Email phishing awareness

Here's your friendly reminder to double-check any URL you click or email you open. Most email clients will warn you about common malicious signatures, and corporate email systems typically flag messages from external sources. It's good practice to put any such email under extra scrutiny before clicking anything.

Enterprise security company Proofpoint, tracking the activity cluster under the name Screentime, reported that a group dubbed TA866 launched attacks via emails containing attachments or URLs that lead to malware. The attachments could be macro-laced Microsoft Publisher files, PDFs with URLs pointing to JavaScript files, or similar.

Whatever the delivery vehicle, executing the downloaded JavaScript file leads to an MSI installer that unpacks a VBScript called WasabiSeed. This then downloads a payload named Screenshotter, a utility that periodically takes screenshots of the victim's desktop and transmits them back to a command-and-control server. In Cyber Kill Chain terms, this activity heavily supports the reconnaissance stage.
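For mail administrators, here is a triage sketch for the two delivery vehicles named above: Publisher attachments and links that point to JavaScript files. It is an added example, not Proofpoint's tooling or code from the original post; the function names and the sample message are made up for illustration. It assumes links are visible in the decoded bytes of each part, so URLs inside compressed PDF streams are not seen, and a hit is a reason for closer inspection rather than a verdict.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

URL_RE = re.compile(rb"https?://[^\s<>\"')\]]+", re.I)

def js_urls(blob: bytes) -> list[str]:
    """URLs found in raw bytes whose path ends in .js (query string ignored)."""
    hits = []
    for raw in URL_RE.findall(blob):
        url = raw.decode("ascii", "replace").rstrip(".,;")
        if urlparse(url).path.lower().endswith(".js"):
            hits.append(url)
    return hits

def triage(raw_email: bytes) -> list[str]:
    """Flag Publisher attachments and .js links in the body or any attachment."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        if name.lower().endswith(".pub"):
            findings.append(f"publisher-attachment:{name}")
        findings += [f"js-url:{name or 'body'}:{u}" for u in js_urls(data)]
    return findings

def build_sample() -> bytes:
    """Constructed test message; every address, host and file name is made up."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "user@example.org"
    m["Subject"] = "Project document"
    m.set_content("Please review: https://files.example.net/docs/view.js?id=7")
    m.add_attachment(b"%PDF-1.4\n<< /S /URI /URI (https://cdn.example.net/a/report.JS) >>\n",
                     maintype="application", subtype="pdf", filename="invoice.pdf")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename="offer.pub")
    return m.as_bytes()

if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```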

Stay cautious. When in doubt, don't click.


Originally published on LinkedIn.
