A trojanized version of TeamViewer has been used in targeted attacks against governmental and financial institutions.
The application has been maliciously modified to steal financial information from targets in Europe and worldwide. Among the targeted countries are Nepal, Kenya, Liberia, Lebanon, Guyana, and Bermuda.
More about the TeamViewer-based attacks
By analyzing the entire infection chain and attack infrastructure, Check Point researchers were able to “track previous operations that share many characteristics with this attack’s inner workings”. The experts also identified an online avatar of a Russian-speaking hacker who appears to be in charge of the tools developed and used in this attack involving the trojanized TeamViewer.
The infection chain is initiated by a phishing email carrying a malicious attachment disguised as a top secret document from the United States. The email uses the lure subject line “Military Financing Program” and contains an .XLSM document bearing the logo of the US Department of State.
However, a well-trained eye will immediately notice that something is wrong with the carefully crafted document. As explained by the researchers, the criminals “seem to have overlooked some Cyrillic artifacts (such as the Workbook name) that were left in the document, and could potentially reveal more information about the source of this attack”.
In technical terms, the attack requires macros to be enabled. Once they are, the macro extracts the following files from hex-encoded cells within the XLSM document:
– A legitimate AutoHotkeyU32.exe program.
– AutoHotkeyU32.ahk: an AHK script that sends a POST request to the C&C server and can receive URLs of additional AHK scripts to download and execute.
The next stage consists of three AHK scripts:
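The two checks an analyst would want to run on a lure like this, as an added example (not code from the article or from Check Point): open the .XLSM as the ZIP container it is, report sheet names that contain Cyrillic characters (the kind of artifact the researchers noted), and pull hex-encoded blobs out of string cells, flagging those that decode to something starting with the “MZ” header of a Windows executable. The demo workbook built at the bottom, its sheet name and its cell contents are constructed for illustration and are not taken from the real sample.

```python
# Added example: triage of an .XLSM lure for Cyrillic sheet names and
# hex-encoded payload cells. Not code from the article or from Check Point;
# the demo workbook, its sheet name and its cell contents are constructed.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

M = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": M}
HEX_RE = re.compile(r"^[0-9A-Fa-f]{32,}$")     # 16+ bytes of hex and nothing else
CYRILLIC_RE = re.compile(r"[\u0400-\u04FF]")   # Unicode Cyrillic block


def sheet_names(zf):
    root = ET.fromstring(zf.read("xl/workbook.xml"))
    return [s.get("name") for s in root.findall(".//m:sheet", NS)]


def cyrillic_sheet_names(zf):
    """Sheet names containing Cyrillic characters, the artifact the researchers noted."""
    return [n for n in sheet_names(zf) if CYRILLIC_RE.search(n)]


def shared_strings(zf):
    if "xl/sharedStrings.xml" not in zf.namelist():
        return []
    root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    return ["".join(t.text or "" for t in si.iter(f"{{{M}}}t"))
            for si in root.findall("m:si", NS)]


def cell_strings(zf):
    """Yield (sheet part, cell ref, text) for every string-valued cell in the workbook."""
    sst = shared_strings(zf)
    for part in zf.namelist():
        if not (part.startswith("xl/worksheets/sheet") and part.endswith(".xml")):
            continue
        root = ET.fromstring(zf.read(part))
        for c in root.iter(f"{{{M}}}c"):
            kind, v = c.get("t"), c.find("m:v", NS)
            if kind == "s" and v is not None and v.text is not None:
                yield part, c.get("r"), sst[int(v.text)]      # shared-string reference
            elif kind == "inlineStr":
                yield part, c.get("r"), "".join(t.text or "" for t in c.iter(f"{{{M}}}t"))
            elif kind == "str" and v is not None and v.text:
                yield part, c.get("r"), v.text                # formula string result


def hex_payload_cells(zf):
    """(sheet part, cell ref, decoded bytes, looks_like_pe) for cells holding hex blobs."""
    hits = []
    for part, ref, text in cell_strings(zf):
        text = text.strip()
        if HEX_RE.match(text) and len(text) % 2 == 0:
            blob = bytes.fromhex(text)
            hits.append((part, ref, blob, blob.startswith(b"MZ")))
    return hits


def triage(xlsm_bytes):
    """Summarise both indicators for a workbook given as bytes."""
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as zf:
        return {
            "cyrillic_sheets": cyrillic_sheet_names(zf),
            "payload_cells": [(p, r, len(b), pe) for p, r, b, pe in hex_payload_cells(zf)],
        }


def build_demo_xlsm():
    """Constructed stand-in for the lure (an assumption, not the real sample): one sheet
    with a Cyrillic name and a cell holding a hex-encoded stub that starts with MZ."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 20   # not a real PE
    workbook = (f'<workbook xmlns="{M}"><sheets>'
                '<sheet name="Лист1" sheetId="1"/></sheets></workbook>')
    sheet = (f'<worksheet xmlns="{M}"><sheetData><row r="1">'
             '<c r="A1" t="inlineStr"><is><t>Military Financing Program</t></is></c>'
             f'<c r="B1" t="inlineStr"><is><t>{fake_pe.hex()}</t></is></c>'
             '</row></sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_demo_xlsm()))
```

Run against a real sample, the script reads the workbook without opening it in Excel, so no macro executes; the decoded blobs can then be hashed or written to disk for further analysis. Note that the hex match is deliberately strict (whole cell, even length) to avoid false hits on ordinary cell text.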
– hscreen.ahk: Takes a screenshot of the victim’s PC and uploads it to the C&C server.
– hinfo.ahk: Sends the victim’s username and computer information to the C&C server.
– htv.ahk: Downloads a malicious version of TeamViewer, executes it and sends the login credentials to the C&C server.
The malicious variant of the otherwise legitimate application is executed via DLL side-loading and contains modified functionality, including the ability to hide the TeamViewer interface so that targeted users are unaware the software is running. It can also save TeamViewer session credentials to a text file and transfer and execute additional .EXE and .DLL files.
What does this mean? The targeted system is exposed to data theft, surveillance, and compromise of online accounts. However, given the nature of the targets (mostly financial organizations), the attackers appear to be interested primarily in financial data rather than political intelligence.
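A detection for the side-loading step, as an added example that is not code from the article or from Check Point: a rule over constructed Sysmon Event ID 7 (Image loaded) records that flags a DLL loaded into TeamViewer.exe when the DLL is unsigned, carries an invalid signature, or is signed by a publisher other than TeamViewer or Microsoft, and additionally notes when TeamViewer.exe itself runs from outside its install directory. Because a side-loaded DLL sits next to the legitimate binary, “DLL in a different directory than the EXE” is not a usable signal here, so the rule relies on signature metadata. The install paths, accepted publisher strings, DLL name and sample events are assumptions made for the demo.

```python
# Added example: side-loading detection over Sysmon Event ID 7 (Image loaded)
# records. Not the article's or Check Point's code; paths, publisher strings,
# the DLL name and the sample events are constructed assumptions.
import ntpath

ALLOWED_SIGNERS = ("teamviewer", "microsoft")          # assumption: accepted publishers
TRUSTED_ROOTS = (r"c:\program files\teamviewer",        # assumption: legitimate install dirs
                 r"c:\program files (x86)\teamviewer")


def load_reasons(evt):
    """Return the reasons an image-load by TeamViewer.exe looks like side-loading
    (empty list when the event is clean or not about TeamViewer.exe loading a DLL)."""
    proc, dll = evt["Image"], evt["ImageLoaded"]
    if ntpath.basename(proc).lower() != "teamviewer.exe" or not dll.lower().endswith(".dll"):
        return []
    reasons = []
    if not ntpath.dirname(proc).lower().startswith(TRUSTED_ROOTS):
        reasons.append("TeamViewer.exe running outside its install directory")
    if evt.get("Signed") != "true" or evt.get("SignatureStatus") != "Valid":
        reasons.append("loaded DLL is unsigned or its signature is invalid")
    elif not any(s in evt.get("Signature", "").lower() for s in ALLOWED_SIGNERS):
        reasons.append("loaded DLL is signed by an unexpected publisher")
    return reasons


def scan(events):
    """(ImageLoaded, reasons) for every event that triggers at least one reason."""
    hits = []
    for evt in events:
        reasons = load_reasons(evt)
        if reasons:
            hits.append((evt["ImageLoaded"], reasons))
    return hits


# Constructed records shaped like Sysmon Event ID 7 fields; paths and names are assumptions.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "ImageLoaded": r"C:\Program Files\TeamViewer\TV.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "TeamViewer GmbH"},
    {"Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\tv\TeamViewer.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\tv\TV.dll",   # dropped beside the real EXE
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "-"},
]

if __name__ == "__main__":
    for dll, reasons in scan(SAMPLE_EVENTS):
        print(dll, "->", "; ".join(reasons))
```

The first two records show why a publisher allowlist is needed rather than a single expected signer: a legitimate TeamViewer.exe loads Microsoft-signed system DLLs constantly, and flagging those would bury the real hit. The third record, the legitimate executable dropped to a temp directory next to an unsigned DLL of the same name it would normally load, is the one that fires.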