TA866 Threat Actor: WasabiSeed & Screenshotter Malware | Proofpoint US

MITRE Techniques

• [T1566.001] Phishing: Spearphishing Attachment – Initial emails used Publisher attachments with macros and links to JS files to start the attack chain. Quote: ‘Publisher (.pub) attachments with macros’ and ‘URLs linking (via 404 TDS) to Publisher files with macros’
• [T1059.007] Command and Scripting Interpreter: JavaScript – JavaScript downloaded and, if run by the user, downloads and runs an MSI package. Quote: ‘The JavaScript, if run by the user (such as by double clicking), downloads and runs an MSI package’
• [T1059.005] Command and Scripting Interpreter: VBScript – WasabiSeed uses an embedded VBS script OCDService.vbs. Quote: ‘The WasabiSeed script’ and ‘OCDService.vbs (WasabiSeed) inside ke.msi’
• [T1547.001] Boot or Logon Autostart Execution: Startup Folder – WasabiSeed establishes persistence via an LNK file created in the Windows Startup folder. Quote: ‘creates persistence for WasabiSeed via an LNK file “OCDService.lnk” created in the Windows Startup folder’
• [T1113] Screen Capture – Screenshotter takes desktop screenshots as part of reconnaissance. Quote: ‘takes a JPG screenshot of the user’s desktop and submitting it to a remote C2 via a POST to a hardcoded IP address’
• [T1041] Exfiltration Over C2 Channel – Screenshotter posts captured images to the C2. Quote: ‘POST to the same C2 address used by WasabiSeed’
• [T1055] Process Injection – Stealer Loader loads a DLL (Rhadamanthys) from memory. Quote: ‘downloads, decrypts and runs a DLL as bytes from memory’
• [T1082] System Information Discovery (Domain Profiler) – Domain Profiler determines the machine’s AD domain and reports to C2. Quote: ‘determines the machine’s Active Directory (AD) domain and sends it to the C2’
• [T1071.001] Application Layer Protocol: Web Protocols – C2 communications and payloads retrieved over HTTP/POST. Quote: ‘to the C2 server’ via HTTP POST