Recently observed attacks targeting officials within government finance authorities and representatives in several embassies in Europe abuse the legitimate TeamViewer application to gain full control of victim machines.
The attack starts with an XLSM document carrying malicious macros, delivered as an email attachment and masquerading as a top-secret U.S. document. The document features the logo of the U.S. Department of State and is marked as Top Secret.
Once enabled, the macro extracts a legitimate AutoHotkeyU32.exe program and an AHK script that can send a request to the command and control (C&C) server and receive additional script URLs to download and execute, Check Point’s security researchers discovered.
Three AHK scripts can be downloaded as the next stage of the attack, one to take a screenshot and send it to the C&C, another to send the victim’s username and computer information, and a third to download a malicious version of TeamViewer, run it, and send the login credentials to the C&C.
A malicious DLL is side-loaded to add more functionality to TeamViewer, such as hiding the application’s interface from the user, saving the current TeamViewer session credentials to a text file, and allowing the transfer and execution of additional EXE or DLL files.
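The chain described above leaves behaviours a defender can look for in endpoint telemetry: an Office process spawning the AutoHotkey interpreter, TeamViewer running from a user-writable directory rather than its install path, and TeamViewer loading a DLL from outside its own directory. The Python below is an added example, not code from the article or from Check Point's write-up: it runs those three heuristics over a handful of constructed process-creation and image-load records shaped roughly like Sysmon events 1 and 7. The field names, file paths, user name and the DLL name `example_sideloaded.dll` are all constructed for illustration; the page does not name the side-loaded DLL.

```python
import ntpath  # Windows-style path handling so the example runs on any OS

# Office processes that should not normally launch a scripting interpreter.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Directories TeamViewer is expected to load its DLLs from (assumed defaults).
TRUSTED_DLL_DIRS = (
    "c:\\windows\\",
    "c:\\program files\\teamviewer\\",
    "c:\\program files (x86)\\teamviewer\\",
)

# Path fragments that indicate a user-writable location.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def check_event(ev: dict) -> list[str]:
    """Return a list of alert strings for one telemetry record."""
    alerts = []
    if ev["type"] == "process_create":
        parent, image = base(ev["parent"]), base(ev["image"])
        # Heuristic 1: macro-launched AutoHotkey (AutoHotkeyU32.exe in the article).
        if parent in OFFICE_PARENTS and image.startswith("autohotkey"):
            alerts.append(f"office-spawned-autohotkey: {parent} -> {ev['image']}")
        # Heuristic 2: a downloaded TeamViewer copy executing from a user path.
        if image == "teamviewer.exe" and is_user_writable(ev["image"]):
            alerts.append(f"teamviewer-from-user-path: {ev['image']}")
    elif ev["type"] == "image_load":
        proc, dll = base(ev["process"]), ev["image"].lower()
        # Heuristic 3: TeamViewer loading an unsigned DLL or one outside trusted dirs.
        if proc == "teamviewer.exe" and (
            not ev.get("signed", False) or not dll.startswith(TRUSTED_DLL_DIRS)
        ):
            alerts.append(f"teamviewer-dll-sideload: {ev['process']} loaded {ev['image']}")
    return alerts


def scan(events: list[dict]) -> list[str]:
    found = []
    for ev in events:
        found.extend(check_event(ev))
    return found


# Constructed sample telemetry (not real logs from the campaign).
SAMPLE_EVENTS = [
    {"type": "process_create", "parent": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\AutoHotkeyU32.exe",
     "cmdline": "AutoHotkeyU32.exe stage1.ahk"},
    {"type": "process_create", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "cmdline": "TeamViewer.exe"},
    {"type": "process_create", "parent": "C:\\Users\\alice\\AppData\\Local\\Temp\\AutoHotkeyU32.exe",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\TeamViewer.exe", "cmdline": "TeamViewer.exe"},
    {"type": "image_load", "process": "C:\\Users\\alice\\AppData\\Local\\Temp\\TeamViewer.exe",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\example_sideloaded.dll", "signed": False},
    {"type": "image_load", "process": "C:\\Program Files\\TeamViewer\\TeamViewer.exe",
     "image": "C:\\Windows\\System32\\kernel32.dll", "signed": True},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Only the malicious three records trip a rule; the legitimate TeamViewer launch and its load of a signed system DLL pass silently. In practice the path allow-list needs tuning to the organisation's actual install locations, and signature status should come from the telemetry source rather than be trusted from the process itself.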
Because the attackers left the directory with the screenshots exposed, the researchers managed to identify some of the victims. These include government officials in Nepal, Guyana, Kenya, Italy, Liberia, Bermuda, and Lebanon.
“It is hard to tell if there are geopolitical motives behind this campaign by looking solely at the list of countries it was targeting, since it was not after a specific region and the victims came from different places in the world,” Check Point notes.
The threat actor has been observed leveraging a trojanized version of TeamViewer in previous attacks as well, but the features of the malicious DLL have changed and the first stage of the attack has evolved over time, the researchers say.
The initial DLL variant featured capabilities such as remote control via TeamViewer, sending and executing files, sending basic system information, self-deletion, and use of a config.bin configuration file.
The second variant introduced a new C&C command system, could display a partial list of commands via the internal help command, could return a list of online services from a predefined list, and had an embedded configuration instead of a configuration file.
The third variant, which was observed in the most recent attacks, removed the command system, added a DLL execution feature, and relies on external AutoHotKey scripts for information gathering and TeamViewer credential exfiltration.
The attacks, Check Point says, appear to be the work of a Russian-speaking actor whom the researchers identified as the `CyberForum[.]ru` user going by the name “EvaPiks”. On underground forums, the user would suggest, or be advised to use, some of the techniques observed in the analyzed campaigns.
While the attacks appear to be well thought-out and highly targeted, some aspects were carried out with less caution, allowing the security researchers to uncover the personal information and online history of the perpetrator, who appears to be financially motivated, given their presence on underground carding forums.
“The malicious DLL allows the attacker to send additional payloads to a compromised machine and remotely run them. Since we were not able to find such a payload and know what other functionalities it introduces besides the ones provided in the DLL, the real intentions of the latest attack remain unclear,” Check Point concludes.