Backdoor Abuses TeamViewer to Spy on Victims

A recently spotted backdoor Trojan abuses the legitimate TeamViewer remote access tool to spy on victims, Doctor Web security researchers warn.

Malware that leverages the popular remote control utility for nefarious purposes isn’t unheard of, but it seems that cybercriminals are constantly searching for new ways to abuse it. Dubbed BackDoor.TeamViewerENT.1 and distributed under the name Spy-Agent, the Trojan installs legitimate TeamViewer components on the compromised machines to spy on its victims.

According to Doctor Web, the actors behind this piece of malware have been developing it since 2011, and have been regularly releasing modified versions. The security researchers also explain that the Trojan’s system management interface is called Spy-Agent, the same as the malicious program itself.

TeamViewerENT.1 is a multi-component Trojan, the same as BackDoor.TeamViewer.49, a piece of malware spotted in May this year. However, unlike the previously observed threat, the new malicious program doesn’t use TeamViewer merely for uploading a malicious library in memory, but abuses it to perform spying operations.

The malware’s main payload is placed in the avicap32.dll library, which TeamViewer needs in order to operate. The library is stored in the same folder as the original executable, which ensures that it is loaded immediately. Here the malware authors abuse the Windows library search order: when a program needs a dynamic library, the system first searches for it in the folder the software was launched from, and only after that in the Windows system directory (the standard avicap32.dll library is usually stored in the system folder).

After launch, TeamViewerENT.1 performs a series of fairly standard operations on the infected computer to hide its presence: it disables error messaging for the TeamViewer process and changes the attributes of its files and the TeamViewer files to “system”, “hidden”, and “read only”. It also starts intercepting calls to TeamViewer functions and to several system functions, and kills the TeamViewer process if the Windows Task Manager or Process Explorer is detected.
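
A defender-side check for the two behaviours described above (a system-named DLL placed beside the executable, and files marked system, hidden and read-only), as an added example that is not from Doctor Web or the original article. It takes a file inventory of (path, attribute bits) pairs and flags DLLs outside the system directories that shadow a system DLL name; the inventory, folder paths and function name are constructed for illustration.

```python
from ntpath import basename, dirname, normcase

# Win32 file attribute bits: read-only, hidden, system.
READONLY, HIDDEN, SYSTEM = 0x1, 0x2, 0x4
CLOAK = READONLY | HIDDEN | SYSTEM
SYSTEM_DIRS = {normcase(r"C:\Windows\System32"), normcase(r"C:\Windows\SysWOW64")}

def find_shadowed_dlls(inventory):
    """Flag DLLs that sit beside an executable and reuse a system DLL's name.

    inventory: iterable of (path, attribute_bits) collected from a host.
    """
    records = [(normcase(path), attrs, path) for path, attrs in inventory]
    system_names = {basename(n) for n, _, _ in records
                    if n.endswith(".dll") and dirname(n) in SYSTEM_DIRS}
    exe_dirs = {dirname(n) for n, _, _ in records if n.endswith(".exe")}
    findings = []
    for norm, attrs, original in records:
        folder = dirname(norm)
        if (norm.endswith(".dll") and folder not in SYSTEM_DIRS
                and folder in exe_dirs and basename(norm) in system_names):
            # All three attributes together match the hiding step in the article.
            cloaked = (attrs & CLOAK) == CLOAK
            findings.append({"path": original, "cloaked": cloaked,
                             "severity": "high" if cloaked else "review"})
    return findings

# Constructed sample inventory (paths are illustrative, not from the report).
SAMPLE = [
    (r"C:\Windows\System32\avicap32.dll", 0x20),
    (r"C:\Windows\System32\version.dll", 0x20),
    (r"C:\Users\alice\AppData\Roaming\tv\TeamViewer.exe", 0x7),
    (r"C:\Users\alice\AppData\Roaming\tv\avicap32.dll", 0x7),
    (r"C:\Program Files\ExampleApp\app.exe", 0x20),
    (r"C:\Program Files\ExampleApp\version.dll", 0x20),
    (r"C:\Program Files\ExampleApp\helper.dll", 0x20),
]

if __name__ == "__main__":
    for finding in find_shadowed_dlls(SAMPLE):
        print(finding["severity"], finding["path"])
```

A "review" finding is not proof of compromise, since some applications legitimately ship their own copy of a DLL; signature and hash checks on the flagged file settle it.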

Should there be TeamViewer files or components that are missing, the Trojan downloads them from the command and control (C&C) server, thus ensuring that the remote control app can operate normally.

The backdoor supports a range of commands, researchers say: restart or turn off the computer; relaunch or remove TeamViewer; start or stop listening through the microphone; identify the web camera; start or stop viewing via the web camera; download a file, save it to a temporary folder and run it; update a configuration file and the backdoor’s executable file; and connect to the specified remote server, run cmd.exe and redirect its input/output to a remote server.

These commands allow cybercriminals to spy on their victims in numerous ways, as well as to steal their personal information. Furthermore, the malware can be used to install malicious programs, and Doctor Web researchers say that it has been used to distribute threats belonging to the Trojan.Keylogger and Trojan.PWS.Stealer families.

During their investigation, the security researchers observed that the Trojan’s operators switched targets at different times. According to them, in July, the Trojan was targeting users in Europe, particularly in Great Britain and Spain, but it shifted focus to the USA in August. However, numerous cases where the Trojan targeted users in Russia were also observed.
