Government Officials Targeted With Trojanized TeamViewer

Recently observed attacks targeting officials within government finance authorities and representatives in several embassies in Europe abuse the legitimate TeamViewer application to gain full control of victim machines.

The attack starts with a malicious XLSM document containing macros, delivered as an email attachment and masquerading as a top secret U.S. document. The document features the logo of the U.S. Department of State and is marked as Top Secret.

Once enabled, the macro extracts a legitimate AutoHotkeyU32.exe program and an AHK script that can send a request to the command and control (C&C) server and receive additional script URLs to download and execute, Check Point’s security researchers discovered.

Three AHK scripts can be downloaded as the next stage of the attack, one to take a screenshot and send it to the C&C, another to send the victim’s username and computer information, and a third to download a malicious version of TeamViewer, run it, and send the login credentials to the C&C.

A malicious DLL is side-loaded to add more functionality to TeamViewer, such as hiding the application’s interface from the user, saving the current TeamViewer session credentials to a text file, and allowing the transfer and execution of additional EXE or DLL files.
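The chain described above (Office macro spawning AutoHotkey, TeamViewer launched from a user-writable directory, and an unsigned DLL side-loaded from that same directory) can be expressed as three process-creation and image-load checks. The following is an added detection example, not code from the article or from Check Point; the events are constructed Sysmon-style records with simplified field names, and the DLL name is a placeholder, not the one used in the campaign.

```python
import ntpath

# Constructed sample telemetry (EventID 1 = process create, 7 = image load).
# Paths, user name and DLL name are placeholders, not indicators from the campaign.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\AutoHotkeyU32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\TeamViewer.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\AutoHotkeyU32.exe"},
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Local\Temp\TeamViewer.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\example_sideload.dll",
     "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "ImageLoaded": r"C:\Windows\System32\example_sideload.dll", "Signed": "true"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")


def _base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def _user_writable(path):
    """Crude check for a user-writable location (good enough for the demo)."""
    low = path.lower()
    return any(tag in low for tag in USER_WRITABLE)


def detect(events):
    """Return (rule, path) hits for the three stages of the described chain."""
    hits = []
    for ev in events:
        img = ev.get("Image", "")
        if ev["EventID"] == 1:
            parent = _base(ev.get("ParentImage", ""))
            # Stage 1: an Office application launching an AutoHotkey interpreter.
            if parent in OFFICE_APPS and _base(img).startswith("autohotkey"):
                hits.append(("office_spawns_autohotkey", img))
            # Stage 2: TeamViewer started from a user-writable directory.
            if _base(img) == "teamviewer.exe" and _user_writable(img):
                hits.append(("teamviewer_from_user_dir", img))
        elif ev["EventID"] == 7 and _base(img) == "teamviewer.exe":
            # Stage 3: TeamViewer loading an unsigned DLL from its own directory.
            dll = ev.get("ImageLoaded", "")
            same_dir = ntpath.dirname(dll).lower() == ntpath.dirname(img).lower()
            if same_dir and _user_writable(dll) and ev.get("Signed") != "true":
                hits.append(("teamviewer_sideload_unsigned_dll", dll))
    return hits
```

The legitimate TeamViewer install under Program Files loading a system DLL produces no hit, which is the false-positive case the same-directory and signature checks are there to avoid.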

Because the attackers left the directory with the screenshots exposed, the researchers managed to identify some of the victims. These include government officials in Nepal, Guyana, Kenya, Italy, Liberia, Bermuda, and Lebanon.

“It is hard to tell if there are geopolitical motives behind this campaign by looking solely at the list of countries it was targeting, since it was not after a specific region and the victims came from different places in the world,” Check Point notes.

The threat actor has been observed leveraging a trojanized version of TeamViewer in previous attacks as well, but the features of the malicious DLL have changed and the first stage of the attack has evolved over time, the researchers say.


The initial DLL variant featured capabilities such as remote control via TeamViewer, sending and executing files, sending basic system information, self-deletion, and use of a config.bin configuration file.

The second variant introduced a new C&C command system, could display a partial list of commands via the internal help command, could return a list of online services from a predefined list, and had an embedded configuration instead of a configuration file.

The third variant, which was observed in the most recent attacks, removed the command system, added a DLL execution feature, and relies on external AutoHotKey scripts for information gathering and TeamViewer credential exfiltration.

The attacks, Check Point says, appear to be the work of a Russian-speaking actor whom they were able to identify as the `CyberForum[.]ru` user going by the name “EvaPiks”. On underground forums, the user would suggest, or be advised to use, some of the techniques observed in the analyzed campaigns.

While the attacks appear to be well thought-out and highly targeted, some aspects were carried out with less caution, allowing the security researchers to discover the personal information and online history of the perpetrator, who appears financially motivated, given their presence on underground carding forums.

“The malicious DLL allows the attacker to send additional payloads to a compromised machine and remotely run them. Since we were not able to find such a payload and know what other functionalities it introduces besides the ones provided in the DLL, the real intentions of the latest attack remain unclear,” Check Point concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.