Cybersecurity researchers at Proofpoint have discovered brand new, custom malware used by threat actors to launch a wide variety of specifically tailored phase two attacks.
These payloads are capable of everything from espionage to data theft, making the attacks even more dangerous due to their unpredictability.
The researchers, who named the campaign Screentime, say it is being carried out by a new threat actor called TA866. While it’s a possibility that the group is already known to the wider cybersecurity community, no one has yet been able to link it to any existing groups or campaigns.
Espionage and theft
Proofpoint describes TA866 as an “organized actor capable of conducting well-crafted attacks at scale based on their availability of custom tools, ability and connections to purchase tools and services from other vendors, and increasing volumes of activity.”
The researchers also suggest that the threat actors may be Russian, as some variable names and comments in parts of their phase-two payloads are written in the Russian language.
In Screentime, TA866 sent phishing emails to trick victims into downloading a malicious payload called WasabiSeed. This malware establishes persistence on the target endpoint and then delivers different phase-two payloads, depending on what the threat actors see fit at the time.
Sometimes it delivered Screenshotter, malware with a self-explanatory name, while other times it delivered AHK Bot, an infinite-loop component that in turn provides the Domain Profiler, the Stealer loader, and the Rhadamanthys stealer.
Overall, the group appears to be financially motivated, Proofpoint argues. However, there were cases that led the researchers to believe that the group is also sometimes interested in espionage. The activity was mainly aimed at organizations in the United States and Germany, and it is not targeted at any particular industry: the campaigns affect all industries.
The first signs of Screentime campaigns were seen in October 2022, Proofpoint said, adding that activity will continue into 2023 as well. At the end of January this year, the researchers even saw “tens of thousands of email messages” aimed at more than a thousand organizations.