A decade is a long time to escape detection, but that is roughly how long the TeamSpy attack may have gone on unseen.
For years, the TeamSpy Crew – so-named because of their abuse of the TeamViewer tool to remotely control computers – targeted high-level political and human rights activists throughout Eastern Europe and the Commonwealth of Independent States (CIS). After compromising a system, the attackers moved to steal a variety of information, ranging from documents to detailed BIOS information. However, the risk of a successful attack can be reduced by taking several steps.
“The exploit set used in the watering holes delivered with the Eleonore exploit kit were not zero-days, so patching could have prevented many of these successful intrusions,” said Kurt Baumgartner, senior security researcher at Kaspersky Lab.
In particular, the crew used two old vulnerabilities – CVE-2010-0188 (Adobe Reader and Acrobat) and CVE-2012-0507 (Oracle Java). Both these vulnerabilities have been patched by the products’ respective vendors.
As part of their scheme, the TeamSpy crew relied on watering hole attacks and exploit kits targeting the vulnerabilities to infect users.
“Our investigation of the team’s infrastructure centers around two domains used for command-and-control: ‘politnews.org’ and ‘bannetwork.org’,” according to an analysis of the attack by Kaspersky Lab. “But clearly, the strategy guiding this team is to pull off multiple ‘watering hole’ attacks, and sometimes pollute ad networks, inefficiently blanketing the region they are most interested in with malvertizing and redirections to their malicious sites. These two servers have been heavily used over years of attack campaigns, with more recent servers receiving tens if not hundreds of hits in the past week.”
Another potential safeguard against the attack is to block access to known command-and-control domains and IP addresses, which can be found in both the Kaspersky Lab paper and a paper (PDF) by the CrySyS Lab at Budapest University of Technology and Economics. According to researchers, an examination of the command-and-control infrastructure shows that at least one of the domain names was registered back in 2004.
Organizations should also identify and investigate any machines on which the teamviewer.exe application is present, advised Satnam Narang, security response manager at Symantec.
“Since Teamviewer is normally used in a wide range of conditions, it is not normally detected by security software with default settings,” Kaspersky’s researchers noted in their analysis. “In addition, the modules are validated with digital signatures, once again, making them “trustworthy” to a range of whitelisting software.”
“The complexity of the operation is fair because it was sustained and pretty well coordinated – the watering holes and their content took time to create and connect with interesting compromises over the course of years of operation,” said Baumgartner. “Also, there are aspects of the operation similar to Red October, although there are no direct links at the moment. Compared to Red October on a technical level, the TeamSpy crew and their toolset is far less complex and far less professionally done.”
“[TeamSpy] uses a tampered Windows DLL, containing various utilities in conjunction with TeamViewer functionality, to spy on the hacker’s targets,” Annett Wawczyniak, a technical support manager from TeamViewer GmbH, told SecurityWeek. “The infection does not happen through TeamViewer but by unsecure sources like, e.g. email attachments, downloads or vulnerabilities in other software.”
“The malware misuses a number of utilities via their tampered Windows DLL to collect Windows system information and code that communicates to webservers of an attacker and takes commands from it,” Wawczyniak added. “This way the toolkit modifies and misuses TeamViewer functionality.”
“An indication of this infection is a file named avicap32.dll that is located outside the Windows system directory. To prevent an infection we recommend antivirus software with most recent definitions as well as current system updates,” Wawczyniak said.
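The three defensive checks mentioned in this article (blocking the named command-and-control domains, reviewing hosts where teamviewer.exe is present, and looking for avicap32.dll outside the Windows system directory) can be turned into a small triage script. The code below is an added example written for this page, not tooling from Kaspersky Lab, CrySyS Lab, TeamViewer GmbH or SecurityWeek; it assumes a default C:\Windows system root and a DNS log format of "query: <name>", and its sample inventory and log lines are constructed.

```python
"""Triage helpers for the TeamSpy indicators quoted in the article above."""
import ntpath
import re
from typing import Iterable, List, Optional

# The two C2 domains named in the Kaspersky Lab analysis quoted above.
C2_DOMAINS = {"politnews.org", "bannetwork.org"}

# Where a legitimate avicap32.dll lives (assumed default SystemRoot).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def classify_file(path: str) -> Optional[str]:
    """Return a finding for one file path, or None if it is uninteresting.

    avicap32.dll outside the system directory is the indicator TeamViewer
    GmbH describes; teamviewer.exe anywhere is flagged for review only,
    since the tool itself is legitimate and widely deployed.
    """
    norm = ntpath.normpath(path).lower()          # Windows paths, case-insensitive
    name, parent = ntpath.basename(norm), ntpath.dirname(norm)
    if name == "avicap32.dll" and parent not in SYSTEM_DIRS:
        return f"SUSPICIOUS: avicap32.dll outside system dir: {path}"
    if name == "teamviewer.exe":
        return f"REVIEW: TeamViewer present: {path}"
    return None


def c2_domain_hits(dns_lines: Iterable[str]) -> List[str]:
    """Return queried names equal to, or a subdomain of, a known C2 domain."""
    hits = []
    for line in dns_lines:
        m = re.search(r"\bquery:\s*(\S+)", line)
        if not m:
            continue
        qname = m.group(1).rstrip(".").lower()   # strip trailing dot of FQDNs
        if any(qname == d or qname.endswith("." + d) for d in C2_DOMAINS):
            hits.append(qname)
    return hits


# Constructed sample data so the script runs stand-alone.
SAMPLE_FILES = [
    r"C:\Windows\System32\avicap32.dll",            # legitimate location
    r"C:\Users\alice\AppData\Roaming\avicap32.dll",  # the indicator
    r"C:\Program Files\TeamViewer\TeamViewer.exe",   # review, not verdict
]
SAMPLE_DNS = [
    "client 10.0.0.7 query: www.example.org IN A",
    "client 10.0.0.7 query: update.politnews.org. IN A",
]

if __name__ == "__main__":
    for finding in filter(None, map(classify_file, SAMPLE_FILES)):
        print(finding)
    print("C2 lookups:", c2_domain_hits(SAMPLE_DNS))
```

Feed it a real file inventory (for example from an EDR or a `dir /s` export) and resolver logs in place of the constructed samples; a "REVIEW" result on teamviewer.exe only means the host needs a look, not that it is compromised.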
Additional reporting by Mike Lennon