Hacker

A new threat actor tracked as TA866 targets organizations in the United States and Germany with new custom malware to perform surveillance and data theft on infected systems.

The previously unknown cluster of activity was first discovered by Proofpoint in October 2022, with the security firm reporting that it continued into 2023.

The threat actor appears to have financial motivations, performing a preliminary evaluation of breached systems to determine if the target is valuable enough for further intrusion.

Surveilling victims before stealing data

The threat actor targets victims using phishing emails that include Microsoft Publisher (.pub) attachments with malicious macros, URLs linking to .pub files with macros, or PDFs containing URLs that download dangerous JavaScript files.

Proofpoint says the number of emails sent in TA866 increased exponentially in December 2022 and continued upward in January 2023, with the emails written in English or German, depending on the target.

Volumes of phishing email distribution
Volumes of phishing email distribution (Proofpoint)

If the recipients of these emails click on the URLs, a multi-step attack chain is triggered, resulting in the download and execution of "Screenshotter," one of TA866's custom malware tools.

This tool takes JPG screenshots from the victim'svictim's machine and sends them back to the threat actor'sactor's server for review.

Screenshotter component
Screenshotter component (Proofpoint)

The attackers then manually examine these screenshots and decide whether the victim is of value. This evaluation may include having the Screenshotter malware snap more screenshots or dropping additional custom payloads like:

  • A domain profiler script that sends AD (Active Directory) domain details to the C2
  • A malware loader script (AHK Bot loader) that loads an info-stealer into memory

The stealer loaded in memory is named ''Rhadamanthys,'' a malware family seen promoted in underground forums since last summer and becoming more commonly used in attacks.

Part of the stealer's code
Part of the stealer's code (Proofpoint)

Its capabilities include stealing cryptocurrency wallets, credentials, and cookies stored in web browsers, FTP clients, Steam accounts, Telegram and Discord accounts, VPN configurations, and email clients.

Additionally, Rhadamanthys is also capable of stealing files from the breached system.

TA886 attack chain
TA866 attack chain (Proofpoint)

Profiling TA866

Proofpoint says TA866 is actively involved in the attacks, checking the stolen data and sending commands to its malware during times that resemble a regular workday in the UTC+2 or UCT+3 time zone.

When combined with the presence of Russian language variable names and comments in the code of the AHK Bot loader, the clues indicate that TA866 is very likely a Russian threat actor.

Russian comment in AHK Bot loader's code
Russian comment in AHK Bot loader's code (Proofpoint)

Proofpoint has attempted to find overlaps and similarities with past reports describing similar TTPs (techniques, tactics, and procedures), but it could not make any definitive connections.

However, there are signs of the AHK Bot tool being used in previous espionage campaigns.

"Proofpoint assesses with low to moderate confidence that these campaigns were likely performed by TA866 given the similarities in TTPs but the possibility of the tools being used by more than one actor cannot be completely ruled out. Attribution investigation is ongoing." - Proofpoint.

TA866 attacks are still underway, and Proofpoint warns that Active Directory profiling should be a cause of concern, as it could compromise all domain-joined hosts with information-stealing malware.

Related Articles:

Malicious PowerShell script pushing malware looks AI-written

Millions of Docker repos found pushing malware, phishing sites

New Latrodectus malware attacks use Microsoft, Cloudflare themes

CoralRaider attacks use CDN cache to push info-stealer malware

Fake cheat lures gamers into spreading infostealer malware