Proofpoint’s cybersecurity experts have discovered a brand-new piece of custom-built malware that threat actors are using to launch a range of stage-two assaults that are uniquely designed.
Due to the unpredictability of these payloads, which range in capabilities from espionage to data theft, attacks are made even more deadly.
According to the researchers who gave the campaign the name Screentime, it is being carried out by a brand-new threat actor known as TA866. The group may already be well-known to the larger cybersecurity world, but no one has yet been able to connect it to any other organisations or initiatives.
Proofpoint describes TA866 as an “organized actor able to perform well-thought-out attacks at scale based on their availability of custom tools, ability and connections to purchase tools and services from other vendors, and increasing activity volumes”.
The threat actors may be Russian, according to the researchers, who point out that several variable names and remarks in their stage-two payloads were written in that language.
In Screentime, TA866 would send phishing emails to potential victims in an effort to get them to download the malicious WasabiSeed payload. In order to deliver various stage-two payloads, this malware first establishes persistence on the target endpoint (opens in new tab). This depends on what the threat actors judge to be appropriate at the time.
It would occasionally provide Screenshotter, a piece of malware whose name is self-explanatory, and other times it would deliver AHK Bot, an infinite loop component that would distribute the Rhadamanthys stealer, the Stealer loader, and the Domain profiler.
In general, the group appears to be driven by financial interests, claims Proofpoint. However, there were several occasions that made the researchers think that the organisation occasionally has espionage on its mind. It primarily targeted German and American organisations. The campaigns have little regard for industry verticals; they have an impact across the board.
According to Proofpoint, the first indications of Screentime campaigns appeared in October 2022 and persisted until 2023. In fact, the researchers discovered “tens of thousands of email communications” aimed at more than a thousand organisations in late January of this year.
