Rewterz Threat Alert –TA866 Leverages WasabiSeed and Screenshotter Malware in Large-Volume Phishing Campaign – Active IOCs

Severity

High

Analysis Summary

The notorious threat actor known as TA866 has returned to the cyber landscape after a nine-month absence with a new large-volume phishing campaign in which it propagates known malware families like Screenshotter and WasabiSeed. The campaign was observed earlier this month by researchers to have involved thousands of invoice-themed emails that mainly targeted North America.

The security researchers said that the emails contained decoy PDF files with OneDrive URLs. Upon clicking them, it started a multi-step infection chain that finally deployed the malware payload which is a variant of the Screenshotter and WasabiSeed custom toolset. The threat actor was first discovered in February 2023 when it was linked to a campaign called Screentime that also spread WasabiSeed. WasabiSeed is a Visual Basic script dropper tool used to download Screenshotter into the targeted system, which then takes screenshots of the desktop regularly and exfiltrates the data to an actor-controlled domain.

Evidence suggests that TA866 may be financially motivated because Screenshotter behaves as a tool for reconnaissance used for identifying targets of high value to carry out post-exploitation and deploy an AutoHotKey (AHK)-based bot that ultimately drops the Rhadamanthys information stealer. There are also overlaps discovered by researchers between the Screentime campaign and another intrusion set named Asylum Ambuscade. This threat group has been active since 2020 and mainly carries out cyber espionage operations.

The latest attack chain leveraging phishing emails uses macro-enable Publisher attachments to PDFs containing a rogue OneDrive link. The campaign relies on a spam service that is provided by TA571 designed to spread malicious PDFs. TA571 is a spam distributor actor that sends high-volume spam email campaigns to propagate and download a multitude of malware for their cybercriminal customers. This malware includes NetSupport RAT, AsyncRAT, PikaBot, IcedID, QakBot, and DarkGate, allowing the threat actors to execute commands and commit information theft, execution of arbitrary programs, and cryptocurrency mining.

Researchers first uncovered the resurfacing of TA866 due to a shipping-related phishing email campaign that mainly targeted the manufacturing industry to distribute Formbook and Agent Tesla malware. The development also follows the discovery of a new evasion tactic that takes advantage of the caching mechanism of security software and goes undetected by incorporating a Call to Action (CTA) URL pointing to a trusted website in the phishing email.

When a URL like this gets scanned by the security service, it is given a safe verdict which is then stored in its cache for some time, meaning that if the URL is encountered again within that set amount of time, it is not reprocessed and the cached result is served.

Cybercriminals are leveraging this quirk by waiting until the security vendors process the CTA URL and cache their verdict before changing the link to redirect to the malicious website. Since the verdict is harmless, the email easily reaches the victim’s inbox. When the email is opened and the link or button within the email is clicked, the unsuspecting user is redirected to the phishing page.

Impact

• Cyber Espionage
• Exposure to Sensitive Data
• Financial Loss

Indicators of Compromise

MD5

• 8814621c7ab165e821a0f1e79d801428
• e6d1ee1f4f7abc5cada628d2f1c8db5f
• e2e694f471846e4004b30b673f217296

SHA-256

• 8277dff37fb068c3590390ca1aa6b96fd8b4f93757d5070f68ee8894e37713b1
• c9329007524b3da130c8635a226c8cbe3a4e803b813f5b2237ed976feb9d2c8d
• aec5bf19e72ed577b0a02cffeb4f5cc713ab4478267ce348cf337b508f2fcade

SHA-1

• 29e85c9dc589ed8d5a17d5070e4ce5ef2750f747
• 1615ef968c5b25c576042768ebb2b1291c943476
• 3daa94a97871bae495e4cb925b591287b2c89505

URL

• http://193.233.133.179/screenshot/

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
• Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
• Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
• Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
• Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
• Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
• Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.