New Screenshotter malware launched

Share post:

A hacker has created new malware that captures screenshots and identifies high-value targets. The malware, dubbed “Screenshotter,” has been discovered to be capable of taking screenshots of infected computers, giving hackers access to a wealth of sensitive data.

A new threat actor identified as TA886 is spreading the malware, which targets organizations and individuals in the United States and Germany. This malware is thought to be used by attackers to gather information about their targets, such as login credentials and other sensitive data. Proofpoint discovered it in October 2022, and the security firm reported that it continued into 2023.

It can steal cryptocurrency wallets, credentials, and cookies stored in web browsers, FTP clients, Steam accounts, Telegram and Discord accounts, VPN configurations, and email clients, among other things.

When the Screenshotter malware is delivered to the target’s computer via a malicious email or website, the attack begins. Once installed, the malware begins capturing screenshots of the infected computer and sending them back to the attacker. The malware is capable of evading traditional antivirus software, making detection even more difficult.

The threat actor targets victims through phishing emails that contain Microsoft Publisher (.pub) attachments containing malicious macros, URLs linking files containing macros, or PDFs containing URLs that download dangerous JavaScript files. According to Proofpoint, the number of emails sent in TA886 increased exponentially in December 2022 and continued to rise in January 2023, with the emails written in either English or German depending on the target.

If the recipients of these emails click on the URLs, a multi-step attack chain is launched, which results in the download and execution of “Screenshotter,” one of TA886’s custom malware tools. This tool collects JPG screenshots from the victim’svictim’s machine and sends them to the threat actor’sactor’s server for analysis.

The attackers then manually review these screenshots to determine whether the victim is valuable. This assessment could include having the Screenshotter malware take more screenshots or dropping additional custom payloads such as a domain profiler script that sends AD (Active Directory) domain details to the C2. Also included is a malware loader script (AHK Bot loader) that loads an information stealer into memory.

The sources for this piece include an article in BleepingComputer.

Featured Tech Jobs


Related articles

Google Play introduces new biometric verification with a user warning

Google has recently announced updates to the biometric verification process for Google Play purchases, aiming to bolster security...

Cyber Security Today, Week in Review for week ending Friday April 19, 2024

On this episode Jen Ellis, co-chair of the Ransomware Task Force, talks about ways of fighting one of the biggest cyber threats to IT d

Cyber Security Today, April 19, 2024 – Police bust phishing rental platform, a nine-year old virus found on Ukrainian computers, and more

This episode reports on a threat actor targeting governments in the Middle East with a novel way of hiding malware is going international

Controversial expansion of US surveillance powers nears Senate vote

The US Senate is poised to vote on a significant expansion of Section 702 of the Foreign Intelligence...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways