Trojanized TeamViewer Used in Attacks to Steal Banking Data


A trojanized version of TeamViewer has been used in targeted attacks against government and financial institutions.

The application was maliciously modified to steal financial information from targets in Europe and around the world. Among the targeted countries are Nepal, Kenya, Liberia, Lebanon, Guyana, and Bermuda.

More about the TeamViewer-based attacks

By analyzing the entire infection chain and attack infrastructure, Check Point researchers were able to “track previous operations that share many characteristics with this attack’s inner workings”. The experts also identified an online avatar of a Russian-speaking hacker who appears to be in charge of the tools developed and used in this attack involving the trojanized TeamViewer.

The infection chain begins with a phishing email that carries a malicious attachment masquerading as a top secret document from the United States. The email uses the luring subject line “Military Financing Program” and contains an .XLSM document bearing the logo of the US Department of State.

However, a well-trained eye will immediately notice that something is wrong with the carefully crafted document. As the researchers explained, the criminals “seem to have overlooked some Cyrillic artifacts (such as the Workbook name) that were left in the document, and could potentially reveal more information about the source of this attack”.

Related: BackDoor.TeamViewer.49 Installs via a Flash Update, Uses TeamViewer.

In technical terms, the attack requires macros to be enabled. Once they are, the following files are extracted from hex-encoded cells within the XLSM document:

AutoHotkeyU32.exe: a legitimate AutoHotkey interpreter.
AutoHotkeyU32.ahk: an AHK script that sends a POST request to the C&C server and can receive additional AHK script URLs to download and execute.

The AHK scripts, three in number, wait for the next stage, which involves the following:

hscreen.ahk: Takes a screenshot of the victim’s PC and uploads it to the C&C server.
hinfo.ahk: Sends the victim’s username and computer information to the C&C server.
htv.ahk: Downloads a malicious version of TeamViewer, executes it, and sends the login credentials to the C&C server.
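As an added defensive example (not code from the original article or from Check Point's research), the Python script below shows how an analyst can triage a suspicious XLSM-style workbook for the hex-encoded cell pattern described above. It opens the OOXML container as a zip, flags an embedded VBA project, collects every cell that consists only of hex digits, rebuilds the bytes in cell order and checks whether the result begins with the MZ executable header. The workbook it scans is constructed in memory with a placeholder blob, and the part names, function names and the 16-digit threshold are the example's own assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML namespace used by the worksheet and sharedStrings parts of an OOXML workbook.
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
T_TAG = f"{{{NS['m']}}}t"
C_TAG = f"{{{NS['m']}}}c"
# A cell counts as "hex-only" when it holds nothing but 16+ hex digits (threshold is an assumption).
HEX_CELL = re.compile(r"^[0-9A-Fa-f]{16,}$")


def _string_cells(archive):
    """Yield (worksheet part name, cell text) for every string cell in every worksheet."""
    shared = []
    if "xl/sharedStrings.xml" in archive.namelist():
        root = ET.fromstring(archive.read("xl/sharedStrings.xml"))
        for si in root.findall("m:si", NS):
            shared.append("".join(t.text or "" for t in si.iter(T_TAG)))
    for part in archive.namelist():
        if not (part.startswith("xl/worksheets/") and part.endswith(".xml")):
            continue
        root = ET.fromstring(archive.read(part))
        for cell in root.iter(C_TAG):
            kind = cell.get("t")
            if kind == "inlineStr":          # text stored directly in the cell
                text = "".join(t.text or "" for t in cell.iter(T_TAG))
            elif kind == "s":                # index into the shared string table
                v = cell.find("m:v", NS)
                idx = int(v.text) if v is not None and v.text else -1
                text = shared[idx] if 0 <= idx < len(shared) else ""
            else:
                continue                     # numbers, formulas and booleans are not carriers
            yield part, text.strip()


def scan_workbook(data):
    """Report, per worksheet, how many hex-only cells exist and whether their
    concatenated bytes start with the 'MZ' PE header; also flag an embedded VBA project."""
    report = {"has_vba": False, "sheets": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        report["has_vba"] = "xl/vbaProject.bin" in archive.namelist()
        for part, text in _string_cells(archive):
            if HEX_CELL.match(text):
                entry = report["sheets"].setdefault(part, {"hex_cells": 0, "hex": ""})
                entry["hex_cells"] += 1
                entry["hex"] += text     # cells are visited in row order, so this rebuilds the blob
    for entry in report["sheets"].values():
        digits = entry.pop("hex")
        blob = bytes.fromhex(digits[: len(digits) - len(digits) % 2])  # tolerate an odd stray digit
        entry["decoded_bytes"] = len(blob)
        entry["mz_header"] = blob.startswith(b"MZ")
    return report


def build_sample_workbook(sheets, with_vba=True):
    """Construct an in-memory .xlsm-style container (constructed test data, not a real sample).
    `sheets` maps a worksheet name to the text cells written down column A."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", f'<workbook xmlns="{NS["m"]}"/>')
        for name, cells in sheets.items():
            rows = "".join(
                f'<row r="{i + 1}"><c r="A{i + 1}" t="inlineStr"><is><t>{txt}</t></is></c></row>'
                for i, txt in enumerate(cells)
            )
            z.writestr(f"xl/worksheets/{name}.xml",
                       f'<worksheet xmlns="{NS["m"]}"><sheetData>{rows}</sheetData></worksheet>')
        if with_vba:
            z.writestr("xl/vbaProject.bin", b"\x00constructed-stub-not-a-macro\x00")
    return buf.getvalue()


# Constructed placeholder "executable": only the MZ/PE magic is realistic, the rest is filler.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"constructed placeholder, not a real executable"
PE_HEX = FAKE_PE.hex()
SAMPLE = build_sample_workbook({
    "sheet1": ["Military Financing Program"] + [PE_HEX[i:i + 40] for i in range(0, len(PE_HEX), 40)],
    "sheet2": ["a" * 64],   # hex-only but hash-shaped, so it exercises the triage step without a payload
})

if __name__ == "__main__":
    for sheet, finding in scan_workbook(SAMPLE)["sheets"].items():
        print(sheet, finding)
```

Hex-only cells also occur in benign workbooks (hashes, GUIDs, serial numbers), which is why the script reports the decoded length and the MZ check rather than alerting on hex alone; a sheet full of hex whose bytes form a PE header, inside a workbook that also carries a VBA project, is the combination worth escalating. The same decoding step can be extended to look for other embedded content, since AHK scripts are plain text and would show up as readable ASCII once decoded.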

The malicious variant of the otherwise useful app is executed via DLL side-loading and contains modified functionality. It can also hide the TeamViewer interface, so targeted users are unaware that the software is running. This allows the attackers to save TeamViewer session credentials to a text file, as well as to transfer and execute additional .EXE and .DLL files.

What does this mean? The targeted system is exposed to data theft, surveillance operations, and compromise of online accounts. However, given the nature of the targets (mostly financial organizations), it appears that the criminals may be interested purely in financial data rather than political data.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
