A recently spotted backdoor Trojan abuses the legitimate TeamViewer remote access tool to spy on victims, Doctor Web security researchers warn.
Malware that leverages the popular remote control utility for nefarious purposes isn’t unheard of, but it seems that cybercriminals are constantly searching for new ways to abuse it. Dubbed BackDoor.TeamViewerENT.1 and distributed under the name Spy-Agent, the Trojan installs legitimate TeamViewer components on the compromised machines to spy on its victims.
According to Doctor Web, the actors behind this piece of malware have been developing it since 2011, and have been regularly releasing modified versions. The security researchers also explain that the Trojan’s system management interface is called Spy-Agent, the same as the malicious program itself.
TeamViewerENT.1 is a multi-component Trojan, the same as BackDoor.TeamViewer.49, a piece of malware spotted in May this year. However, unlike the previously observed threat, the new malicious program doesn’t use TeamViewer merely for uploading a malicious library in memory, but abuses it to perform spying operations.
The malware’s main payload is placed into the avicap32.dll library, which is necessary for TeamViewer to operate. The library is stored in the same folder with the original executable, which ensures that it is loaded immediately. In this scenario, malware authors abuse a Windows function where, when a program needs a dynamic library, the system first searches for it in the folder the software was launched from, and only after that in the Windows system directory (the standard avicap32.dll library is usually stored in the system folder).
After launch, TeamViewerENT.1 performs a series of rather standard operations onto the infected computer to hide its presence: it disables error messaging for the TeamViewer process and changes the attributes of its files and the TeamViewer files to “system”, “hidden”, and “read only”. It also starts intercepting calls for TeamViewer functions and calls for several system functions, and kills the TeamViewer process if the Windows Task Manager or Process Explorer are detected.
Should there be TeamViewer files or components that are missing, the Trojan downloads them from the command and control (C&C) server, thus ensuring that the remote control app can operate normally.
The backdoor includes support for various commands, such as restart or turn off the computer, relaunch or remove TeamViewer, start/stop listening through the microphone, identify the web camera, start/stop viewing via the web camera, download and save a file to a temporary folder and run it, and update a configuration file and the backdoor’s executable file, as well as connect to the specified remote server, run cmd.exe and execute input/output redirection to a remote server, researchers say.
These commands allow cybercriminals to spy on their victims in numerous ways, as well as to steal their personal information. Furthermore, the malware can be used to install malicious programs, and Doctor Web researchers say that it has been used to distribute threats belonging to the Trojan.Keylogger and Trojan.PWS.Stealer families.
During their investigation, the security researchers observed that the Trojan’s operators switched targets at different times. According to them, in July, the Trojan was targeting users in Europe, particularly in Great Britain and Spain, but it shifted focus to the USA in August. However, numerous cases where the Trojan targeted users in Russia were also observed.
Related: Shade Ransomware Updated With Backdoor Capabilities
Related: OS X Backdoor Provides Unfettered Access to Mac Systems
Related: Fysbis Backdoor Preferred by Pawn Storm Group to Target Linux