Continuing #100DaysOfYara with Day 2️⃣7️⃣: More practice with the VT module, detecting JavaScript malware
🔗 https://github.com/colincowie/100DaysOfYara_2023/blob/main/January/027/027.md

Recently Proofpoint shared research about a new threat group they track as #TA886 that makes use of JavaScript malware:
📖 https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me

Today's YARA rule uses the VirusTotal module to detect JavaScript files that download a .msi sample in the same way TA886's malware does. This rule dug up a lot of low-detection samples from this recent campaign!
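An illustrative rule in the spirit of the one described above, added here as an example and not the author's rule from the linked repository. It assumes the VirusTotal Livehunt/Retrohunt `vt` module (field names as documented by VirusTotal), and the .msi URL, dropped-file and WSH-primitive heuristics are my own assumptions rather than TA886 specifics taken from the Proofpoint report.

```yara
import "vt"

// Illustrative rule, not the author's rule from the linked repo. Assumes the
// VirusTotal "vt" module (Livehunt/Retrohunt). The .msi and WSH heuristics
// below are assumptions for demonstration, not details from the TA886 report.
rule js_downloader_fetches_msi
{
    meta:
        description = "JavaScript file whose sandbox run fetches or drops an MSI installer"
        reference = "https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me"

    strings:
        // Static hints: an installer reference plus a classic WSH download/exec primitive
        $msi1 = ".msi" ascii wide nocase
        $msi2 = "msiexec" ascii wide nocase
        $dl1  = "XMLHTTP" ascii wide nocase
        $dl2  = "ADODB.Stream" ascii wide nocase
        $dl3  = "WScript.Shell" ascii wide nocase

    condition:
        // Only consider files VirusTotal classifies as JavaScript
        vt.metadata.file_type == vt.FileType.JAVASCRIPT
        and filesize < 2MB
        and 1 of ($msi*) and 1 of ($dl*)
        // Dynamic confirmation from the sandbox report: an HTTP request for an
        // .msi, or an .msi written to disk during execution
        and (
            for any http in vt.behaviour.http_conversations : (
                http.url iendswith ".msi" or http.url icontains ".msi?"
            )
            or for any f in vt.behaviour.files_dropped : (
                f.path iendswith ".msi"
            )
        )
        // Keep the focus on low-detection samples, as the post describes
        and vt.metadata.analysis_stats.malicious < 5
}
```

The static strings alone would match plenty of benign installer scripts; the behaviour clauses are what narrow the hits to samples that actually pulled an MSI in the sandbox, so tune the detection threshold to the campaign you are hunting.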

#IOCs from retrohunting can be found here:
🔗 https://github.com/colincowie/100DaysOfYara_2023/blob/main/January/027/retrohuntin_results.csv
