 sent phishing emails in an attempt to trick victims into downloading a malicious payload called WasabiSeed. This malware establishes persistence on the targeted endpoint (opens in a new tab)and then delivers various second-stage payloads, depending on what the cybercriminals see fit at the time.
Sometimes it delivered Screenshotter, malware with an obvious name, and other times it delivered AHK Bot, an infinite-loop component that delivers Domain Profiler, Stealer Loader, and Rhadamanthys Theft Tool.
Overall, the group appears to be financially motivated, argues Proofpoint. However, there have been cases that have led researchers to believe that the group is sometimes interested in espionage. Its targets were mainly organizations in the United States and Germany. It is uncritical in terms of industry – campaigns affect all industries.
The earliest signs of the Screentime campaign came in October 2022, Proofpoint said, adding that the activity also continued into 2023. In fact, in late January this year, researchers observed “tens of thousands of emails” addressed to more than a thousand organizations.