Attack Chain

1. The user unknowingly downloads and executes a malicious file, potentially delivered through a phishing email or drive-by download.
2. The Braodo stealer malware is executed on the victim’s system.
3. The malware begins capturing screenshots of the victim’s desktop using Windows APIs.
4. The screenshots are saved as .png, .jpg, or .bmp files.
5. The files are saved in the user’s TEMP directory (e.g., C:\Users\\AppData\Local\Temp\).
6. The malware may compress or encrypt the captured screenshots.
7. The malware exfiltrates the captured data to a command-and-control server.
8. The attacker gains access to sensitive information displayed on the victim’s screen, such as credentials or financial data, and uses it for malicious purposes.

Impact

Successful exploitation can lead to the theft of sensitive information, including credentials, financial data, and personally identifiable information (PII). This can result in financial loss, identity theft, and reputational damage for the victim. The Braodo stealer has been observed targeting users in the United States, indicating a broad scope of potential victims. The malware’s ability to capture screenshots allows attackers to bypass multi-factor authentication and other security measures that rely on information displayed on the screen.

Recommendation

• Enable Sysmon Event ID 11 (FileCreate) logging to monitor file creation events on endpoints (required for the Sigma rules below).
• Deploy the provided Sigma rule Detect Screen Capture Files Created in TEMP Directory to identify potential screen capture activity in temporary directories.
• Investigate any alerts generated by the Sigma rule, focusing on processes creating image files in the TEMP directory.
• Review and update endpoint security policies to prevent the execution of malware from temporary directories.
• Monitor network traffic for suspicious outbound connections from processes creating screen capture files (T1071).