New Screenshotter malware launched

A hacker has created new malware that captures screenshots and identifies high-value targets. The malware, dubbed “Screenshotter,” has been discovered to be capable of taking screenshots of infected computers, giving hackers access to a wealth of sensitive data.

A new threat actor identified as TA886 is spreading the malware, which targets organizations and individuals in the United States and Germany. This malware is thought to be used by attackers to gather information about their targets, such as login credentials and other sensitive data. Proofpoint discovered it in October 2022, and the security firm reported that it continued into 2023.

It can steal cryptocurrency wallets, credentials, and cookies stored in web browsers, FTP clients, Steam accounts, Telegram and Discord accounts, VPN configurations, and email clients, among other things.

When the Screenshotter malware is delivered to the target’s computer via a malicious email or website, the attack begins. Once installed, the malware begins capturing screenshots of the infected computer and sending them back to the attacker. The malware is capable of evading traditional antivirus software, making detection even more difficult.

The threat actor targets victims through phishing emails that contain Microsoft Publisher (.pub) attachments containing malicious macros, URLs linking files containing macros, or PDFs containing URLs that download dangerous JavaScript files. According to Proofpoint, the number of emails sent in TA886 increased exponentially in December 2022 and continued to rise in January 2023, with the emails written in either English or German depending on the target.

If the recipients of these emails click on the URLs, a multi-step attack chain is launched, which results in the download and execution of “Screenshotter,” one of TA886’s custom malware tools. This tool collects JPG screenshots from the victim’svictim’s machine and sends them to the threat actor’sactor’s server for analysis.

The attackers then manually review these screenshots to determine whether the victim is valuable. This assessment could include having the Screenshotter malware take more screenshots or dropping additional custom payloads such as a domain profiler script that sends AD (Active Directory) domain details to the C2. Also included is a malware loader script (AHK Bot loader) that loads an information stealer into memory.

The sources for this piece include an article in BleepingComputer.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web