A hacker has created new malware that captures screenshots and identifies high-value targets. The malware, dubbed “Screenshotter,” has been discovered to be capable of taking screenshots of infected computers, giving hackers access to a wealth of sensitive data.
A new threat actor identified as TA886 is spreading the malware, which targets organizations and individuals in the United States and Germany. This malware is thought to be used by attackers to gather information about their targets, such as login credentials and other sensitive data. Proofpoint discovered it in October 2022, and the security firm reported that it continued into 2023.
It can steal cryptocurrency wallets, credentials, and cookies stored in web browsers, FTP clients, Steam accounts, Telegram and Discord accounts, VPN configurations, and email clients, among other things.
When the Screenshotter malware is delivered to the target’s computer via a malicious email or website, the attack begins. Once installed, the malware begins capturing screenshots of the infected computer and sending them back to the attacker. The malware is capable of evading traditional antivirus software, making detection even more difficult.
The threat actor targets victims through phishing emails that contain Microsoft Publisher (.pub) attachments containing malicious macros, URLs linking to.pub files containing macros, or PDFs containing URLs that download dangerous JavaScript files. According to Proofpoint, the number of emails sent in TA886 increased exponentially in December 2022 and continued to rise in January 2023, with the emails written in either English or German depending on the target.
If the recipients of these emails click on the URLs, a multi-step attack chain is launched, which results in the download and execution of “Screenshotter,” one of TA886’s custom malware tools. This tool collects JPG screenshots from the victim’svictim’s machine and sends them to the threat actor’sactor’s server for analysis.
The attackers then manually review these screenshots to determine whether the victim is valuable. This assessment could include having the Screenshotter malware take more screenshots or dropping additional custom payloads such as a domain profiler script that sends AD (Active Directory) domain details to the C2. Also included is a malware loader script (AHK Bot loader) that loads an information stealer into memory.
The sources for this piece include an article in BleepingComputer.
