
Screenshotter Malware

The Screenshotter malware is a newly discovered custom-made threat designed for surveillance and data theft. The cybercriminal group behind it is tracked as TA886, and it is using the tool to target individuals in the United States and Germany.

According to researchers, the Screenshotter malware is created to evaluate the potential victims prior to launching a full-scale attack. This allows TA886 to determine whether the potential payoff from the attack is worth the effort. The malware captures screenshots of the victim's device, which can then be used to gather information about the victim's activities and preferences.

The Screenshotter malware campaign was first identified in October 2022, but its activity has increased significantly in 2023. This highlights the continued evolution of malware and the need for individuals to remain vigilant and proactive in protecting their devices and personal information. The attack operations involving Screenshotter are being grouped by cybersecurity researchers under the name Screentime campaigns.

Attack Campaign and Infection Vector for the Delivery of the Screenshotter Malware

The targets of the cybercriminals are sent phishing emails. The attackers use several different lures, one example being a request to review a linked presentation. The provided link, however, leads to a weaponized file. Victims may receive an attachment in the form of an unsafe Microsoft Publisher file (.pub), a link that leads to .pub files carrying malicious macros, or a contaminated PDF that downloads JavaScript files when opened. The infection begins when the recipient opens the attachment or clicks the link in the email.

The Screentime campaigns that were observed employed a multi-stage infection chain. To ensure persistence on the breached devices, the TA886 threat actors first deployed a payload named WasabiSeed. This payload serves as a foothold for the attackers to then infect the system with the Screenshotter malware.

Once the system is infected, the Screenshotter malware begins taking screenshots of the desktop in the JPG image format and transmitting them to the cybercriminals. The screenshots are then meticulously reviewed by the threat actors, who use the collected information to decide their next moves.
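The chain described above has two observable stages a defender can look for: a document-lure application (Publisher or a PDF reader) handing off to a script host, and a process that writes a burst of JPG files and then talks to the network. The heuristic detector below is an added example, not code from the page or from any vendor; the telemetry lines are constructed, and `stage2.exe` is a placeholder because the page does not name the Screenshotter binary.

```python
from collections import defaultdict

# Parent processes matching the lures on this page: Publisher (.pub macros) and a PDF reader.
LURE_PARENTS = {"mspub.exe", "acrord32.exe"}
# Script hosts a macro or PDF-launched JavaScript would hand off to.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

# Constructed telemetry, not real logs. Fields: ts|type|host|pid|image|parent|detail
SAMPLE_EVENTS = [
    "2023-02-10T09:01:05|process|ws01|4120|WScript.exe|MSPUB.EXE|C:\\Users\\u\\AppData\\Local\\Temp\\deck.js",
    "2023-02-10T09:01:40|process|ws01|4130|stage2.exe|WScript.exe|",
    "2023-02-10T09:02:10|file|ws01|4130|stage2.exe|WScript.exe|C:\\Users\\u\\AppData\\Local\\Temp\\s1.jpg",
    "2023-02-10T09:02:11|file|ws01|4130|stage2.exe|WScript.exe|C:\\Users\\u\\AppData\\Local\\Temp\\s2.jpg",
    "2023-02-10T09:02:12|file|ws01|4130|stage2.exe|WScript.exe|C:\\Users\\u\\AppData\\Local\\Temp\\s3.jpg",
    "2023-02-10T09:02:15|network|ws01|4130|stage2.exe|WScript.exe|203.0.113.10:443",
    "2023-02-10T09:03:00|process|ws01|5000|chrome.exe|explorer.exe|",
    "2023-02-10T09:03:01|file|ws01|5000|chrome.exe|explorer.exe|C:\\Users\\u\\Downloads\\photo.jpg",
    "2023-02-10T09:03:02|network|ws01|5000|chrome.exe|explorer.exe|198.51.100.7:443",
]

def parse_event(line):
    ts, etype, host, pid, image, parent, detail = line.split("|", 6)
    return {"ts": ts, "type": etype, "host": host, "pid": pid,
            "image": image.lower(), "parent": parent.lower(), "detail": detail}

def detect(lines, min_screenshots=3):
    """Return alert strings for the two behaviours the page describes."""
    alerts = []
    jpg_writes = defaultdict(int)   # (host, pid) -> number of .jpg files written
    connected = set()               # (host, pid) that made outbound connections
    images = {}
    for line in lines:
        ev = parse_event(line)
        key = (ev["host"], ev["pid"])
        images[key] = ev["image"]
        # Stage 1: a document-lure application spawning a script host.
        if ev["type"] == "process" and ev["parent"] in LURE_PARENTS and ev["image"] in SCRIPT_HOSTS:
            alerts.append(f"{ev['host']}: {ev['parent']} spawned {ev['image']} (lure-stage script execution)")
        elif ev["type"] == "file" and ev["detail"].lower().endswith(".jpg"):
            jpg_writes[key] += 1
        elif ev["type"] == "network":
            connected.add(key)
    # Stage 2: a burst of JPG writes from a process that also talks to the network
    # (the browser's single photo download stays under the threshold).
    for key, n in jpg_writes.items():
        if n >= min_screenshots and key in connected:
            alerts.append(f"{key[0]}: {images[key]} (pid {key[1]}) wrote {n} JPG files and "
                          f"connected outbound (possible screenshot exfiltration)")
    return alerts
```

Tune `min_screenshots` to the environment; the threshold is what keeps ordinary image downloads from tripping the second rule.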

