Backdoor Abuses TeamViewer to Spy on Victims

A recently spotted backdoor Trojan abuses the legitimate TeamViewer remote access tool to spy on victims, Doctor Web security researchers warn.

Malware that leverages the popular remote control utility for nefarious purposes isn’t unheard of, but it seems that cybercriminals are constantly searching for new ways to abuse it. Dubbed BackDoor.TeamViewerENT.1 and distributed under the name Spy-Agent, the Trojan installs legitimate TeamViewer components on the compromised machines to spy on its victims.

According to Doctor Web, the actors behind this piece of malware have been developing it since 2011, and have been regularly releasing modified versions. The security researchers also explain that the Trojan’s system management interface is called Spy-Agent, the same as the malicious program itself.

Like BackDoor.TeamViewer.49, a piece of malware spotted in May this year, TeamViewerENT.1 is a multi-component Trojan. Unlike that earlier threat, however, the new malicious program does not use TeamViewer merely to load a malicious library into memory; it abuses the tool itself to carry out spying operations.

The malware’s main payload is placed in a library named avicap32.dll, which TeamViewer needs in order to run. The malicious library is stored in the same folder as the TeamViewer executable, which ensures that it is the copy that gets loaded. Here the malware authors abuse the Windows DLL search order: when a program needs a dynamic library, the system first looks in the folder the program was launched from and only afterwards in the Windows system directory, which is where the genuine avicap32.dll is normally stored.
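A defender can look for this search-order abuse on disk. The following is an added example (not Doctor Web's analysis code nor anything shipped by TeamViewer): it indexes the DLLs in a system directory, then walks application folders and flags any DLL that shares a name with a system DLL and sits next to an executable, reporting whether its contents differ from the system copy. The directory layout built in `demo()` is constructed for demonstration; on a real host you would point it at `C:\Windows\System32` and `C:\Program Files`.

```python
# Added example (not Doctor Web's or TeamViewer's code): scan application
# folders for DLLs that shadow a same-named library in the system directory,
# the avicap32.dll search-order trick described above. The directory layout
# built in demo() is constructed for demonstration.
import hashlib
import os
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def system_dll_index(system_dir):
    """Map lower-cased DLL name -> SHA-256 for every DLL in system_dir."""
    return {n.lower(): sha256_of(os.path.join(system_dir, n))
            for n in os.listdir(system_dir) if n.lower().endswith(".dll")}

def find_shadowing_dlls(app_root, system_index):
    """Return (dll_path, differs_from_system) for each DLL under app_root that
    shares its name with a system DLL and sits beside an .exe, which is the
    folder the loader searches first."""
    findings = []
    for dirpath, _, files in os.walk(app_root):
        if not any(f.lower().endswith(".exe") for f in files):
            continue  # no launchable program here, so nothing loads from it
        for f in files:
            key = f.lower()
            if key.endswith(".dll") and key in system_index:
                path = os.path.join(dirpath, f)
                findings.append((path, sha256_of(path) != system_index[key]))
    return findings

def demo():
    """Constructed layout: genuine avicap32.dll in System32, a planted copy
    beside TeamViewer.exe, plus a benign app-specific DLL that is not flagged."""
    root = tempfile.mkdtemp()
    sysdir = os.path.join(root, "System32")
    appdir = os.path.join(root, "Program Files", "TeamViewer")
    for d in (sysdir, appdir):
        os.makedirs(d)
    samples = {(sysdir, "avicap32.dll"): b"GENUINE-SYSTEM-LIBRARY",
               (appdir, "TeamViewer.exe"): b"MZ-teamviewer-stub",
               (appdir, "avicap32.dll"): b"PLANTED-PAYLOAD",
               (appdir, "tv_helper.dll"): b"app-specific-library"}
    for (d, n), data in samples.items():
        with open(os.path.join(d, n), "wb") as fh:
            fh.write(data)
    return find_shadowing_dlls(os.path.join(root, "Program Files"),
                               system_dll_index(sysdir))
```

`demo()` returns a single finding, the planted avicap32.dll beside TeamViewer.exe, with the differs flag set; a DLL that merely duplicates the system copy byte-for-byte would still be listed but with the flag cleared.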

After launch, TeamViewerENT.1 performs a series of fairly standard operations on the infected computer to hide its presence: it disables error messaging for the TeamViewer process and sets the attributes of its own files and the TeamViewer files to “system”, “hidden”, and “read only”. It also begins intercepting calls to TeamViewer functions and to several system functions, and it kills the TeamViewer process if it detects Windows Task Manager or Process Explorer running.

Should there be TeamViewer files or components that are missing, the Trojan downloads them from the command and control (C&C) server, thus ensuring that the remote control app can operate normally.


According to the researchers, the backdoor supports a range of commands: restart or shut down the computer; relaunch or remove TeamViewer; start or stop listening through the microphone; identify the web camera and start or stop viewing through it; download a file to a temporary folder and run it; update the configuration file and the backdoor’s executable; connect to a specified remote server; and run cmd.exe with its input and output redirected to a remote server.

These commands allow cybercriminals to spy on their victims in numerous ways, as well as to steal their personal information. Furthermore, the malware can be used to install malicious programs, and Doctor Web researchers say that it has been used to distribute threats belonging to the Trojan.Keylogger and Trojan.PWS.Stealer families.

During their investigation, the security researchers observed that the Trojan’s operators switched targets at different times. According to them, in July, the Trojan was targeting users in Europe, particularly in Great Britain and Spain, but it shifted focus to the USA in August. However, numerous cases where the Trojan targeted users in Russia were also observed.

Related: Shade Ransomware Updated With Backdoor Capabilities

Related: OS X Backdoor Provides Unfettered Access to Mac Systems

Related: Fysbis Backdoor Preferred by Pawn Storm Group to Target Linux
