New Screenshotter malware launched


A newly identified threat actor is deploying custom malware, dubbed "Screenshotter", that captures screenshots of infected computers so that its operators can identify high-value targets. The screenshots give the attackers a view of whatever is on the victim's screen, which can include a wealth of sensitive data.

Proofpoint tracks the actor as TA866. The campaign targets organizations and individuals in the United States and Germany, and the screenshots are used to decide which victims are worth further attention before additional tools are deployed to gather login credentials and other sensitive data. Proofpoint first observed the activity in October 2022 and reported that it continued into 2023.

The information stealer loaded in the final stage of the chain can take cryptocurrency wallets; credentials and cookies stored in web browsers; and data from FTP clients, Steam, Telegram and Discord accounts, VPN configurations and email clients, among other things.

The attack begins when the initial payload reaches the target's computer through a malicious email attachment or a link to a malicious site. Once installed, Screenshotter captures screenshots of the infected computer and sends them back to the attacker. The multi-stage chain has evaded traditional antivirus detection, which makes the intrusion harder to spot.

The threat actor reaches victims through phishing emails that carry Microsoft Publisher (.pub) attachments with malicious macros, URLs linking to .pub files with macros, or PDFs containing URLs that download malicious JavaScript files. According to Proofpoint, the volume of email sent by TA866 rose sharply in December 2022 and continued to rise in January 2023, with the emails written in either English or German depending on the target.

If a recipient clicks one of these URLs, a multi-step attack chain is launched that ends with the download and execution of "Screenshotter", one of TA866's custom malware tools. This tool collects JPG screenshots from the victim's machine and sends them to the threat actor's server for analysis.

The attackers then manually review these screenshots to decide whether the victim is valuable. Depending on that assessment, they may instruct Screenshotter to take more screenshots or drop additional custom payloads: a domain profiler script that sends Active Directory (AD) domain details to the C2, and a malware loader script (the AHK Bot loader) that loads an information stealer into memory.
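Screenshotter's observable footprint on the network is a non-browser process posting JPG images to the same external host at a steady cadence. The following hunting script, added here as an example and not Proofpoint's or the malware's own code, groups proxy events by source host, process and destination, keeps only JPEG POSTs from processes that are not browsers, and flags groups whose inter-request intervals are nearly constant. The log format, host names, destination addresses and process names (for example `update.exe`) are constructed assumptions for the demonstration, not indicators from the campaign.

```python
"""Hunt for Screenshotter-style periodic JPG exfiltration in proxy logs.

Added example; the log format and every name in it are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real telemetry). Space-separated fields:
# timestamp  src_host  process  method  dest_host  content_type  bytes
SAMPLE_LOG = """\
2023-01-10T09:00:00 WS01 update.exe POST 203.0.113.7 image/jpeg 48213
2023-01-10T09:00:30 WS01 update.exe POST 203.0.113.7 image/jpeg 47900
2023-01-10T09:01:00 WS01 update.exe POST 203.0.113.7 image/jpeg 49102
2023-01-10T09:01:31 WS01 update.exe POST 203.0.113.7 image/jpeg 48550
2023-01-10T09:02:00 WS01 update.exe POST 203.0.113.7 image/jpeg 48001
2023-01-10T09:00:12 WS02 msedge.exe POST teams.example.com image/jpeg 120000
2023-01-10T09:07:45 WS02 msedge.exe POST teams.example.com image/jpeg 98000
2023-01-10T09:30:01 WS02 msedge.exe POST teams.example.com image/jpeg 150000
2023-01-10T09:00:00 WS03 agent.exe POST telemetry.example.net application/json 900
2023-01-10T09:01:00 WS03 agent.exe POST telemetry.example.net application/json 910
2023-01-10T09:02:00 WS03 agent.exe POST telemetry.example.net application/json 905
2023-01-10T09:03:00 WS03 agent.exe POST telemetry.example.net application/json 899
2023-01-10T09:00:05 WS03 outlook.exe GET cdn.example.net image/jpeg 3000
"""

# Browsers legitimately upload images (chat, ticketing, web mail); they are
# excluded to cut false positives. Assumed allowlist, extend for your estate.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, method, dest, ctype, size = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "proc": proc.lower(),
            "method": method,
            "dest": dest,
            "ctype": ctype,
            "bytes": int(size),
        })
    return events


def find_screenshot_beacons(events, min_posts=4, max_jitter=0.2):
    """Return groups of regular JPEG POSTs from non-browser processes.

    A group is flagged when it has at least ``min_posts`` uploads and the
    coefficient of variation of the gaps between them is at most
    ``max_jitter`` (0.2 = gaps vary by about 20% or less around the mean).
    """
    groups = defaultdict(list)
    for e in events:
        if (e["method"] == "POST" and e["ctype"] == "image/jpeg"
                and e["proc"] not in BROWSERS):
            groups[(e["host"], e["proc"], e["dest"])].append(e["ts"])

    hits = []
    for (host, proc, dest), stamps in groups.items():
        if len(stamps) < min_posts:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; nothing periodic to measure
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append({
                "host": host,
                "process": proc,
                "dest": dest,
                "posts": len(stamps),
                "interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_screenshot_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

Only the `WS01` group is flagged: the browser uploads are excluded by the allowlist, the `agent.exe` beacon is periodic but not JPEG, and the `GET` is not an upload. In a real deployment the JPEG check should look at the body's magic bytes or the upload's file name rather than trusting the declared content type, and the cadence threshold needs tuning against your own baseline of legitimate screenshot-sharing tools.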

The sources for this piece include an article in BleepingComputer.
