Hackers Targeting U.S. and German Firms Monitor Victims' Desktops with Screenshotter
A previously unknown threat actor has been targeting companies in the U.S. and Germany with bespoke malware designed to steal confidential information.
The attachments range from macro-laced Microsoft Publisher files to PDFs with URLs pointing to JavaScript files.
Irrespective of the method used, executing the downloaded JavaScript file leads to an MSI installer that unpacks a VBScript dubbed WasabiSeed, which functions as a tool to fetch next-stage malware from a remote server.
A successful reconnaissance phase is followed by the distribution of more malware for post-exploitation, with select attacks deploying an AutoHotKey-based bot to drop an information stealer named Rhadamanthys.
Proofpoint said the URLs used in the campaign involved a traffic direction system called 404 TDS, enabling the adversary to serve malware only in scenarios where the victims meet a specific set of criteria, such as geography, browser application, and operating system.
The attacks are no different from those using other types of malicious Office files, wherein the email recipient is duped into opening the document and clicking on a fake button, which results in the execution of embedded HTA code to retrieve Qakbot malware.
News URL: https://thehackernews.com/2023/02/hackers-targeting-us-and-german-firms.html