Security researchers have discovered a new financially motivated threat group using custom tools to identify and pursue high-value targets for information theft.
Named TA866 by Proofpoint, the group may have been active since 2019, although most recent activity started in around October 2022.
Proofpoint assessed that the group appears to be financially motivated, although there could be some overlap with nation state activity.
“Assessment of historic related activities suggests a possible, additional espionage objective,” the report noted.
Proofpoint dubbed the new campaign, which was ongoing as of January 2023, “Screentime” because of the tactics the group uses to whittle a large pool of potential victims down to the most lucrative targets.
In November 2022, TA866 massively scaled up its operation, sending out thousands or tens of thousands of phishing emails two to four times per week. In just two days in January, over 1000 American and German organizations were targeted, Proofpoint said.
“The emails appeared to use thread hijacking, a ‘check my presentation’ lure, and contained malicious URLs that initiated a multi-step attack chain,” it explained.
If victims take the bait, a custom installer known as WasabiSeed is downloaded, which in turn installs a second bespoke piece of malware named Screenshotter.
“This is a utility with a single function of taking a JPG screenshot of the user’s desktop and submitting it to a remote C2 via a POST to a hardcoded IP address,” Proofpoint explained. “This is helpful to the threat actor during the reconnaissance and victim profiling stage.”
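The behaviour described above gives defenders a concrete signal to hunt for: a workstation POSTing JPEG data straight to an IP address rather than to a hostname, repeatedly. The following detection routine is an added example written for this article, not code from Proofpoint or from the report; the key=value proxy log format, the field names and the sample log lines are all constructed here, and the addresses are RFC 5737 documentation ranges, not indicators from the campaign.

```python
"""Flag HTTP POSTs of JPEG data sent directly to a bare IP address in proxy logs.

Added illustration, not Proofpoint's code. The log format (space-separated
key=value fields after a timestamp) is an assumption; the sample lines below
are constructed and use documentation address ranges only.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed proxy log excerpt (not real traffic). ws-017 posts JPEG content
# twice to a bare IP; the other lines are benign look-alikes.
SAMPLE_PROXY_LOG = """\
2023-01-24T09:12:03Z host=ws-017 method=POST dest=192.0.2.45 uri=/ ctype=image/jpeg bytes=184311
2023-01-24T09:12:10Z host=ws-017 method=GET dest=www.example.com uri=/index.html ctype=text/html bytes=5120
2023-01-24T09:13:44Z host=ws-022 method=POST dest=cdn.example.net uri=/upload ctype=image/jpeg bytes=90210
2023-01-24T09:15:01Z host=ws-017 method=POST dest=192.0.2.45 uri=/ ctype=image/jpeg bytes=176002
2023-01-24T09:16:30Z host=ws-031 method=POST dest=198.51.100.7 uri=/api ctype=application/json bytes=312
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Internal ranges where an image upload to an IP literal is routine (internal
# tools, printers, wikis); tune this allow-list for your environment.
INTERNAL_NETS = [
    ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def parse_line(line):
    """Turn one log line into a dict of its key=value fields plus the timestamp."""
    rec = dict(FIELD_RE.findall(line))
    rec["ts"] = line.split(" ", 1)[0]
    return rec


def to_ip(dest):
    """Return an ip_address if dest is an IP literal, else None (hostname)."""
    try:
        return ip_address(dest)
    except ValueError:
        return None


def is_suspicious(rec):
    """POST + JPEG body + destination given as an external IP literal."""
    ip = to_ip(rec.get("dest", ""))
    if ip is None or any(ip in net for net in INTERNAL_NETS):
        return False
    return rec.get("method") == "POST" and rec.get("ctype", "").startswith("image/jpeg")


def find_screenshot_exfil(log_text):
    """Return the parsed records that match the screenshot-upload pattern."""
    records = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [rec for rec in records if is_suspicious(rec)]


def summarize(hits):
    """Count (source host, destination) pairs; repeats point at periodic profiling."""
    return Counter((h["host"], h["dest"]) for h in hits)


if __name__ == "__main__":
    matches = find_screenshot_exfil(SAMPLE_PROXY_LOG)
    for m in matches:
        print(f"{m['ts']} {m['host']} -> {m['dest']} ({m['bytes']} bytes JPEG via POST)")
    for (host, dest), n in summarize(matches).items():
        print(f"{host} uploaded {n} screenshot-sized JPEGs to {dest}")
```

Restricting the match to IP-literal destinations is what keeps the rule quiet: legitimate image uploads almost always go to a hostname, so the remaining hits are worth an analyst's time, and the per-host count separates a one-off from the periodic uploads a profiling tool would produce.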
If the actor is satisfied that the victim represents a money-making opportunity, they download further post-exploitation tools, including AHK Bot components that perform reconnaissance on the target’s Active Directory domain.
“The AD profiling is especially concerning as follow-on activities could lead to compromises on all domain-joined hosts,” said Proofpoint.
The attacker then loads the Rhadamanthys Stealer – an off-the-shelf malware designed to steal crypto wallets, Steam accounts, passwords from browsers, FTP clients, chat clients, email clients, VPN configurations, cookies and files.
The group’s working hours are said to align with those of a Russian threat actor.