SECURITY EVANGELIST

A new spam campaign emerged over the weekend, carrying the TeamSpy data-stealing malware, which can give cybercriminals full access to a compromised computer.

The last time TeamSpy made the news was in 2013, when a nearly decade-long cyber espionage operation was uncovered. The report from three years ago notes that:

It seems that the main objective of the attackers was information gathering from the infected computers. Many of the victims appear to be ordinary users, but some of the victims are high profile industrial, research, or diplomatic targets, including the case that triggered our investigation. As part of the attackers’ activities is based on misusing the TeamViewer remote access tool, we named the entire malicious toolkit TeamSpy.

How TeamSpy compromises the targeted computers

First of all, we have to mention that TeamViewer itself has not been compromised and is entirely safe to use, just as it was in 2016, when attackers leveraged reused passwords to plunder bank and PayPal accounts.

This current attack relies on social engineering and careless use to trick victims into installing the TeamSpy malware. The malicious technique used is DLL hijacking, which tricks a legitimate software program into loading attacker-supplied code and performing unauthorized actions.

In this case, the online criminals seek to gain complete control of the infected PC and gather confidential information from it, without raising suspicion that the computer is exposed.

Here’s how the attack unfolds:

First, the victim receives a spam email with the following contents:

From: [spoofed / Forged return address]

Subject line: eFax message from “1408581 **”

Attached:

Fax_02755665224.zip -> Fax_02755665224.EXE

The attached file is a zip file, which, when opened, triggers the accompanying .exe file to be activated. This causes the malicious TeamSpy code to be dropped onto the victim’s computer as a malicious DLL:

%APPDATA%\SysplanNT\MSIMG32.dll. That library is then registered via C:\Windows\system32\regsvr32.exe /s %APPDATA%\SysplanNT\MSIMG32.dll

In addition, the following files are dropped:

C:\DOCUME~1\[user account]\LOCALS~1\Temp\IXP000.TMP\324.bat
C:\DOCUME~1\[user account]\LOCALS~1\Temp\IXP000.TMP\324.exe


TeamSpy also performs the following actions during the infection process:

cmd.exe /c 324.bat

Ping.exe ping -n 2 google.com

Find.exe find /I "TTL="

Taskkill.exe taskkill /f /im svnhost.exe

Taskkill.exe taskkill /f /im update_w32.exe

Taskkill.exe taskkill /f /im tv_w32.exe

Taskkill.exe taskkill /f /im tv_x64.exe

324.exe /verysilent /Password=4657543876543

324.tmp /SL5="$401AE,4407577,278528,%TEMP%\IXP000.TMP\324.exe" /verysilent /Password=4657543876543

update_w32.exe

-> Svpn.exe install %APPDATA%\SysplanNT\TeamViewerVPN.inf teamviewervpn

svpn.exe restart teamviewervpn

In short, the TeamSpy malware bundles its own components with an otherwise legitimate copy of the TeamViewer application. A keylogger and the TeamViewer VPN driver are two of these components.
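The command sequence above is the kind of process-creation telemetry a defender can hunt over. The following is an added example written for this article, not code from the original alert or from CSIS; it classifies command lines against four behaviours taken from the list (silent regsvr32 registration of a DLL under a user profile, taskkill aimed at the TeamViewer process names, a fully silent Inno Setup run with a baked-in password, and the svpn.exe VPN driver install from %APPDATA%). The sample events, the user name "alice" and the parent/child pairing are constructed for the demonstration; the image names, switches and paths come from the article.

```python
import re

# Constructed sample of process-creation events, modelled on the command
# sequence the article lists; not real telemetry. Each entry is
# (parent image, image, command line).
SAMPLE_EVENTS = [
    ("explorer.exe", "Fax_02755665224.exe", "Fax_02755665224.exe"),
    ("Fax_02755665224.exe", "regsvr32.exe",
     r"C:\Windows\system32\regsvr32.exe /s C:\Users\alice\AppData\Roaming\SysplanNT\MSIMG32.dll"),
    ("cmd.exe", "ping.exe", "ping -n 2 google.com"),
    ("cmd.exe", "taskkill.exe", "taskkill /f /im tv_w32.exe"),
    ("cmd.exe", "324.exe", r"324.exe /verysilent /Password=4657543876543"),
    ("324.exe", "324.tmp",
     r'324.tmp /SL5="$401AE,4407577,278528,C:\DOCUME~1\alice\LOCALS~1\Temp\IXP000.TMP\324.exe" /verysilent /Password=4657543876543'),
    ("update_w32.exe", "svpn.exe",
     r"svpn.exe install C:\Users\alice\AppData\Roaming\SysplanNT\TeamViewerVPN.inf teamviewervpn"),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),           # benign filler
    ("cmd.exe", "taskkill.exe", "taskkill /f /im notepad.exe"),          # benign filler
    ("msiexec.exe", "regsvr32.exe", r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"),  # benign filler
]

# Process image names the dropper kills before (re)installing its own copy
# of TeamViewer, as listed in the article.
TEAMVIEWER_IMAGES = {"svnhost.exe", "update_w32.exe", "tv_w32.exe", "tv_x64.exe"}

# Directories a standard user can write to; a COM DLL registered from here is unusual.
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|LOCALS~1\\Temp|Temp)\\", re.I)


def classify(cmdline):
    """Return the names of the TeamSpy-style behaviours matched by one command line."""
    hits = []
    low = cmdline.lower()
    # 1. regsvr32 silently registering a DLL that lives in a user profile directory.
    if (re.search(r"regsvr32(\.exe)?\s+(/|-)s\b", cmdline, re.I)
            and ".dll" in low and USER_WRITABLE.search(cmdline)):
        hits.append("regsvr32_user_profile_dll")
    # 2. taskkill aimed at TeamViewer-related processes.
    m = re.search(r"taskkill(\.exe)?\s.*?/im\s+(\S+)", cmdline, re.I)
    if m and m.group(2).lower() in TEAMVIEWER_IMAGES:
        hits.append("taskkill_teamviewer_process")
    # 3. Inno Setup package installed fully silently with a baked-in password.
    if "/verysilent" in low and "/password=" in low:
        hits.append("silent_password_protected_installer")
    # 4. TeamViewer VPN driver installed from a user profile directory.
    if (re.search(r"svpn(\.exe)?\s+install\s", cmdline, re.I)
            and "teamviewervpn.inf" in low and USER_WRITABLE.search(cmdline)):
        hits.append("teamviewer_vpn_install_from_profile")
    return hits


def hunt(events, min_rules=2):
    """Score a process tree.

    Returns the per-event findings and whether at least `min_rules` distinct
    behaviours were seen; requiring more than one keeps a lone silent installer
    or a lone taskkill from paging anyone.
    """
    findings = []
    for idx, (parent, image, cmdline) in enumerate(events):
        rules = classify(cmdline)
        if rules:
            findings.append({"index": idx, "parent": parent, "image": image, "rules": rules})
    distinct = {r for f in findings for r in f["rules"]}
    return findings, len(distinct) >= min_rules


if __name__ == "__main__":
    findings, alert = hunt(SAMPLE_EVENTS)
    for f in findings:
        print(f"[{f['index']}] {f['parent']} -> {f['image']}: {', '.join(f['rules'])}")
    print("ALERT" if alert else "no alert")
```

Run against the constructed events, the regsvr32, taskkill, both installer lines and the svpn.exe line are flagged, the benign svchost, notepad taskkill and Program Files regsvr32 lines are not, and the tree as a whole crosses the two-rule threshold. The ping/find "TTL=" connectivity check is deliberately not a rule on its own: it is far too common in legitimate batch scripts to be worth an alert.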

At the same time, the logs are written to a file named “Log%s#%.3u.txt”, and all user names and passwords that can be harvested are appended to the same file. This file is then sent repeatedly to the following C&C server (the address is sanitized for your protection):

http://sleekworkz[.]com/tv/getinfo.php (VirusTotal detection: 4/64)

Additional components, including TeamViewer, are then dropped to:

%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\addons.bac
%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\msimg32.dll
%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\TeamViewer_Desktop.exe
%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\TeamViewer_Resource_en.dll
%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\TeamViewer_StaticRes.dll
%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\tv_w32.dll
%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\tv_w32.exe
%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\tv_x64.dll
%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\tv_x64.exe
%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\tvr.cfg
%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\update_w32.exe
%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\vpn64.cab
%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\vpn86.cab
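The drop list above, together with the DLL hijacking step described earlier, gives a file-system indicator that survives even when the process telemetry is gone: a copy of msimg32.dll (a DLL whose legitimate home is System32) sitting beside TeamViewer executables in a user-writable directory, plus keystroke logs named after the Log%s#%.3u.txt scheme. The following is an added example written for this article, not code from the original alert or from CSIS; it triages a file inventory for both. The SysplanNT directory, the ElCfwlz user name and the file names are taken from the article; the log file name “Logalice#007.txt” and the benign filler rows are constructed, and the expansion of the printf-style name pattern into a regular expression is this example's own reading of it.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed file inventory (the kind of listing an EDR or a forensic image
# export produces). The SysplanNT rows mirror the drop locations in the article;
# the remaining rows are benign filler included to show what must not be flagged.
SAMPLE_LISTING = [
    r"C:\Users\ElCfwlz\AppData\Roaming\SysplanNT\addons.bac",
    r"C:\Users\ElCfwlz\AppData\Roaming\SysplanNT\msimg32.dll",
    r"C:\Users\ElCfwlz\AppData\Roaming\SysplanNT\TeamViewer_Desktop.exe",
    r"C:\Users\ElCfwlz\AppData\Roaming\SysplanNT\tv_w32.exe",
    r"C:\Users\ElCfwlz\AppData\Roaming\SysplanNT\tvr.cfg",
    r"C:\Users\ElCfwlz\AppData\Roaming\SysplanNT\Logalice#007.txt",   # constructed log name
    r"C:\Windows\System32\msimg32.dll",                                # the real DLL
    r"C:\Program Files\TeamViewer\TeamViewer_Desktop.exe",             # a normal install
    r"C:\Program Files\TeamViewer\tv_w32.exe",
    r"C:\Users\ElCfwlz\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"C:\Users\ElCfwlz\Documents\Log of meetings.txt",
]

# Executables from the TeamViewer package that the campaign re-deploys.
TEAMVIEWER_EXES = {"teamviewer_desktop.exe", "tv_w32.exe", "tv_x64.exe"}
# System DLL the campaign plants next to the application so that the loader's
# search order finds it before the copy in System32.
HIJACKED_DLL = "msimg32.dll"
SYSTEM_DIRS = ("c:\\windows\\",)

# Log%s#%.3u.txt, read as a printf format: "Log", any string, "#", at least three
# digits (precision 3 on an unsigned integer), ".txt".
LOG_NAME = re.compile(r"^Log.*#\d{3,}\.txt$", re.I)


def index_by_dir(paths):
    """Map each directory (as written in the listing) to the lower-cased names it holds."""
    by_dir = defaultdict(set)
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir[str(wp.parent)].add(wp.name.lower())
    return by_dir


def find_sideload_dirs(paths):
    """Directories outside %SystemRoot% where a TeamViewer executable sits beside msimg32.dll.

    An application directory is searched before System32 for a DLL of this name,
    so the planted copy can be loaded in place of the real one; this is the
    DLL hijacking the article describes.
    """
    hits = []
    for directory, names in index_by_dir(paths).items():
        if directory.lower().startswith(SYSTEM_DIRS):
            continue
        if HIJACKED_DLL in names and names & TEAMVIEWER_EXES:
            hits.append(directory)
    return hits


def find_keylog_files(paths):
    """Files whose name fits the keylogger's Log%s#%.3u.txt naming scheme."""
    return [p for p in paths if LOG_NAME.match(PureWindowsPath(p).name)]


if __name__ == "__main__":
    for d in find_sideload_dirs(SAMPLE_LISTING):
        print("possible TeamViewer sideload directory:", d)
    for f in find_keylog_files(SAMPLE_LISTING):
        print("possible keystroke log:", f)
```

On the constructed listing only the SysplanNT directory and the Logalice#007.txt file are reported; the genuine msimg32.dll in System32 and the regular TeamViewer installation under Program Files are left alone. PureWindowsPath is used so the inventory can be triaged on any analysis host, not only on Windows.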

Given how the TeamSpy infection happens, it is clear that a TeamViewer session started by the attackers will be invisible to the victim. This can lead to numerous forms of abuse against the services that the logged-in user runs on his or her computer.

This attack can also circumvent two-factor authentication and give cybercriminals access to encrypted content that the user has already decrypted on the compromised computer.

The TeamSpy payload has a detection rate of 8/58 on VirusTotal at the moment:

[Screenshot: VirusTotal detection rates for the TeamSpy payload]

We highly recommend that you carefully analyze unwanted emails that you receive and that you don’t download email attachments from unknown senders. Malware can disguise itself in many forms on the web, and all it takes is one click to trigger an infection.

*This article features cyber intelligence provided by CSIS Security Group researchers.


Comments

I think most users are aware of the dangers on the net, but I think there is no understanding that this is the reality and activity that is constantly present and not something that will attach to them sometimes. So I think awareness needs to be raised to the level of understanding that is necessary to protect actively. Maybe not a bad idea to make a good poet webinar on. This post is very good.

Is it necessary to have TeamViewer installed on the victim’s machine for this malware?

Can you please mention what is that fake extension? It can also be used as an indicator.

If it was a real attached zip file and it does contain an .exe file, you would not be subject to getting a virus unless you tried to execute the infected file. It is not accurate to affirm: “The attached file is a zip file, which, when opened, triggers the accompanying .exe file to be activated.”

In this case, we are dealing with a fake extension that cybercriminals use to disguise the executable file. Sorry if that was not clear in the alert.
