Custom malware ( Screentime ) hits your device with specially designed attacks

vtqhtr413
Cybersecurity researchers from Proofpoint have uncovered a brand new, custom-built malware being used by threat actors to deliver a wide variety of specifically tailored stage-two attacks. The researchers, who dubbed the campaign Screentime, say it is being conducted by a new threat actor labeled TA866. While it’s a possibility that the group is already known to the wider cybersecurity community, no one has yet been able to link it to any existing groups or campaigns. The earliest signs of Screentime campaigns were seen in October 2022, Proofpoint said, adding that the activity continued into 2023, as well. In fact, in late January this year, the researchers observed “tens of thousands of email messages” targeting more than a thousand organizations.

Kuttz
A novel phishing attack deploys a first-stage malware payload that allows attackers to take screenshots of victims to determine the value and whether to deploy additional malware. Researchers said over 1,000 organizations in the U.S. and Germany have been targeted in the attacks. They add the campaign is unique because of the malware tools used in the attacks. Researchers said the attacks are financially motivated and dubbed the campaign Screentime because of its use of screenshot technology as part of the attack chain.
Proofpoint said it considers the attack chain novel because it uses malware tools previously not observed in the threat landscape and that adversaries are conducting reconnaissance on a host machine via what is called Screenshotter malware before delivering a follow-on payload.
The attackers, researchers said, use both commodity and custom tools to leverage screenshots before installing additional bot and stealer malware. The attack chain starts with an email containing a malicious attachment or URL and gets followed by malware Proofpoint calls WasabiSeed and Screenshotter.
Fishing for a juicy target

“Clearly, there’s some level of value a user must meet before being deemed worthy of another payload. And while recent activity appears financially motivated, some historic activity overlaps with what we call TA866 suggests an espionage focus, too,” Proofpoint said.

In terms of the threat actor's origins, the researchers told SC Media that there are artifacts observed in the attack chain, including Russian language in the code and work-hours analysis that aligns with a typical 9-to-5 workday in time zones that include Russia, as well as other countries. However, Proofpoint said these factors alone are not enough to associate the activity with high confidence to a state sponsor or geography.

John Bambenek, principal threat hunter at Netenrich, added that at its core, a phishing email that ultimately delivers malware isn’t a new technique, but in recent years, even cybercriminals are investing in the level of research that previously was only done by APTs. Bambenek said attackers know the more precise their techniques and tools are, the more likely they are to achieve significant financial results.

“Certainly email protection is important, especially to vendors that follow a chain of events after an email,” Bambenek said. “Attackers just aren’t emailing .exe’s so getting malware on a victim is a multi-step process and each step represents its own opportunity for protection.”

Proofpoint added that for a compromise to succeed, a user has to click on a malicious link and, if successfully filtered, interact with a JavaScript file to download and run additional payloads. “Organizations should educate end users about this technique and encourage users to report suspicious emails and other activities,” said the researchers.

Novel phishing campaign takes screenshots ahead of payload delivery
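The multi-step chain the article describes (a link or attachment, a JavaScript file the user runs, a download, then an additional payload) is what Bambenek calls a series of protection opportunities. As an added illustration that is not part of either quoted article, the detector below correlates those steps in endpoint process telemetry; the event format, the script-host names (wscript.exe, cscript.exe) and the sample events are all constructed assumptions, not Screentime indicators.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import json
import re

# Constructed sample telemetry (not campaign data): ws01 shows the full chain,
# ws02 runs a legitimate admin script from a protected directory. Field names are assumed.
SAMPLE_EVENTS = r"""
{"ts":"2023-01-24T09:01:00","host":"ws01","type":"process","pid":410,"ppid":300,"image":"C:\\Windows\\System32\\wscript.exe","cmdline":"wscript.exe \"C:\\Users\\alice\\Downloads\\document.js\""}
{"ts":"2023-01-24T09:01:05","host":"ws01","type":"network","pid":410,"dest":"203.0.113.10:443"}
{"ts":"2023-01-24T09:01:20","host":"ws01","type":"process","pid":512,"ppid":410,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.exe","cmdline":"stage2.exe"}
{"ts":"2023-01-24T09:30:00","host":"ws02","type":"process","pid":222,"ppid":200,"image":"C:\\Windows\\System32\\cscript.exe","cmdline":"cscript.exe C:\\Program Files\\Admin\\inventory.js"}
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}            # assumed script interpreters
USER_WRITABLE = re.compile(r"\\(Downloads|AppData|Temp)\\", re.I)
JS_PATH = re.compile(r'"?([A-Z]:\\[^"]+?\.js)"?', re.I)
WINDOW = timedelta(minutes=10)                           # how long the later stages may lag

def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines()]

def detect_chain(events):
    """One alert per script-host process that (1) ran a .js from a user-writable path and,
    within WINDOW, (2) connected out (the download) and/or (3) spawned a child (the payload)."""
    by_host = defaultdict(list)                          # pids are only meaningful per host
    for ev in events:
        ev["t"] = datetime.fromisoformat(ev["ts"])
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        for ev in evs:
            if ev["type"] != "process" or ev["image"].rsplit("\\", 1)[-1].lower() not in SCRIPT_HOSTS:
                continue
            m = JS_PATH.search(ev["cmdline"])
            if not m or not USER_WRITABLE.search(m.group(1)):
                continue                                 # stage 1 not met: script not from Downloads/Temp/AppData
            stages = {"script_from_user_dir"}
            for later in evs:
                if not (ev["t"] < later["t"] <= ev["t"] + WINDOW):
                    continue
                if later["type"] == "network" and later["pid"] == ev["pid"]:
                    stages.add("outbound_download")
                if later["type"] == "process" and later["ppid"] == ev["pid"]:
                    stages.add("child_payload")
            alerts.append({"host": host, "pid": ev["pid"], "script": m.group(1), "stages": sorted(stages)})
    return alerts
```

A stage-1-only hit is a low-severity lead; all three stages on one host within the window is the pattern worth paging on.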
