Tatar-Language Users In The Crosshairs Of Python Screenshotter

CRIL uncovered a Python-based screenshotter malware campaign that exfiltrates captured images via FTP, distributed through disguised RAR archives containing a loader. Proofpoint links similar activity to TA866, noting a Tatar-language target tied to late August Republic Day timing and PowerShell-driven post-exploitation capabilities. #TA866 #WasabiSeed

Keypoints

  • Python-based malware captures screenshots and uploads them to a remote FTP server.
  • The initial distribution leverages a RAR containing a legitimate video and a disguised executable with a themed icon.
  • Campaigns target Tatar-speaking users in a specific Russian region and are timed to coincide with Republic Day (late August).
  • A PowerShell-based loader downloads and deploys additional payloads from Dropbox, including ZIP archives with executables and scripts.
  • The malware uses a scheduled task (pyisgit.exe) and a looped screenshot process (sc_new.ps1) to continuously capture data and exfiltrate it.
  • Post-exploitation activity may include dropping tools like Cobalt Strike beacons, RATs, stealers (e.g., Rhadamanthys Stealer/AHK Bot) after initial access.

MITRE Techniques

  • [T1566.001] Phishing – This malware could reach users via phishing emails. Quote: “This malware could reach users via phishing emails.”
  • [T1204] User Execution – The user opens the malicious executable file from the spam attachment. Quote: “The user opens the malicious executable file from the spam attachment.”
  • [T1059] Command and Scripting Interpreter – PowerShell scripts are used for malicious operations such as taking screenshots, transferring via FTP, etc. Quote: “PowerShell scripts are used for malicious operations such as taking screenshots, transferring via FTP, etc.”
  • [T1202] Indirect Command Execution – PowerShell commands are executed using malicious executables. Quote: “PowerShell commands are executed using malicious executables.”
  • [T1113] Screen Capture – PowerShell script taking screenshots. Quote: “PowerShell script taking screenshots.”
  • [T1119] Automated Collection – PowerShell script takes screenshots in a loop and stores them locally. Quote: “PowerShell script takes screenshots in a loop and stores them locally.”
  • [T1053.005] Scheduled Task – pyisgit.exe getting executed at every user login and periodically. Quote: “pyisgit.exe getting executed at every user login and periodically.”
  • [T1029] Scheduled Transfer – FTP is used for transferring the data. Quote: “FTP is used for transferring the data.”

Indicators of Compromise

  • [Hash] File Hashes – 675fcbfcd07026269302eb2efcadaf98, 16a78de42683a4524918fde525d5449f4442efaf, and 8f60de2780490b46083d774eb9921d823c6761f252c7a216265ce7339b8d90e1 (Malicious RAR file)
  • [File Name] Filenames – С Днем Республики Татарстан!.mp4, С Днем Республики.jpg.exe, filename.zip (plus 2 more)
  • [URL] DropBox ZIP – hxxps://www.dropbox[.]com/scl/fi/hq90fosq6l819auwti5u4/sc3.zip?rlkey=hxnt4ujg2r61cvdim77cwqnlc&dl=1
  • [URL] Remote FTP server – fxp://ftpupload3.dfiles[.]eu/
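As an added defender-side example (not code from the Cyble report or from the malware), the Python script below scans constructed endpoint events for the three stages listed above: a scheduled task registering pyisgit.exe, PowerShell launching the sc_new.ps1 screenshot loop, and a script host connecting to the dfiles.eu FTP server. The event field names and the screenshot API pattern (CopyFromScreen/System.Drawing) are assumptions, not details taken from the report.

```python
"""Hunt constructed endpoint telemetry for the screenshotter chain described
above. Field names follow an assumed Sysmon-like schema; all events are
constructed for this example and are not real telemetry."""
import re

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /sc onlogon /tn Sync /tr C:\Users\u\AppData\Roaming\pyisgit.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ep bypass -w hidden -File C:\Users\u\AppData\Roaming\sc_new.ps1"},
    {"type": "network", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst_host": "ftpupload3.dfiles.eu", "dst_port": 21},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_host": "example.org", "dst_port": 443},
]

# Artifact names (pyisgit.exe, sc_new.ps1, dfiles.eu) come from the report above.
# The .NET screenshot API names are an assumption about what such a loop calls.
TASK_BINARY = re.compile(r"pyisgit\.exe", re.I)
SCREENSHOT_SCRIPT = re.compile(r"sc_new\.ps1|CopyFromScreen|System\.Drawing", re.I)
FTP_HOST = re.compile(r"dfiles\.eu$", re.I)


def is_powershell(image):
    return image.lower().endswith("powershell.exe")


def scan(events):
    """Return (MITRE technique, reason) findings for events matching the chain."""
    findings = []
    for ev in events:
        img, cmd = ev.get("image", ""), ev.get("cmdline", "")
        if ev["type"] == "process":
            # T1053.005: schtasks /create pointing at the report's task binary
            if "schtasks" in img.lower() and "/create" in cmd.lower() and TASK_BINARY.search(cmd):
                findings.append(("T1053.005", f"scheduled task registers {TASK_BINARY.search(cmd).group()}"))
            # T1113: PowerShell launched with the screenshot script or screen-capture API
            if is_powershell(img) and SCREENSHOT_SCRIPT.search(cmd):
                findings.append(("T1113", "PowerShell launched with screenshot script/API"))
        elif ev["type"] == "network":
            # T1029: script host (or AppData-resident binary) talking FTP / to the known host
            from_script_host = is_powershell(img) or "\\AppData\\" in img
            if from_script_host and (ev.get("dst_port") == 21 or FTP_HOST.search(ev.get("dst_host", ""))):
                findings.append(("T1029", f"script host FTP connection to {ev.get('dst_host')}"))
    return findings


if __name__ == "__main__":
    for technique, reason in scan(SAMPLE_EVENTS):
        print(technique, reason)
```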

Read more: https://cyble.com/blog/tatar-language-users-in-the-crosshairs-of-python-screenshotter/