Researchers have observed a new cluster of malicious activities by a new threat group dubbed TA866. The campaign, dubbed Screentime, involves attacks on the U.S. and German firms for financial gains. After initial access to the target system, the attacker manually analyzes the victim’s environment before further proceeding with the attack.
What happening?
According to Proofpoint, the campaign has been active since October 2022 and primarily targets organizations in the U.S. However, it recently pivoted to firms in Germany.
- In the beginning, hackers targeted only a small number of companies in the first two months. These emails carried malicious Publisher files.
- In late November and December 2022, the threat actor switched to emails with malicious URLs or PDFs and the volume of emails increased to thousands or ten thousands of emails, sent around four times per week.
- In January 2023, the campaign frequency was reduced yet the volume of emails increased further, targeting thousands of organizations.
- However, on December 8, 2022, and January 24, 2023, malicious emails in German were observed, indicating threat actors’ interest in German organizations.
Attack tactics
TA866 is believed to be working in the time zone UTC+2 or UCT+3, and the use of the Russian language for variable names and comments in malware code hint towards its Russian origin. The threat actor indulges in a multi-step attack chain that involves manual intervention.
- The attack begins with a phishing email sent to the potential victim that likely uses thread hijacking and contains PDF documents laden with malicious URLs, Microsoft Publisher (.pub) attachments with malicious macros, or URLs pointing to malicious .pub files.
- When the URL is clicked or the macro inside the document is executed, the victim system gets compromised and the attack chain gets initiated.
- It downloads custom malware called Screenshotter and WasabiSeed on the victim’s machine.
The malware steals screenshots and Active Directory domain-related information from the victim's machine and sends them to the attacker. After manually scanning these details, the attacker also downloaded AHK Bot and Rhadamanthys Stealer in some cases.
Concluding notes
TA866 is using custom and commodity tools for its attacks, indicating that it is well-resourced and well-versed in technical skills. Moreover, it is manually selecting its targets on the basis of the environment, including its Active Directory, hinting that this group is interested only in high-value targets with specific network capabilities. Organizations are, hence, recommended to implement a proactive approach toward cybersecurity, with multi-layered security architecture and frequent training to its employees to identify and report suspicious emails and other malicious activities.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/74cc_shutterstock_1752948716.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/eba6_shutterstock_1453737242.jpg)
