New phishing campaign uses screenshot to deliver malware

February 21, 2023 - TuxCare PR Team

Proofpoint Threat Research researchers have discovered a new phishing campaign that employs screenshots to deliver malware payload to unsuspecting victims.

The attacker sends an email with a screenshot attached that, when opened, launches a macro that downloads and executes the malware. Because the emails are disguised as legitimate internal emails from the company’s IT department, the attackers appear to be targeting high-level executives.

According to Proofpoint, for a compromise to be successful, a user must click on a malicious link and, if successfully filtered, interact with a JavaScript file to download and run additional payloads. “Organizations should educate end users about this technique and encourage users to report suspicious emails and other activities,” said the researchers.

The phishing emails are urgent in nature, requesting that the recipients review an attached document or report. The email instructs the recipient to access the document by clicking on a button or a link, which then downloads the malware onto the recipient’s device.

This campaign’s malware is a Remote Access Trojan (RAT), which allows the attacker to gain access to and control of the victim’s device. Keystrokes can be captured, screenshots taken, and sensitive data such as passwords, emails, and financial information stolen.

The screenshotter is a simple utility that takes a JPG screenshot of the user’s desktop and sends it to a remote C2 via a POST to a hardcoded IP address. This aids the threat actor during the reconnaissance and victim profiling stages. Proofpoint discovered several Screenshotter variants, including Python-based, AutoIT-based, and JavaScript/IrfanView-based variants. All perform the same function, and the network protocol is the same.

The use of screenshots in this campaign is a novel tactic that makes traditional email security solutions difficult to detect and block phishing emails. The attackers can easily avoid detection by using a legitimate screenshot from the targeted company, which makes the message appear more credible to the recipient.

The Screenshotter code is contained within an MSI package (SHA256: 02049ab62c530a25f145c0a5c48e3932fa7412a037036a96d7198cc57cef1f40). The package includes lumina.exe, an unmodified copy of IrfanView version 4.62, and app.js, the MSI package’s first file. It executes lumina.exe, which captures a screenshot of the desktop and saves it as a JPG, as well as index.js, the second file executed by the MSI package.

The sources for this piece include an article in SCMedia.

Whatch this news on our Youtube Channel: https://www.youtube.com/watch?v=gRtQZ3ljvrE

Summary