It’s different from your usual common-or-garden data stealer. Screenshotter malware first spies on you to see if you’re worth robbing before deploying additional malware to exfiltrate your data.
Proofpoint researchers have identified a new custom malware that first triggers surveillance on the infected system. Then, if the target is valuable enough, it deploys additional malware to exfiltrate sensitive data.
They’ve named the group behind this new multi-phase attack TA886. Researchers believe the group is well-organized, well-equipped, and possibly Russian.
How Screenshotter Malware works
The target receives a phishing email with a poisonous PDF or Microsoft Publisher (.pub) attachment. Triggering the macros leads to the download of a JavaScript file and an MSI installer. The installer, in turn, unpacks a VBScript called WasabiSeed, which fetches the next-stage payloads, including Screenshotter, from the attacker’s remote server.
Screenshotter in action
Screenshotter starts by periodically taking screenshots of the victim’s desktop and sending the JPGs back to the attackers’ command-and-control (C2) server. It appears that the attackers spy on the victim to confirm that the victim is a financially high-value target, but they also assess the potential value of the company or the proprietary data the victim handles.
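Two defender-side checks that follow from the chain just described (Publisher document, script host, MSI installer, VBScript, then periodic JPEG uploads to one C2 host), written here as an added example rather than anything from Proofpoint’s report. The log records, host names and the 198.51.100.7 documentation-range address are constructed, and the field layout of the process and proxy events is an assumption.

```python
"""Flag the Screenshotter delivery chain and its screenshot beaconing.

Added example, not code from the article or from Proofpoint. Both event
lists below are constructed; their tuple layouts are assumptions about
what an EDR process log and a web-proxy log would export.
"""
from collections import defaultdict

# Parent -> child process pairings that match the described chain:
# Publisher -> script host / MSI, script host -> MSI, MSI -> VBScript host.
SUSPICIOUS_CHAIN = {
    "mspub.exe": {"wscript.exe", "cscript.exe", "msiexec.exe"},
    "wscript.exe": {"msiexec.exe"},
    "msiexec.exe": {"wscript.exe", "cscript.exe"},
}

# Constructed process-creation events: (timestamp_s, host, parent, child).
PROCESS_EVENTS = [
    (0, "ws01", "explorer.exe", "mspub.exe"),
    (3, "ws01", "mspub.exe", "wscript.exe"),      # macro launched a .js file
    (9, "ws01", "wscript.exe", "msiexec.exe"),    # the script ran the MSI
    (15, "ws01", "msiexec.exe", "wscript.exe"),   # MSI unpacked a VBScript
    (20, "ws02", "explorer.exe", "winword.exe"),  # ordinary document open
    (30, "ws03", "explorer.exe", "msiexec.exe"),  # user-started installer
]

# Constructed proxy events: (timestamp_s, host, method, content_type, dest).
HTTP_EVENTS = [
    (100, "ws01", "POST", "image/jpeg", "198.51.100.7"),
    (400, "ws01", "POST", "image/jpeg", "198.51.100.7"),
    (700, "ws01", "POST", "image/jpeg", "198.51.100.7"),
    (1000, "ws01", "POST", "image/jpeg", "198.51.100.7"),
    (120, "ws02", "POST", "image/jpeg", "cdn.example.com"),  # one-off upload
    (300, "ws02", "GET", "text/html", "cdn.example.com"),
]


def flag_process_chains(events):
    """Return the events whose parent/child pair matches SUSPICIOUS_CHAIN."""
    return [(ts, host, parent, child) for ts, host, parent, child in events
            if child.lower() in SUSPICIOUS_CHAIN.get(parent.lower(), ())]


def flag_periodic_uploads(events, min_count=3, max_jitter=0.25):
    """Return (host, dest, interval) for hosts that POST JPEGs to one
    destination at a near-constant interval, i.e. screenshot beaconing."""
    by_pair = defaultdict(list)
    for ts, host, method, ctype, dest in events:
        if method == "POST" and ctype == "image/jpeg":
            by_pair[(host, dest)].append(ts)
    hits = []
    for (host, dest), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= max_jitter * mean for g in gaps):
            hits.append((host, dest, mean))
    return hits
```

Either rule alone is noisy; the point is that a host tripping both (a Publisher-spawned script chain followed by regular JPEG uploads) deserves a look before the second-stage stealer arrives.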
Researchers have found proof that the attacker manually evaluates the screenshots until they know enough about the victim before proceeding with the second stage of the attack.
When the attacker has sufficient information, they drop additional custom payloads, including Rhadamanthys, to steal the victim’s data. The Rhadamanthys malware family can steal account details and login credentials, cryptocurrency wallets, cookies, and the stored data of FTP and email clients.
TA886 serves the data-stealing malware only to victims who meet specific criteria, including high-value German and US targets who use specific operating systems and browsers.
Clues about the identity of TA886
The attackers lurk until they have enough information before attacking the victim, which implies that they manually review the screenshots and then send new commands to the victim’s device. Analysis of these communications has led Proofpoint researchers to believe that TA886 may be Russian, based on the attacker’s active hours, a few Russian language comments, and Russian variable names in the code.
Phishing emails used for Screenshotter attacks
The attackers have been using phishing emails written in languages familiar to the intended victim. They write professional-looking messages to the targets in either English or German in emails that contain a booby-trapped attachment or URL.
Despite greater public awareness of the dangers of phishing attacks, the success of the Screenshotter malware means that everyone, including highly qualified professionals who work for large companies and high-profile corporations, remains vulnerable to phishing.
It’s those Microsoft Macros, again
Microsoft and email administrators have long been fighting a war to decrease the risks associated with Microsoft Office documents that contain poisoned macros. As a result, system administrators use rules that either prevent their users from opening documents from outside their organizations or warn users about the risks.
Generally, systems administrators regard Microsoft Office documents, Excel spreadsheets included, with more than casual concern, and Microsoft has even blocked macros by default in Office files downloaded from the internet. However, as the Screenshotter campaigns show, system administrators may soon have to contemplate how to restrict access to Microsoft Publisher and OneNote files that contain external links.
Attackers don’t discriminate between types of clicks
Compromises like these always start with a user-activated script, so attackers have developed myriad ways to induce people to click before they have time to think about it. Attackers no longer have to rely on distributing booby-trapped documents.
So, there has been a corresponding rise in malware distribution via remote desktop applications, social media, and online meeting platforms. Other increasingly popular ways to get users to click on compromised links include SEO (Search Engine Optimization) poisoning, paid ads that lead to malware-infected or credential-phishing websites on Google’s search results, brand spoofing, and malvertising.
Scan URL links before users click on them
Blocking all macros in all documents is impossible, and internet usage is becoming increasingly dangerous due to the proliferation of legitimate-seeming links that lead to poisoned websites. This problem is becoming more pronounced in the WFH age of remote employees.
Besides improving user awareness about the dangers of casual clicking, providing users with tools to scan URLs and links before they inadvertently click on them is crucial.
URL scanners can block popup advertisements online, and a URL checker can also automatically scan URLs to identify websites that contain drive-by malware or pose other dangers. URL checkers can also scan links sent by a known person whose account may just have been infected, and so offer protection against malicious links in hijacked emails between trusted correspondents.
Protect users against themselves
Hackers literally bank on human nature. They know someone will inadvertently click on that poisoned link one day. A virtual private network (VPN) blocks popups and dangerous sites on the internet and protects remote workers’ logins and other confidential information. It has become a crucial tool for remote workers.