Mitigating TeamSpy Cyber-espionage Attacks

A decade is a long time to escape detection, but that is roughly how long the TeamSpy attack may have gone on unseen.

For years, the TeamSpy Crew – so named because of their abuse of the TeamViewer tool to remotely control computers – targeted high-level political and human rights activists throughout Eastern Europe and the Commonwealth of Independent States (CIS). After compromising a system, the attackers moved to steal a variety of information, ranging from documents to detailed BIOS information. However, the success of the attack can be mitigated by taking several steps.

“The exploit set used in the watering holes delivered with the Eleonore exploit kit was not zero-days, so patching could have prevented many of these successful intrusions,” said Kurt Baumgartner, senior security researcher at Kaspersky Lab.

In particular, the crew used two old vulnerabilities – CVE-2010-0188 (Adobe Reader and Acrobat) and CVE-2012-0507 (Oracle Java). Both these vulnerabilities have been patched by the products’ respective vendors.

As part of their scheme, the TeamSpy crew relied on watering hole attacks and exploit kits targeting the vulnerabilities to infect users.

“Our investigation of the team’s infrastructure centers around two domains used for command-and-control: ‘politnews.org’ and ‘bannetwork.org’,” according to an analysis of the attack by Kaspersky Lab. “But clearly, the strategy guiding this team is to pull off multiple ‘watering hole’ attacks, and sometimes pollute ad networks, inefficiently blanketing the region they are most interested in with malvertizing and redirections to their malicious sites. These two servers have been heavily used over years of attack campaigns, with more recent servers receiving tens if not hundreds of hits in the past week.”

Another potential safeguard against the attack is to block access to known command-and-control domains and IP addresses, which can be found in both the Kaspersky Lab paper and a paper (PDF) by CrySyS Lab at Budapest University of Technology and Economics. According to researchers, an examination of the command-and-control infrastructure shows that at least one of the domain names was registered back in 2004.
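Blocking is only half of the safeguard; the other half is checking historical proxy and DNS logs for contact with the same domains. The following is an added example, not code from SecurityWeek, Kaspersky or CrySyS: it matches constructed log lines against the two command-and-control domains named in the Kaspersky analysis quoted above, treating subdomains as hits but ignoring look-alike names that merely end in the same characters. The log format and the hostnames and addresses in the sample lines are assumptions.

```python
"""Match proxy/DNS log lines against the TeamSpy C2 domains named in the article.

Added example; not from the article, Kaspersky Lab or CrySyS Lab.
"""
import re

# The two command-and-control domains quoted from the Kaspersky analysis.
TEAMSPY_C2_DOMAINS = frozenset({"politnews.org", "bannetwork.org"})

# Constructed sample lines (assumed format: timestamp host client-ip action target),
# mixing proxy requests and DNS query records. Not real data.
SAMPLE_LOG_LINES = [
    "1362900000.123 ws01 10.0.0.5 GET http://politnews.org/stat/index.php 200",
    "1362900001.456 ws02 10.0.0.6 GET http://www.example.com/ 200",
    "1362900002.789 ws03 10.0.0.7 query A update.bannetwork.org",
    "1362900003.000 ws04 10.0.0.8 GET http://notpolitnews.org/ 200",
]

# Either the host part of a URL or the name in a "query <type> <name>" record.
HOST_RE = re.compile(r"https?://([^/\s:]+)|query\s+\w+\s+(\S+)")


def extract_host(line):
    """Return the contacted hostname from a log line, lower-cased, or None."""
    match = HOST_RE.search(line)
    if not match:
        return None
    return (match.group(1) or match.group(2)).lower().rstrip(".")


def matches_c2(host, blocklist=TEAMSPY_C2_DOMAINS):
    """True if host is a blocklisted domain or a subdomain of one.

    Matching is done on label boundaries, so 'notpolitnews.org' is not a hit
    while 'update.bannetwork.org' is.
    """
    if host is None:
        return False
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_c2_hits(lines, blocklist=TEAMSPY_C2_DOMAINS):
    """Return (source host, client IP, contacted domain) for every C2 contact."""
    hits = []
    for line in lines:
        host = extract_host(line)
        if matches_c2(host, blocklist):
            fields = line.split()
            hits.append((fields[1], fields[2], host))
    return hits


if __name__ == "__main__":
    for source, client_ip, domain in find_c2_hits(SAMPLE_LOG_LINES):
        print(f"{source} ({client_ip}) contacted {domain}")
```

Any hit is a machine to pull into the host-level investigation the article describes; the blocklist itself should be extended with the full indicator lists from the two papers rather than the two domains quoted here.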

Organizations should also identify and investigate any machines with presence of the teamviewer.exe application, advised Satnam Narang, security response manager at Symantec.


“Since TeamViewer is normally used in a wide range of conditions, it is not normally detected by security software with default settings,” Kaspersky’s researchers noted in their analysis. “In addition, the modules are validated with digital signatures, once again making them ‘trustworthy’ to a range of whitelisting software.”

“The complexity of the operation is fair because it was sustained and pretty well coordinated – the watering holes and their content took time to create and connect with interesting compromises over the course of years of operation,” said Baumgartner. “Also, there are aspects of the operation similar to Red October, although there are no direct links at the moment. Compared to Red October on a technical level, the TeamSpy crew and their toolset is far less complex and far less professionally done.”

“[TeamSpy] uses a tampered Windows DLL, containing various utilities in conjunction with TeamViewer functionality, to spy on the hacker’s targets,” Annett Wawczyniak, a technical support manager from TeamViewer GmbH, told SecurityWeek. “The infection does not happen through TeamViewer but by unsecure sources like, e.g., email attachments, downloads or vulnerabilities in other software.”

“The malware misuses a number of utilities via their tampered Windows DLL to collect Windows system information and code that communicates to webservers of an attacker and takes commands from it,” Wawczyniak added. “This way the toolkit modifies and misuses TeamViewer functionality.”

“An indication of this infection is a file named avicap32.dll that is located outside the Windows system directory. To prevent an infection we recommend antivirus software with most recent definitions as well as current system updates,” Wawczyniak said.
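The two host indicators given above (teamviewer.exe present on a machine, per Symantec, and avicap32.dll sitting outside the Windows system directory, per TeamViewer) can be checked from a file inventory. The following is an added example, not code from the article or from TeamViewer, Symantec or Kaspersky: it triages a constructed inventory of (host, path) pairs, flags only an avicap32.dll whose directory is not System32 or SysWOW64, and lists every host running teamviewer.exe for review. The default system directories assume a standard C:\Windows install, and the hostnames and paths in the sample are made up.

```python
"""Flag the TeamSpy host indicators named in the article.

Added example; not from the article, TeamViewer, Symantec or Kaspersky.
On a real host the inventory would come from a filesystem walk or an EDR
file-inventory export; here it is a constructed list.
"""
import ntpath
from dataclasses import dataclass

# Directories where a legitimate avicap32.dll normally lives. Assumption: a
# default %SystemRoot% of C:\Windows; adjust for hosts with a different root.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


@dataclass
class Finding:
    host: str
    path: str
    reason: str


# Constructed inventory of (hostname, full path). Not real data.
SAMPLE_INVENTORY = [
    ("ws01", r"C:\Windows\System32\avicap32.dll"),
    ("ws01", r"C:\Windows\SysWOW64\avicap32.dll"),
    ("ws02", r"C:\Users\alice\AppData\Roaming\update\avicap32.dll"),
    ("ws02", r"C:\Users\alice\AppData\Roaming\update\teamviewer.exe"),
    ("ws03", r"C:\Program Files\TeamViewer\TeamViewer.exe"),
    ("ws04", r"C:\Windows\System32\avicap32.dll.bak"),
]


def triage(inventory, system_dirs=SYSTEM_DIRS):
    """Return a Finding for each indicator hit in the inventory."""
    findings = []
    for host, path in inventory:
        name = ntpath.basename(path).lower()
        directory = ntpath.dirname(path).lower()
        if name == "avicap32.dll" and directory not in system_dirs:
            # The tampered DLL is planted where a program other than Windows
            # will load it, so the system copies are not flagged.
            findings.append(Finding(host, path, "avicap32.dll outside Windows system directory"))
        elif name == "teamviewer.exe":
            # Presence alone is not proof of compromise; it marks the host for
            # the investigation Symantec recommends.
            findings.append(Finding(host, path, "teamviewer.exe present; confirm it is a sanctioned install"))
    return findings


def hosts_to_investigate(findings):
    """Distinct hosts with at least one finding, sorted for reporting."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding.host}: {finding.reason} ({finding.path})")
```

In the sample, ws02 shows the combination the article describes, a copy of teamviewer.exe with a rogue avicap32.dll next to it in a user profile, while ws03 surfaces only as an installed TeamViewer to be verified against the organisation's approved software list.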

Additional reporting by Mike Lennon

Written By

Marketing professional with a background in journalism and a focus on IT security.
