Phishing Campaigns Targeting German and U.S. Organizations with Multiple Malware

Proofpoint researchers reported multiple phishing campaigns and attributed the activity to the likely financially-motivated TA866, which they assess is a new threat group.

On February 8, 2023, Proofpoint researchers reported multiple phishing campaigns targeting organizations in multiple industries in the U.S. and Germany.

Context

Proofpoint attributes the activity to the likely financially-motivated TA866, which they assess is a new threat group. The campaign is currently active and has been since at least October 2022.

Technical Details

The emails leveraged in the campaigns reportedly contained Publisher files in October and November 2022, but the threat group pivoted to URLs in December 2022. The URLs lead to 404 TDS (a Traffic Distribution System), which researchers assess is valuable to threat actors for its ability to filter traffic.

According to the report, the campaigns deliver two custom malware families, WasabiSeed and Screenshotter, and the actors review activity on targeted machines through screenshots before installing AHK Bot and the Rhadamanthys infostealing malware.

According to the report, “WasabiSeed is a simple VBS downloader which repeatedly uses Windows Installer to connect to the C2 server looking for MSI packages to download and run.”

Additionally, Screenshotter “is a utility with a single function of taking a JPG screenshot of the user’s desktop and submitting it to a remote C2 via a POST to a hardcoded IP address.”

Researchers also reported details of AHK Bot, which was delivered only in instances where the threat actors found interesting content on victim devices. AHK Bot is reportedly “a collection of separate AutoHotKey scripts. Many of them share the same hardcoded C2 address (which is different from the WasabiSeed C2 address) and use the same C: drive serial in the URL path.”

Finally, researchers reported details of the Rhadamanthys stealer, which includes functions such as: “stealing crypto wallets, steam accounts, passwords from browsers, FTP clients, chat clients (e.g. Telegram, Discord), email clients, VPN configurations, cookies, grab files, etc.”
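As an added illustration (not code from Proofpoint's report or from this post), the following Python sketches a defender-side check over constructed proxy-log lines for the network behaviours described above: MSI downloads from a bare-IP host (WasabiSeed), a POST to a /screenshot/ path on a bare IP (Screenshotter), and beacons whose URL path is a drive serial (AHK Bot). The four-field log layout, the example IPs, and the 8-hex-character serial format are assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample proxy log lines: method, host, path, request content-type ("-" if none).
# Hosts are TEST-NET addresses chosen for the example, not indicators from the report.
SAMPLE_LOG = """\
GET 203.0.113.10 /1/installer.msi -
GET 203.0.113.20 /1A2B3C4D -
GET 203.0.113.20 /1A2B3C4D -
POST 203.0.113.20 /screenshot/1A2B3C4D image/jpeg
GET updates.example.com /setup.msi -
GET 203.0.113.20 /1A2B3C4D-du2 -
"""

# Assumed serial format: 8 hex characters, optionally followed by a "-suffix" tag.
SERIAL_RE = re.compile(r"^/[0-9A-Fa-f]{8}(?:-[A-Za-z0-9]+)?$")


def is_bare_ip(host: str) -> bool:
    """True when the Host is a literal IP rather than a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def parse_line(line: str) -> dict:
    method, host, path, ctype = line.split()
    return {"method": method, "host": host, "path": path, "ctype": ctype}


def classify(rec: dict) -> list:
    """Return the names of the behavioural rules that fire for one record."""
    hits = []
    bare = is_bare_ip(rec["host"])
    if bare and rec["path"].lower().endswith(".msi"):
        hits.append("msi_from_bare_ip")      # installer fetched straight from an IP
    if bare and rec["method"] == "POST" and rec["path"].startswith("/screenshot/"):
        hits.append("screenshot_post")       # image upload to a hardcoded IP
    if bare and SERIAL_RE.match(rec["path"]):
        hits.append("serial_in_path")        # beacon keyed by a volume serial
    return hits


def analyze(log_text: str) -> dict:
    """Map each host to the set of rules it triggered; a host with several is the one to pivot on."""
    per_host = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            for hit in classify(rec):
                per_host.setdefault(rec["host"], set()).add(hit)
    return per_host
```

The `.msi` fetch from a DNS name is deliberately left unflagged so the rules stay narrow; in practice the Windows Installer user agent against a bare IP would be the next field to add.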

IOCs

Proofpoint researchers provided the following indicators of compromise (IOCs):

