Proofpoint has reported a new threat actor it tracks as TA886 targeting organizations in the United States and Germany with a custom malware tool set called “Screenshotter.” The malware captures screenshots of the victim’s machine and sends them to the attacker’s server for review. The attackers evaluate the screenshots and decide whether the victim is worth pursuing; if so, they drop additional payloads, including a domain profiler script and the Rhadamanthys information stealer, which is loaded into memory. Once these tools are in place, the attackers can steal data and credentials from the machine and map out the victim’s network for potential future lateral movement.
According to Proofpoint’s report, TA886 uses a few different initial access vectors, all delivered by email. One technique attaches a malicious Microsoft Publisher file directly to the email, while three others rely on the user clicking a link in the email that opens in the browser. The scale of the campaigns grew sharply once the actor moved to the browser-based lures: the Publisher attachment vector was used in a limited number of emails against a small group of companies, whereas the URL vector reached tens of thousands of malicious emails per week.
These attacks highlight the need for modern browser protection solutions like ConcealBrowse’s secure browsing plugin, which can stop the URL-based lures by detecting and blocking phishing and other malicious websites. The plugin uses computer vision to detect and block phishing websites and an advanced decision engine that identifies known and suspected malicious URLs and blocks them. Users of ConcealBrowse are therefore proactively protected from the malicious websites used to deliver the Screenshotter malware, regardless of how the link reached them. The attachment-based Publisher lure does not pass through the browser, so it has to be caught by email filtering instead.
Using advanced browser protection technology like ConcealBrowse can help organizations prevent attackers from stealing sensitive information and reduce the risk of data breaches and financial loss. It is also essential to educate employees on how to recognize and avoid phishing emails and links to prevent such attacks.
To protect against attacks like the Screenshotter malware, organizations should follow these best practices:
- Train employees to recognize phishing emails and suspicious links.
- Use modern browser protection solutions like ConcealBrowse’s secure browsing plugin to block phishing and other malicious websites.
- Use email filtering technology to identify and block emails containing malicious attachments or links.
- Keep all software up to date with the latest security patches to prevent vulnerabilities from being exploited.
- Implement a strong password policy and enforce multi-factor authentication, so that credentials harvested by an information stealer such as Rhadamanthys are not sufficient on their own to access accounts.
- Regularly back up important data so that a breach does not also mean permanent data loss.
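The email-filtering point above can be made concrete. The following Python routine is an added example, not code from the original post or from ConcealBrowse or Proofpoint; it triages a raw `.eml` message for the two delivery patterns described earlier (a Microsoft Publisher file attached directly, or a link in the body that the recipient is expected to open in a browser) and returns a verdict. The sample messages, addresses and domain are constructed for this example and are not real indicators, and the Publisher MIME types listed are an assumption about what mail clients commonly set, not something taken from the report.

```python
"""Triage an .eml message for the two TA886 delivery patterns described
in the post: a Microsoft Publisher attachment, or a URL in the body.

Added example, not ConcealBrowse or Proofpoint code. Sample data below is
constructed; the addresses and domain are placeholders, not indicators.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# The .pub extension is the signal the post supports. The MIME types are an
# assumption about what mail clients commonly set for Publisher files.
PUBLISHER_EXTENSIONS = (".pub",)
PUBLISHER_MIME_TYPES = {"application/vnd.ms-publisher", "application/x-mspublisher"}

# Coarse URL matcher for plain-text and HTML bodies; stops at whitespace
# and common HTML/quote delimiters.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def triage(raw: bytes) -> dict:
    """Return Publisher attachments, body URLs and a verdict for one message.

    Verdicts: "block" for a Publisher attachment (the attachment vector never
    reaches the browser, so email filtering is the only control), "review"
    when the body carries links that should go to a URL reputation check, and
    "allow" otherwise.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = {"publisher_attachments": [], "urls": [], "verdict": "allow"}

    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        filename = part.get_filename() or ""
        ctype = part.get_content_type()
        if filename.lower().endswith(PUBLISHER_EXTENSIONS) or ctype in PUBLISHER_MIME_TYPES:
            findings["publisher_attachments"].append(filename or ctype)
        elif ctype in ("text/plain", "text/html"):
            findings["urls"].extend(URL_RE.findall(part.get_content()))

    if findings["publisher_attachments"]:
        findings["verdict"] = "block"
    elif findings["urls"]:
        findings["verdict"] = "review"
    return findings


def build_sample(body: str, attach_publisher: bool = False) -> bytes:
    """Construct a sample message for this example (placeholder addresses)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = "Invoice"
    m.set_content(body)
    if attach_publisher:
        # Dummy bytes standing in for a Publisher document.
        m.add_attachment(b"\x00" * 32, maintype="application",
                         subtype="octet-stream", filename="invoice.pub")
    return m.as_bytes(policy=policy.default)


# Constructed samples covering the three verdicts.
SAMPLE_PUBLISHER = build_sample("Please see the attached invoice.\n", attach_publisher=True)
SAMPLE_LINK = build_sample("Please open: https://example.invalid/doc\n")
SAMPLE_CLEAN = build_sample("Thanks for your order.\n")

if __name__ == "__main__":
    for name, sample in [("publisher", SAMPLE_PUBLISHER), ("link", SAMPLE_LINK), ("clean", SAMPLE_CLEAN)]:
        print(name, triage(sample))
```

Two caveats a practitioner would apply: extension and MIME matching is a coarse gate (a renamed or archived Publisher file slips past it, so a real filter should inspect file contents or detonate the attachment), and the "review" verdict only surfaces candidate links. At tens of thousands of emails per week, the presence of a URL is noise by itself; the decision has to come from a URL reputation or detonation check, which is the role the post assigns to the browser-side decision engine.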
In conclusion, the discovery of the Screenshotter malware and the actions of the TA886 threat actor underscore the importance of using advanced browser protection technology like ConcealBrowse’s secure browsing plugin to protect against sophisticated attacks. Organizations must also educate their employees on how to recognize and avoid phishing emails and suspicious links. By implementing these best practices, organizations can reduce the risk of data breaches and financial loss and protect their sensitive information from cybercriminals.