
Screentime detected in October 2022
Proofpoint has been keeping an eye on some evolving financially motivated activity since October 2022 that they’re calling “Screentime.” It all starts with a sneaky email carrying a malicious attachment or link that leads to malware called WasabiSeed and Screenshotter. In some cases, the attackers follow up with AHK Bot and Rhadamanthys Stealer once they’ve gotten in.
The TA866 group
Proofpoint is keeping tabs on the bad guys, who they’ve dubbed TA866, and assesses them to be a well-organized group with serious skills and resources at their disposal. The attacks have mainly targeted organizations in the US, but there have been a few hits in other countries too, and no industry is spared: all of them are being affected.
How the Screentime attack works
The initial email campaigns were small, sending limited numbers of emails to a handful of companies, but once the attackers switched to using links, the scale of the operation grew and the number of emails increased dramatically. In January 2023 the campaigns became less frequent, but the number of emails skyrocketed.
If someone falls for the trap and clicks on the link, the attack chain starts rolling. The link leads to a traffic distribution system (404 TDS) that redirects the user to download a JavaScript file, which in turn downloads and runs an MSI package that installs WasabiSeed. WasabiSeed then downloads Screenshotter, which takes screenshots of the victim’s screen and sends them back to the attackers.
The attackers can then manually examine the screenshots to decide if they want to proceed with more attacks. If they do, they can use the WasabiSeed loop to download AHK Bot, which is a collection of scripts that can do things like figure out the machine’s AD domain and steal information like passwords and crypto wallets.
Attacker’s routine and method
Proofpoint has noticed that the attackers seem to be active between 2am and 2pm EST, but they only have a small amount of data to go on. They’ve also found some Russian language comments in the code for AHK Bot.
Hundreds of random URLs in the format https://[domain.tld]/[a-z0-9]{5} were observed in this campaign. The domains involved were re-registered on the day of the campaign: they had previously been registered, had expired, and were then re-sold to the TDS operator. The campaign involved 20 domains, such as southfirstarea[.]com and black-socks[.]org, hosted on IP addresses 178.20.45[.]197 and 185.180.199[.]229.
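As an added example (not code from Proofpoint’s report), here is a small Python triage script that flags proxy-log URLs matching the https://[domain.tld]/[a-z0-9]{5} shape and scores them against the report’s listed domains and IPs plus a “registered within a day” check. The proxy-log format, the registration dates and the log lines are constructed for the demo; the five-character path alone would match any URL shortener, so a hit requires at least two reasons.

```python
import re
from datetime import date, datetime

# Indicators quoted in the report summarized above (defanged brackets removed).
KNOWN_TDS_DOMAINS = {"southfirstarea.com", "black-socks.org"}
KNOWN_TDS_IPS = {"178.20.45.197", "185.180.199.229"}

# URL shape described in the report: https://<domain.tld>/<five lowercase alphanumerics>
TDS_URL_RE = re.compile(r"^https://(?P<host>[a-z0-9.-]+\.[a-z]{2,})/(?P<path>[a-z0-9]{5})$")

# Constructed proxy-log format (an assumption): "<ISO date> <client ip> <dest ip> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def assess_url(url: str, dest_ip: str, seen_on: date, registered: dict) -> list:
    """Return the reasons a proxied URL resembles the 404 TDS stage (empty list = no match)."""
    reasons = []
    m = TDS_URL_RE.match(url)
    if not m:
        return reasons
    host = m.group("host")
    reasons.append("url shape matches https://[domain.tld]/[a-z0-9]{5}")
    if host in KNOWN_TDS_DOMAINS:
        reasons.append("domain listed in report")
    if dest_ip in KNOWN_TDS_IPS:
        reasons.append("destination IP listed in report")
    reg = registered.get(host)  # registration date from a WHOIS/RDAP cache, constructed here
    if reg is not None and 0 <= (seen_on - reg).days <= 1:
        reasons.append("domain registered within a day of the request")
    return reasons


def scan_log(lines: list, registered: dict) -> list:
    """Run assess_url over each log line; keep only (url, reasons) pairs with two or more reasons."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        seen_on = datetime.strptime(m.group(1), "%Y-%m-%d").date()
        reasons = assess_url(m.group(4), m.group(3), seen_on, registered)
        if len(reasons) >= 2:
            hits.append((m.group(4), reasons))
    return hits


# Constructed sample data (not from the report): registration dates and three proxy lines.
SAMPLE_REGISTRATIONS = {"southfirstarea.com": date(2023, 1, 10), "example-news.org": date(2015, 6, 1)}
SAMPLE_LOG = [
    "2023-01-10 10.0.0.5 178.20.45.197 https://southfirstarea.com/k3x9q",
    "2023-01-10 10.0.0.6 203.0.113.7 https://example-news.org/ab12c",
    "2023-01-10 10.0.0.7 203.0.113.8 https://example-news.org/articles/2023/01/10/story",
]

if __name__ == "__main__":
    for url, reasons in scan_log(SAMPLE_LOG, SAMPLE_REGISTRATIONS):
        print(url, "->", "; ".join(reasons))
```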
Similarity to other attacks suggests same group of attackers
There are some similarities between Screentime and another attack called Asylum Ambuscade that Proofpoint reported on in March 2022. Both have similar goals (financially motivated or espionage) and use similar tools (AHK Bot and WasabiSeed/SunSeed). However, the targets are different. Proofpoint thinks these Screentime attacks are likely being carried out by the same group of attackers, but they’re not 100% sure.