A report released by Proofpoint on January 18, 2024 indicates that, after nine months of inactivity, the actors tracked as TA571 and TA866 engineered a phishing campaign targeting primarily North America with malware consistent with Screenshotter. TA571 is responsible for delivery of the phishing campaign, while TA866 controls and operates Screenshotter.
The threat is delivered via a phishing email carrying a PDF attachment which lures the victim into opening a OneDrive URL where a JavaScript file is hosted. In order to download the first stager, the victim needs to launch the JavaScript. In this respect, social engineering is a critical part of the infection chain, which would halt here if the user were to recognize the threat.
If the JavaScript is launched, the victim's host connects to a command-and-control (C2) server to fetch the WasabiSeed downloader which, in turn, is responsible for retrieving the final-stage payload consistent with the Screenshotter trojan.
The trojan takes its name from its primary capability: taking a screenshot of the desktop and exfiltrating it to the C2. As a result, although intelligence about TA866 is still limited, the campaign appears to be espionage-motivated.
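As an added illustration of where a defender can catch the chain described above (example code written for this post, not from Proofpoint's report), the following Python correlates constructed Sysmon-style events per host: a browser writing a .js file into a Downloads folder, a script host launching that file, and the same process then connecting outbound. Host names, paths, PIDs and addresses are made up.

```python
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed events (not real telemetry). WS01 mirrors the chain above:
# browser download of a .js -> user runs it with wscript -> outbound connection.
# WS02 is a benign logon script that must NOT alert (not browser-downloaded).
EVENTS = [
    {"host": "WS01", "ts": 100, "type": "file_create", "image": "msedge.exe",
     "path": r"C:\Users\alice\Downloads\invoice.js"},
    {"host": "WS01", "ts": 130, "type": "process_create", "image": "wscript.exe",
     "pid": 4120, "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.js"'},
    {"host": "WS01", "ts": 135, "type": "network_connect", "image": "wscript.exe",
     "pid": 4120, "dest": "203.0.113.10:443"},
    {"host": "WS02", "ts": 200, "type": "process_create", "image": "wscript.exe",
     "pid": 900, "cmdline": r'"C:\Windows\System32\wscript.exe" C:\Scripts\logon.js'},
    {"host": "WS02", "ts": 205, "type": "network_connect", "image": "wscript.exe",
     "pid": 900, "dest": "10.0.0.5:445"},
]


def detect_js_stager(events, window=300):
    """Return one alert per script-host process that ran a browser-downloaded
    .js file and then reached the network within `window` seconds."""
    downloads = defaultdict(dict)   # host -> {lowercase .js path: download ts}
    launched = {}                   # (host, pid) -> (script path, launch ts)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, image = ev["host"], ev["image"].lower()
        if ev["type"] == "file_create" and image in BROWSERS \
                and ev["path"].lower().endswith(".js"):
            downloads[host][ev["path"].lower()] = ev["ts"]
        elif ev["type"] == "process_create" and image in SCRIPT_HOSTS:
            # Tie the launch back to a recent browser download of the same file.
            for path, ts in downloads[host].items():
                if path in ev["cmdline"].lower() and ev["ts"] - ts <= window:
                    launched[(host, ev["pid"])] = (path, ev["ts"])
        elif ev["type"] == "network_connect" and (host, ev["pid"]) in launched:
            path, ts = launched[(host, ev["pid"])]
            if ev["ts"] - ts <= window:
                alerts.append({"host": host, "script": path, "dest": ev["dest"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_js_stager(EVENTS):
        print(alert)
```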
Prior analysis of TA866 suggests a linkage to Russia. This assessment is based upon the following observations:
The actor has historically targeted English and German speaking countries. North America is the target of the campaign reported in 2024 and, in the campaign reported in February 2023, the actor leveraged English- and German-language phishing emails.
Russian-language comments were found in the code of the AHK Bot, which was part of the infection chain of the previous Screenshotter campaign reported in February 2023.
During the 2023 campaign, the group operated in a timeframe consistent with UTC+2 and UTC+3, which is partially consistent with Western Russia.
While the victimology appears to clearly point at Russia, the other two points are less solid and require further examination from an analytical standpoint:
The use of Russian is evidence of the language the malware developers worked in rather than evidence for attributing the attack. Russian-speaking malware developers may be working for an operation unrelated to Russia, or Russian may be used as a common language among developers of other nationalities, including those from various countries in Eastern Europe.
The geographical area covered by UTC+2 and UTC+3 is quite vast and stretches from Spain to Western Russia. Such a wide area is hardly specific enough to support an attribution.
Based on the alternative hypotheses above, the victimology appears to be the only primary source of attribution to Russia. That is quite a strong point, but it is still inconclusive. Further research on this actor is required to shed light on the threat it represents.