New Threat Group Reviews Screenshots Before Striking

February 10, 2023

Security researchers have discovered a new financially motivated threat group using custom tools to identify and pursue high-value targets for information theft.

Named TA866 by Proofpoint, the group may have been active since 2019, although most of the recent activity started around October 2022.

Proofpoint said the group appears to be financially motivated, although there could be some overlap with nation-state activity.

“Analysis of historical related activities suggests a possible, additional espionage objective,” the report noted.

Proofpoint dubbed the new campaign, which was ongoing as of January 2023, “Screentime” because of the methods the group uses to whittle down a large pool of potential victims to the most lucrative targets.

In November 2022, TA866 massively scaled up its operation, sending out thousands or tens of thousands of phishing emails two to four times per week. In just two days in January, over 1000 American and German organizations were targeted, Proofpoint said.

“The emails appeared to use thread hijacking, a ‘check my presentation’ lure, and contained malicious URLs that initiated a multi-step attack chain,” it said.

If victims take the bait, a custom installer known as WasabiSeed is downloaded, which in turn installs a second bespoke piece of malware named Screenshotter.

“This is a utility with a single function of taking a JPG screenshot of the user’s desktop and submitting it to a remote C2 via a POST to a hardcoded IP address,” Proofpoint explained. “This is useful to the threat actor during the reconnaissance and victim profiling stage.”
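The behaviour Proofpoint describes, a POST of a JPEG straight to a hardcoded IP address rather than to a hostname, is a pattern a defender can look for in web proxy logs. The following detector is an added example, not code from the article or from Proofpoint: it parses constructed proxy log lines in an assumed space-separated format (timestamp, client, method, URL, content type, bytes), flags image uploads whose destination host is a bare IP address, and tallies the flagged clients. The IP addresses are RFC 5737 documentation ranges and the log lines are invented; the real Screenshotter C2 address is not on the page and is not used here.

```python
"""Added example (not from the article or from Proofpoint): flag HTTP POSTs of
image content sent directly to a bare IP address, the Screenshotter-style
pattern described above, in constructed proxy log lines."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample proxy log (not real traffic). Assumed format:
# <timestamp> <client> <method> <url> <content-type> <bytes>
SAMPLE_LOG = """\
2023-01-24T10:02:11Z 10.0.0.15 POST http://198.51.100.23/upload image/jpeg 48213
2023-01-24T10:02:15Z 10.0.0.15 GET http://www.example.com/index.html text/html 1024
2023-01-24T10:03:40Z 10.0.0.22 POST https://cdn.example.com/api/upload image/jpeg 51002
2023-01-24T10:04:02Z 10.0.0.15 POST http://203.0.113.7:8080/ image/jpeg 47311
2023-01-24T10:05:55Z 10.0.0.31 POST http://192.0.2.9/collect application/json 512
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<ctype>\S+) (?P<size>\d+)$"
)
# Host part of an http(s) URL: bracketed IPv6 or anything up to ':' or '/'.
URL_HOST_RE = re.compile(r"^https?://(?P<host>\[[^\]]+\]|[^/:]+)(?::\d+)?(?:/|$)")


def host_of(url: str) -> str:
    """Return the host portion of a URL ('' if it does not look like http(s))."""
    m = URL_HOST_RE.match(url)
    return m.group("host").strip("[]") if m else ""


def is_bare_ip(host: str) -> bool:
    """True when the host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_line(line: str) -> Dict[str, str]:
    """Parse one log line into its fields; empty dict if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else {}


def find_image_posts_to_ips(log_text: str, min_bytes: int = 10_000) -> List[Dict[str, str]]:
    """Return records for POSTs of image/* bodies to a bare IP destination.

    min_bytes (assumed threshold) drops tiny uploads that are unlikely to be
    a full-desktop screenshot.
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if not rec["ctype"].lower().startswith("image/"):
            continue
        if int(rec["size"]) < min_bytes:
            continue
        host = host_of(rec["url"])
        if not is_bare_ip(host):
            continue
        rec["host"] = host
        hits.append(rec)
    return hits


def count_by_client(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Tally flagged uploads per internal client, for triage ordering."""
    counts: Dict[str, int] = {}
    for rec in hits:
        counts[rec["client"]] = counts.get(rec["client"], 0) + 1
    return counts


if __name__ == "__main__":
    for rec in find_image_posts_to_ips(SAMPLE_LOG):
        print(f'{rec["ts"]} {rec["client"]} -> {rec["host"]} ({rec["size"]} bytes)')
    print(count_by_client(find_image_posts_to_ips(SAMPLE_LOG)))
```

The check keys on the destination being an IP literal rather than a name, because a legitimate image upload (the cdn.example.com line) normally goes to a hostname; a bare-IP POST of image data is worth a look, and a client repeating it, as 10.0.0.15 does here, is worth a look first.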

If the actor is satisfied that the victim represents a money-making opportunity, they will download further post-exploitation tools, such as AHK Bot components that perform reconnaissance on the target’s Active Directory domain.

“The AD profiling is especially concerning as follow-on activities could lead to compromises on all domain-joined hosts,” said Proofpoint.

The attacker then loads the Rhadamanthys Stealer, an off-the-shelf malware designed to steal crypto wallets, Steam accounts, passwords from browsers, FTP clients, chat clients, email clients, VPN configurations, cookies and files.

The group’s working hours are said to align with those of a Russian threat actor.


Some parts of this article are sourced from:
www.infosecurity-magazine.com
