New Threat Group Reviews Screenshots Before Striking

Security researchers have discovered a new financially motivated threat group that uses custom tools to identify and track high-value targets for information theft.

The group, dubbed TA866 by Proofpoint, may have been active since 2019, but its most recent activity began around October 2022.

The group appears to be financially motivated, although its activity may overlap with state-backed operations.

“An assessment of historically related activity suggests the possibility of additional espionage purposes,” the report notes.

Proofpoint called this new campaign, which was ongoing as of January 2023, “Screen Time.” This is due to the tactics the group used to narrow down a large pool of potential victims to the most lucrative targets.

In November 2022, TA866 significantly expanded its operations, sending thousands or tens of thousands of phishing emails two to four times a week. According to Proofpoint, over 1,000 US and German organizations were targeted in just two days in January.

“The email appeared to use a ‘check my presentation’ lure, thread hijacking, and contained a malicious URL that started a multi-stage attack chain,” it said.

If the victim falls for the lure, the attack chain downloads a custom installer known as WasabiSeed, which in turn installs another piece of malware named Screenshotter.

“This is a utility with a single function: taking a JPG screenshot of the user’s desktop and sending it via POST to a hardcoded IP address to a remote C2,” Proofpoint explains. “This is useful for attackers during the reconnaissance and victim profiling stages.”
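The behaviour Proofpoint describes, a JPG screenshot POSTed to a hardcoded IP address, leaves a recognisable trace in web-proxy logs: an outbound POST with an image body to a destination given as a bare IP rather than a hostname, typically repeated from the same host. The following script is an added example written for this article, not Proofpoint's tooling or the malware's code; the log format, the sample lines, the size threshold and the IP addresses (RFC 5737 documentation ranges) are all constructed assumptions, and Screenshotter's real URL path and port are not stated in the article and are not assumed here.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample proxy log (not real telemetry). Assumed field order:
# timestamp client_ip method url status request_content_type bytes_sent
SAMPLE_PROXY_LOG = """\
2023-01-23T10:14:02Z 10.0.5.21 GET https://www.example.com/index.html 200 text/html 512
2023-01-23T10:14:09Z 10.0.5.21 POST http://203.0.113.45/upload.php 200 image/jpeg 184320
2023-01-23T10:15:11Z 10.0.5.33 POST https://cdn.example.net/api/avatar 200 image/jpeg 20480
2023-01-23T10:16:40Z 10.0.5.21 POST http://203.0.113.45/upload.php 200 image/jpeg 190112
2023-01-23T10:17:02Z 10.0.5.40 POST http://198.51.100.7/login 302 application/x-www-form-urlencoded 210
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<bytes>\d+)$"
)
# Pull the host part out of the URL (everything between the scheme and the first '/' or ':').
HOST_RE = re.compile(r"^https?://([^/:]+)")


@dataclass(frozen=True)
class Alert:
    ts: str
    client: str
    dest_host: str
    bytes_sent: int


def _is_bare_ip(host: str) -> bool:
    """True when the destination is a literal IPv4/IPv6 address, not a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_screenshot_uploads(log_text: str, min_bytes: int = 50_000) -> List[Alert]:
    """Flag POST requests carrying a JPEG body to a bare-IP destination.

    The three conditions together match the article's description of Screenshotter
    (JPG screenshot, HTTP POST, hardcoded IP). A size floor (assumed value) keeps
    tiny thumbnails and avatars from firing; legitimate image uploads almost always
    go to a hostname, which is why the bare-IP check carries most of the signal.
    """
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than fail the whole run
        if m["method"] != "POST" or not m["ctype"].startswith("image/jpeg"):
            continue
        host_match = HOST_RE.match(m["url"])
        if not host_match or not _is_bare_ip(host_match.group(1)):
            continue
        size = int(m["bytes"])
        if size < min_bytes:
            continue
        alerts.append(Alert(m["ts"], m["client"], host_match.group(1), size))
    return alerts


def repeated_uploaders(alerts: List[Alert], min_count: int = 2) -> Dict[Tuple[str, str], int]:
    """Count alerts per (client, destination); repeats suggest periodic screenshots
    rather than a one-off upload and are the pairs worth triaging first."""
    counts: Dict[Tuple[str, str], int] = {}
    for a in alerts:
        key = (a.client, a.dest_host)
        counts[key] = counts.get(key, 0) + 1
    return {k: v for k, v in counts.items() if v >= min_count}


if __name__ == "__main__":
    hits = find_screenshot_uploads(SAMPLE_PROXY_LOG)
    for hit in hits:
        print(f"{hit.ts} {hit.client} -> {hit.dest_host} ({hit.bytes_sent} bytes)")
    for (client, dest), n in repeated_uploaders(hits).items():
        print(f"repeat: {client} posted {n} JPEGs to {dest}")
```

In the constructed sample only the two uploads from 10.0.5.21 to 203.0.113.45 match; the avatar upload to a hostname and the form POST to a bare IP are both ignored. On real telemetry the bare-IP and content-type checks should be combined with the destination's reputation and with whether the client is a user workstation rather than a build or monitoring host.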

If the attacker believes the victim represents a money-making opportunity, they download additional post-exploitation tools, including an AHK bot component that performs reconnaissance on the target Active Directory domain.

“AD profiling is of particular concern as subsequent activity could lead to the compromise of all hosts participating in the domain,” Proofpoint said.

The attacker then loads the Rhadamanthys Stealer. This is commercial malware designed to steal crypto wallets, Steam accounts, passwords from browsers, FTP clients, chat clients, email clients, VPN configurations, cookies and files.

The working hours of this group are said to be consistent with Russian threat actors.
