Security firm Proofpoint warns that a new cyber crime group, dubbed TA866, has been attacking over a thousand organizations since October with the goal of deploying credential-stealing malware. The group uses a multi-stage attack chain that includes reconnaissance tools, such as a Trojan that captures screenshots of infected devices' desktops.
Proofpoint has named this latest campaign "Screentime" because the attackers use screenshotting utilities to profile victims early in the attack chain. The WasabiSeed malware is delivered through phishing emails carrying either malicious Publisher files or JavaScript files, which trick targets into downloading and executing them. If successful, WasabiSeed establishes persistence on the victim's device and downloads the Screenshotter tool, which captures the victim's screen and sends the images to the command-and-control server. The attackers then manually review the screenshots and stage additional payloads for WasabiSeed to download.
The group's activity has grown in scale and frequency over time; typical campaigns now consist of thousands or even tens of thousands of emails sent two to four times a week. On targets deemed interesting, WasabiSeed deploys additional payloads, further compromising the device. Although the group's current activity appears financially motivated, some of its past attacks have also pointed to espionage.