Conceal Threat Alert: Attackers Behind “Screenshotter” Malware Hit Tens of Thousands of Targets in US and Germany

On February 8th, Proofpoint reported on a new threat actor referred to as TA886, which it discovered targeting organizations in the United States and Germany using custom malware called “Screenshotter.” TA886 utilizes a few different initial attack vectors, all delivered via email. While one technique involved directly attaching malicious Microsoft Publisher files to the email, three other techniques relied on users to click on malicious links that would then be opened in the browser. 

The attackers drastically increased the scale of the attacks once they switched to browser-based delivery, ramping up from a limited number of emails sent to a small group of companies with the initial Publisher attack vector to tens of thousands of malicious emails per week with the browser-accessed URL vector.

Once these URLs are loaded, the Screenshotter malware takes screenshots of the victim’s machine and sends them back to the attacker’s server for review. The attackers evaluate the screenshots and decide whether the victim is of value, dropping additional custom payloads that can include a domain profiler script and an info-stealer named “Rhadamanthys” that is loaded into memory. Once these individual tools are loaded, the attackers can steal data and credentials from the machine and map out the victim’s network for possible future lateral movement.

How can modern browser protection solutions prevent this attack?

To prevent these types of attacks, organizations can use advanced browser protection technology like ConcealBrowse’s secure browsing plugin. This plugin blocks phishing and other malicious websites and prevents users from entering login credentials on fake login pages. The technology uses computer vision to detect and block phishing websites, as well as an advanced decision engine that identifies known and suspected malicious URLs so that they can be blocked.

ConcealBrowse’s secure browser extension identifies malicious links wherever they are clicked. This means users of ConcealBrowse are proactively protected from the malicious websites containing the Screenshotter malware, regardless of whether they receive the link in an email or from another vector.

The discovery of TA886 and their Screenshotter malware highlights the need for organizations to use browser-hardening solutions like ConcealBrowse’s secure browser extension to protect against sophisticated attacks. With ConcealBrowse, organizations can prevent attackers from stealing sensitive information and reduce the risk of data breaches and financial loss.

Written by: Conceal Research Team