Phishing Campaigns Targeting German and U.S. Organizations with Multiple Malware

Proofpoint researchers reported multiple phishing campaigns and attributed the activity to the likely financially-motivated TA866, which they assess is a new threat group.
phishing

On February 8, 2023, Proofpoint researchers reported multiple phishing campaigns targeting organizations in multiple industries in the U.S. and Germany.

Context

Proofpoint attributes the activity to the likely financially-motivated TA866, which they assess is a new threat group. The campaign is currently active and has been since at least October 2022.

Technical Details

The emails leveraged in the campaigns reportedly contained Publisher files in October and November 2022 but the threat group pivoted to using URLs in December 2022. The URLs lead to 404TDS (Traffic Distribution System), which researchers assess is valuable to threat actors for its ability to filter traffic.

According to the report, the campaigns deliver two custom malware, WasabiSeed and Screenshotter, and analyze activity on targeted machines through screenshots before installing AHK Bot and the Rhadamanthys infostealing malware.

According to the report, “WasabiSeed is a simple VBS downloader which repeatedly uses Windows Installer to connect to the C2 server looking for MSI packages to download and run.”

Additionally, Screenshotter “is a utility with a single function of taking a JPG screenshot of the user’s desktop and submitting it to a remote C2 via a POST to a hardcoded IP address.”

Researchers also reported details of AHK Bot, which was only delivered in instances where threat actors found interesting content on victim devices. AHK Bot is reportedly “a collection of separate AutoHotKey scripts. Many of them share the same hardcoded C2 address (which is different from the WasabiSeed C2 address) and use the same C: drive serial in the URL path.”

Finally, researcher reported details of the Rhadamanthys stealer, which includes functions such as: “stealing crypto wallets, steam accounts, passwords from browsers, FTP clients, chat clients (e.g. Telegram, Discord), email clients, VPN configurations, cookies, grab files, etc.”

IOCs

Proofpoint researchers provided the following indicators of compromise (IOCs):

Indicator

Type

Notes

southfirstarea[.]com

Domain

404 TDS domain

peak-pjv[.]com

Domain

404 TDS domain

otameyshan[.]com

Domain

404 TDS domain

thebtcrevolution[.]com

Domain

404 TDS domain

annemarieotey[.]com

Domain

404 TDS domain

expresswebstores[.]com

Domain

404 TDS domain

styleselect[.]com

Domain

404 TDS domain

mikefaw[.]com

Domain

404 TDS domain

fgpprlaw[.]com

Domain

404 TDS domain

duncan-technologies[.]net

Domain

404 TDS domain

black-socks[.]org

Domain

404 TDS domain

virtualmediaoffice[.]com

Domain

404 TDS domain

samsontech[.]mobi

Domain

404 TDS domain

footballmeta[.]com

Domain

404 TDS domain

gfcitservice[.]net

Domain

404 TDS domain

listfoo[.]org

Domain

404 TDS domain

duinvest[.]info

Domain

404 TDS domain

shiptrax24[.]com

Domain

404 TDS domain

repossessionheadquarters[.]org

Domain

404 TDS domain

bluecentury[.]org

Domain

404 TDS domain

d934d109f5b446febf6aa6a675e9bcc
41fade563e7998788824f56b3cc16d1ed

SHA256

JavaScript “Document_24_jan-3559116.js”

hxxp[:]//79[.]137.198.60/1/ke.msi

URL

JavaScript Downloading MSI 1 (WasabiSeed Installer)

29e447a6121dd2b1d1221821bd6c4
b0e20c437c62264844e8bcbb9d4be35f013

SHA256

WasabiSeed Installer MSI “ke.msi”

292344211976239c99d62be021af2f4
4840cd42dd4d70ad5097f4265b9d1ce01

SHA256

OCDService.vbs (WasabiSeed) inside ke.msi

hxxp[:]//109[.]107.173.72/%serial%

URL

WasabiSeed downloading payloads (Screenshotter, AHK Bot)

02049ab62c530a25f145c0a5c48e39
32fa7412a037036a96d7198cc57cef1f40

SHA256

Screenshotter Installer MSI

d0a4cd67f952498ad99d78bc081c98af
bef92e5508daf723007533f000174a98

SHA256

Screenshotter component app.js

6e53a93fc2968d90891db6059bac49e
975c09546e19a54f1f93fb01a21318fdc

SHA256

Screenshotter component lumina.exe

322dccd18b5564ea000117e90dafc1b4
bc30d256fe93b7cfd0d1bdf9870e0da6

SHA256

Screenshotter component index.js

hxxp[:]//109[.]107.173.72/screenshot/%serial%

URL

Screenshotter submitting an image to C2

1f6de5072cc17065c284b21acf4d34b
4506f86268395c807b8d4ab3d455b036b

SHA256

AHK Bot installer MSI

3242e0a736ef8ac90430a9f272ff30a8
1e2afc146fcb84a25c6e56e8192791e4

SHA256

AHK Bot Looper component “au3.exe”

3db3f919cad26ca155adf8c5d9cab3e3
58d51604b51b31b53d568e7bcf5301e2

SHA256

AHK Bot Looper component “au3.ahk”

hxxp[:]//89[.]208.105.255/%serial%-du2

URL

AHK Bot Looper C2

hxxp[:]//89[.]208.105.255/%serial%

URL

AHK Bot Domain Profiler C2

hxxp[:]//89[.]208.105.255/download?path=e

URL

AHK Bot Stealer Loader C2

moosdies[.]top

Domain

Rhadamanthys Stealer C2

More Recent Blog Posts

2024 RH-ISAC Cyber Intelligence Summit logo

Register for RH-ISAC Summit

Our biggest event of the year is coming up soon! Join RH-ISAC April 9-11 in Denver for our annual three-day conference featuring interactive, practitioner-led discussions, breakout sessions, and keynote presentations.