Mitigating TeamSpy Cyber-espionage Attacks

A decade is a long time to escape detection, but that is roughly how long the TeamSpy attack may have gone on unseen.

For years, the TeamSpy Crew – so named for their abuse of the TeamViewer tool to remotely control computers – targeted high-level political and human rights activists throughout Eastern Europe and the Commonwealth of Independent States (CIS). After compromising a system, the attackers moved to steal a variety of information ranging from documents to detailed BIOS information. However, the success of the attack can be mitigated by taking several steps.

“The exploit set used in the watering holes delivered with the Eleonore exploit kit were not zero-days, so patching could have prevented many of these successful intrusions,” said Kurt Baumgartner, senior security researcher at Kaspersky Lab.

In particular, the crew used two old vulnerabilities – CVE-2010-0188 (Adobe Reader and Acrobat) and CVE-2012-0507 (Oracle Java). Both these vulnerabilities have been patched by the products’ respective vendors.

As part of their scheme, the TeamSpy crew relied on watering hole attacks and exploit kits targeting the vulnerabilities to infect users.

“Our investigation of the team’s infrastructure centers around two domains used for command-and-control: ‘’ and ‘’,” according to an analysis of the attack by Kaspersky Lab. “But clearly, the strategy guiding this team is to pull off multiple ‘watering hole’ attacks, and sometimes pollute ad networks, inefficiently blanketing the region they are most interested in with malvertizing and redirections to their malicious sites. These two servers have been heavily used over years of attack campaigns, with more recent servers receiving tens if not hundreds of hits in the past week.”

Another potential safeguard against the attack is to block access to known command-and-control domains and IP addresses, which can be found in both the Kaspersky Lab paper and a paper (PDF) by the CrySyS Lab at Budapest University of Technology and Economics. According to researchers, an examination of the command-and-control infrastructure shows that at least one of the domain names was registered back in 2004.

Organizations should also identify and investigate any machines on which the teamviewer.exe application is present, advised Satnam Narang, security response manager at Symantec.

“Since Teamviewer is normally used in a wide range of conditions, it is not normally detected by security software with default settings,” Kaspersky’s researchers noted in their analysis. “In addition, the modules are validated with digital signatures, once again, making them “trustworthy” to a range of whitelisting software.”

“The complexity of the operation is fair because it was sustained and pretty well coordinated – the watering holes and their content took time to create and connect with interesting compromises over the course of years of operation,” said Baumgartner. “Also, there are aspects of the operation similar to Red October, although there are no direct links at the moment. Compared to Red October on a technical level, the TeamSpy crew and their toolset is far less complex and far less professionally done.”

“[TeamSpy] uses a tampered Windows DLL, containing various utilities in conjunction with TeamViewer functionality, to spy on the hacker’s targets,” Annett Wawczyniak, a technical support manager from TeamViewer GmbH, told SecurityWeek. “The infection does not happen through TeamViewer but by unsecure sources like, e.g. email attachments, downloads or vulnerabilities in other software.”

“The malware misuses a number of utilities via their tampered Windows DLL to collect Windows system information and code that communicates to webservers of an attacker and takes commands from it,” Wawczyniak added. “This way the toolkit modifies and misuses TeamViewer functionality.”

“An indication of this infection is a file named avicap32.dll that is located outside the Windows system directory. To prevent an infection we recommend antivirus software with most recent definitions as well as current system updates,” Wawczyniak said.
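The three defensive checks the article describes – hunting for avicap32.dll outside the Windows system directory, flagging hosts that carry teamviewer.exe for review, and matching DNS activity against a blocklist of command-and-control domains – can be scripted as a small triage pass over host and log data. The following Python is an added example written for this page, not code from SecurityWeek, Kaspersky Lab, CrySyS Lab or TeamViewer GmbH. The file inventory and DNS log lines are constructed, the log format is an assumption, and the blocklist entries are placeholders: the real TeamSpy domains and IP addresses come from the Kaspersky and CrySyS reports, not from this script.

```python
import re
from pathlib import PureWindowsPath

# Directories where a legitimate avicap32.dll lives. Assumption: a default
# Windows install with SystemRoot at C:\Windows; adjust for other layouts.
SYSTEM_DIRS = {
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
}

# Placeholder blocklist (constructed). Populate from the published
# indicators in the Kaspersky Lab and CrySyS Lab reports.
C2_BLOCKLIST = {"c2-placeholder-1.example", "c2-placeholder-2.example"}

# Constructed host file inventory, e.g. output of an endpoint file listing.
SAMPLE_INVENTORY = [
    r"C:\Windows\System32\avicap32.dll",                       # legitimate location
    r"C:\Windows\SysWOW64\avicap32.dll",                       # legitimate location
    r"C:\Users\alice\AppData\Roaming\update\avicap32.dll",     # indicator from the article
    r"C:\Users\alice\AppData\Roaming\update\teamviewer.exe",   # review per Symantec advice
    r"C:\Program Files\TeamViewer\TeamViewer.exe",             # also review: is it sanctioned?
]

# Constructed DNS resolver log lines: "<timestamp> <host> query: <qname> <type>".
SAMPLE_DNS_LOG = [
    "2013-03-20T10:15:02Z ws-07 query: c2-placeholder-1.example A",
    "2013-03-20T10:15:09Z ws-03 query: www.example.com A",
    "2013-03-20T10:16:44Z ws-12 query: sub.c2-placeholder-2.example. A",
    "this line does not parse and is skipped",
]

DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+query:\s+(?P<qname>\S+)")


def triage_files(paths):
    """Return (path, reason) findings from a Windows file inventory.

    avicap32.dll is flagged only when it sits outside the system directories;
    teamviewer.exe is always flagged so the host can be checked for a
    sanctioned install.
    """
    findings = []
    for p in paths:
        wp = PureWindowsPath(p)          # case-insensitive comparisons, like NTFS
        name = wp.name.lower()
        if name == "avicap32.dll" and wp.parent not in SYSTEM_DIRS:
            findings.append((p, "avicap32.dll outside Windows system directory"))
        elif name == "teamviewer.exe":
            findings.append((p, "teamviewer.exe present; confirm it is sanctioned"))
    return findings


def match_dns(log_lines, blocklist=C2_BLOCKLIST):
    """Return (host, qname) pairs whose query hits a blocklisted domain.

    Subdomains of a blocklisted domain match too, and a trailing dot on the
    query name (FQDN form) is ignored.
    """
    hits = []
    for line in log_lines:
        m = DNS_LINE.match(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if any(qname == d or qname.endswith("." + d) for d in blocklist):
            hits.append((m.group("host"), qname))
    return hits


if __name__ == "__main__":
    for path, reason in triage_files(SAMPLE_INVENTORY):
        print(f"FILE  {reason}: {path}")
    for host, qname in match_dns(SAMPLE_DNS_LOG):
        print(f"DNS   {host} resolved blocklisted name {qname}")
```

Both functions return their findings rather than only printing them, so the same logic can be fed from a real endpoint inventory export or resolver log and its output routed to a ticketing or SIEM pipeline; the blocklist match on subdomains is deliberate, since command-and-control hosts are often addressed by names beneath a registered domain.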

Additional reporting by Mike Lennon
