Proofpoint cybersecurity researchers have discovered a brand new, custom-built malware used by threat actors to deliver a variety of specially tailored second-tier attacks.
These payloads are capable of anything from espionage to data theft, which makes the attacks even more dangerous because of their unpredictability.
The researchers, who dubbed the campaign Screentime, say it’s being carried out by a new threat actor dubbed TA866. While there’s a chance the group is already known to the broader cybersecurity community, no one has yet been able to link them to existing groups or campaigns.
Espionage and theft
Proofpoint describes TA866 as an “organized actor capable of executing well-designed attacks at scale based on its availability of custom tools, ability and connections to purchase tools and services from other vendors, and increasing volume of activity.”
The researchers also suggest that the threat actors could be Russian, since some variable names and comments in parts of their second-tier payloads were written in Russian.
In Screentime, TA866 sent phishing emails and attempted to trick victims into downloading a malicious payload called WasabiSeed. This malware establishes persistence on the target endpoint and then delivers different second-tier payloads, depending on what the threat actors deem appropriate at the time.
Sometimes it delivered Screenshotter, malware with a self-explanatory name, while other times it delivered AHK Bot, an infinite loop component that delivered domain profilers, stealer loaders, and the Rhadamanthys stealer.
In general, the group appears to be financially motivated, Proofpoint argues. However, there were instances that led the researchers to believe the group is also sometimes interested in espionage. The campaign was primarily aimed at organizations in the United States and Germany. It is indiscriminate in terms of industry: the campaigns affect all sectors.
The first signs of Screentime campaigns can be seen in October 2022, Proofpoint said, adding that the activity has continued into 2023. In fact, in late January this year, the researchers observed “tens of thousands of email messages” targeting more than a thousand organizations.