A novel phishing attack deploys a first-stage malware payload that lets attackers take screenshots of victims' machines to gauge a target's value and decide whether to deploy additional malware. Researchers said more than 1,000 organizations in the U.S. and Germany have been targeted in the attacks. They add that the campaign is unique because of the malware tools used in the attacks.
Proofpoint Threat Research, which released a report on the campaigns Wednesday, attributes the campaigns to the advanced persistent threat group TA866. Researchers said the attacks are financially motivated and dubbed the campaign Screentime because of its use of screenshot technology as part of the attack chain.
Proofpoint said it considers the attack chain novel because it uses malware tools not previously observed in the threat landscape, and because the adversaries conduct reconnaissance on a host machine via what is called Screenshotter malware before delivering a follow-on payload.
The attackers, researchers said, use both commodity and custom tools to take screenshots before installing additional bot and stealer malware. The attack chain starts with an email containing a malicious attachment or URL and is followed by malware Proofpoint calls WasabiSeed and Screenshotter.
The researchers said they observed post-exploitation activity that involved AHK Bot and Rhadamanthys Stealer. Proofpoint first observed TA866 in October 2022, and the campaign has continued into 2023. On Jan. 23 and 24, Proofpoint observed tens of thousands of email messages targeting more than 1,000 organizations.
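The defensive takeaway from the chain described above is that the stages are ordered and close together in time: a lure is opened, a screenshot is captured from the host, and only then is a second-stage payload fetched. The following is an added example, not code from the report or from Proofpoint, showing how a detection engineer might correlate that sequence per host over endpoint telemetry. The event schema (`lure_opened`, `screen_capture`, `payload_download`) and the sample events are constructed assumptions for illustration; a real deployment would map them onto whatever EDR or log source is available.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical stage sequence mirroring the chain the report describes:
# lure opened -> screenshot captured on the host -> follow-on payload fetched.
STAGES = ("lure_opened", "screen_capture", "payload_download")

# Constructed sample telemetry (hypothetical schema, not from the report).
SAMPLE_EVENTS = [
    # ws01: the full chain inside the window (should be flagged)
    {"host": "ws01", "time": "2023-01-24T09:00:00", "type": "lure_opened", "detail": "attachment"},
    {"host": "ws01", "time": "2023-01-24T09:00:20", "type": "process_start", "detail": "installer"},
    {"host": "ws01", "time": "2023-01-24T09:01:10", "type": "screen_capture", "detail": "png to temp dir"},
    {"host": "ws01", "time": "2023-01-24T09:04:30", "type": "payload_download", "detail": "second stage"},
    # ws02: a user taking a screenshot with no lure and no payload (benign, not flagged)
    {"host": "ws02", "time": "2023-01-24T09:02:00", "type": "screen_capture", "detail": "snipping tool"},
    # ws03: stages present but the payload arrives hours later (outside window, not flagged)
    {"host": "ws03", "time": "2023-01-24T08:00:00", "type": "lure_opened", "detail": "url"},
    {"host": "ws03", "time": "2023-01-24T08:00:40", "type": "screen_capture", "detail": "png to temp dir"},
    {"host": "ws03", "time": "2023-01-24T14:00:00", "type": "payload_download", "detail": "second stage"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_screentime_chains(events, window=timedelta(minutes=30)):
    """Return {host: [ISO timestamps]} for every host on which all STAGES
    occur in order, with the last stage within `window` of the first.

    Unrelated events between stages are ignored, so a process_start or a
    benign screenshot elsewhere does not break or create a match."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append((_parse(ev["time"]), ev["type"]))

    hits = {}
    for host, evs in by_host.items():
        evs.sort()  # chronological order per host
        # Treat every lure_opened as a candidate start of the chain.
        for i, (t0, typ) in enumerate(evs):
            if typ != STAGES[0]:
                continue
            matched = [t0.isoformat()]
            stage = 1
            for t, later_type in evs[i + 1:]:
                if t - t0 > window:
                    break  # too far from the lure to count as one chain
                if later_type == STAGES[stage]:
                    matched.append(t.isoformat())
                    stage += 1
                    if stage == len(STAGES):
                        break
            if stage == len(STAGES):
                hits[host] = matched
                break  # one confirmed chain per host is enough to alert
    return hits


if __name__ == "__main__":
    for host, times in find_screentime_chains(SAMPLE_EVENTS).items():
        print(f"possible Screentime-style chain on {host}: {' -> '.join(times)}")
```

The window is the main tuning knob: too short and a slow second-stage delivery is missed, too long and ordinary screenshots start to coincide with unrelated downloads. Requiring all three stages in order is what keeps a lone screenshot (ws02) from firing.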
The researchers said it’s also unique in that recently observed activity appears to be