Security Alert: TeamSpy Malware Spammers Use TeamViewer As Spying Tool
This infection can give cybercriminals full access to your PC, without you knowing
A new spam campaign emerged over the weekend, carrying the TeamSpy data-stealing malware, which can give cybercriminals full access to a compromised computer.
The last time that TeamSpy made the news was in 2013, when a cyber espionage operation that had run for nearly 10 years was uncovered. The report from 3 years ago mentions that:
It seems that the main objective of the attackers was information gathering from the infected computers. Many of the victims appear to be ordinary users, but some of the victims are high-profile industrial, research, or diplomatic targets, including the case that triggered our investigation. As part of the attackers’ activities is based on misusing the TeamViewer remote access tool, we named the entire malicious toolkit TeamSpy.
How TeamSpy compromises the targeted computers
First of all, we have to mention that TeamViewer has not been compromised and is entirely safe to use, just as it was in 2016, when attackers leveraged reused passwords to plunder bank and PayPal accounts.
This current attack relies on social engineering and careless use to trick victims into installing the TeamSpy malware. The malicious technique used is DLL hijacking, which tricks a legitimate software program into performing unauthorized actions.
In this case, the online criminals seek to gain complete control of the infected PC and gather confidential information from it, without raising suspicion that the computer is exposed.
Here’s how the attack unfolds:
First, the victim receives a spam email with the following contents:
From: [spoofed / Forged return address]
Subject line: eFax message from “1408581 **”
Attached:
Fax_02755665224.zip -> Fax_02755665224.EXE
The attached file is a zip file, which, when opened, triggers the accompanying .exe file to be activated. This causes the malicious TeamSpy code to be dropped onto the victim’s computer as a malicious DLL:
%APPDATA%\SysplanNT\MSIMG32.dll. That library is then registered via C:\Windows\system32\regsvr32.exe /s %APPDATA%\SysplanNT\MSIMG32.dll. In addition, the following are dropped:
C:\DOCUME~1\[user account]\LOCALS~1\Temp\IXP000.TMP\324.bat
C:\DOCUME~1\[user account]\LOCALS~1\Temp\IXP000.TMP\324.exe
TeamSpy also performs the following actions during the infection process:
cmd.exe /c 324.bat
Ping.exe ping -n 2 google.com
Find.exe find /I "TTL="
Taskkill.exe taskkill /f /im svnhost.exe
Taskkill.exe taskkill /f /im update_w32.exe
Taskkill.exe taskkill /f /im tv_w32.exe
Taskkill.exe taskkill /f /im tv_x64.exe
324.exe /verysilent /Password=4657543876543
324.tmp /SL5="$401AE,4407577,278528,%TEMP%\IXP000.TMP\324.exe" /verysilent /Password=4657543876543
update_w32.exe
-> svpn.exe install %APPDATA%\SysplanNT\TeamViewerVPN.inf teamviewervpn
svpn.exe restart teamviewervpn
The above shows that the TeamSpy malware bundles several components of its own alongside the otherwise legitimate TeamViewer application. A keylogger and a TeamViewer VPN are two of these components.
At the same time, logs are copied to “Log%s#%.3u.txt” while all available user names and passwords are appended to the same file. This file is then sent continuously to the following C&C server (sanitized for your protection):
http://sleekworkz[.]com/tv/getinfo.php (VirusTotal detection: 4/64)
Additional components, including TeamViewer, are then dropped to:
%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\addons.bac
%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\msimg32.dll
%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\TeamViewer_Desktop.exe
%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\TeamViewer_Resource_en.dll
%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\TeamViewer_StaticRes.dll
%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\tv_w32.dll
%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\tv_w32.exe
%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\tv_x64.dll
%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\tv_x64.exe
%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\tvr.cfg
%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\update_w32.exe
%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\vpn64.cab
%SystemDrive%\Users\ElCfwlz\AppData\Roaming\SysplanNT\vpn86.cab
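As an added illustration (not part of the original alert), a small Python detection routine that checks constructed process events and a constructed directory listing for three behaviours described above: regsvr32 /s loading a DLL from a user-writable path, taskkill against the bundled TeamViewer binaries, and a system DLL name (msimg32.dll) sitting beside an executable outside the Windows directory. The "Image | CommandLine" event format, the user name and the sample values are assumptions made for the example.

```python
import re
from typing import Iterable
# Constructed "Image | CommandLine" process events (not real telemetry); the
# names and paths mirror the chain the alert describes.
SAMPLE_EVENTS = [
    r"C:\Windows\system32\regsvr32.exe | regsvr32.exe /s %APPDATA%\SysplanNT\MSIMG32.dll",
    r"C:\Windows\system32\taskkill.exe | taskkill /f /im tv_w32.exe",
    r"C:\Windows\system32\regsvr32.exe | regsvr32.exe /s C:\Windows\System32\scrrun.dll",
    r"C:\Windows\system32\cmd.exe | cmd.exe /c 324.bat",
]
# Constructed listing of the drop directory named in the alert.
SAMPLE_FILES = [
    r"C:\Users\ElCfwlz\AppData\Roaming\SysplanNT\msimg32.dll",
    r"C:\Users\ElCfwlz\AppData\Roaming\SysplanNT\TeamViewer_Desktop.exe",
]
# System DLL names worth watching outside System32 (msimg32.dll is the one this
# alert describes) and the TeamViewer binaries the dropper kills before re-deploying.
HIJACKABLE_SYSTEM_DLLS = {"msimg32.dll"}
TEAMVIEWER_BINS = {"tv_w32.exe", "tv_x64.exe", "teamviewer_desktop.exe"}
USER_WRITABLE = re.compile(r"%appdata%|\\appdata\\|%temp%|\\temp\\", re.I)

def flag_events(events: Iterable[str]) -> list[str]:
    """One finding per process event that matches the alert's behaviour."""
    findings = []
    for ev in events:
        image, _, cmd = ev.partition(" | ")
        exe = image.rsplit("\\", 1)[-1].lower()
        # regsvr32 /s quietly loads a DLL; from a user-writable path it is a red flag
        if exe == "regsvr32.exe" and re.search(r"\s/s\b", cmd) and USER_WRITABLE.search(cmd):
            findings.append(f"silent regsvr32 load from user-writable path: {cmd}")
        # the dropper kills the bundled TeamViewer before replacing it
        if exe == "taskkill.exe":
            killed = {t.lower() for t in re.findall(r"/im\s+(\S+)", cmd, re.I)}
            if killed & TEAMVIEWER_BINS:
                findings.append(f"TeamViewer process terminated: {cmd}")
    return findings

def flag_dll_hijack(paths: Iterable[str]) -> list[str]:
    """Flag a system DLL name sitting beside an executable outside the Windows directory."""
    by_dir: dict[str, set[str]] = {}
    for p in paths:
        d, _, name = p.rpartition("\\")
        by_dir.setdefault(d.lower(), set()).add(name.lower())
    findings = []
    for d, names in by_dir.items():
        hijacked, exes = names & HIJACKABLE_SYSTEM_DLLS, {n for n in names if n.endswith(".exe")}
        if "\\windows\\" not in d and hijacked and exes:
            findings.append(f"{d}: {sorted(hijacked)} beside {sorted(exes)} (search-order hijack)")
    return findings
```

Running it against the constructed input reports the %APPDATA% regsvr32 load, the tv_w32.exe kill and the msimg32.dll/TeamViewer_Desktop.exe pairing, while the System32 regsvr32 call stays quiet.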
Given how the TeamSpy infection happens, it is clear that a TeamViewer session started by the attackers will be invisible to the victim. This can lead to numerous forms of abuse against the services that the logged-in user runs on his/her computer.
This attack can also circumvent two-factor authentication and can give cybercriminals access to encrypted content that the users have decrypted on their compromised computers.
The TeamSpy payload has a detection rate of 8/58 on VirusTotal at the moment.
We highly recommend that you carefully analyze unwanted emails that you receive and that you don’t download email attachments from unknown senders. Malware can disguise itself in many forms on the web, and all it takes is one click to trigger an infection.
I think most users are aware of the dangers on the net, but I think there is no understanding that this is the reality and activity that is constantly present and not something that will attach to them sometimes. So I think awareness needs to be raised to the level of understanding that is necessary to protect actively. Maybe not a bad idea to make a good poet webinar on. This post is very good.
Is it necessary to have TeamViewer installed on the victim’s machine for this malware?
Can you please mention what is that fake extension? It can also be used as an indicator.
If it was a real attached Zip file and it does contain an .exe file, you would not be subject to getting a virus unless you tried to execute the infected file. It is not accurate to affirm: “The attached file is a zip file, which, when opened, triggers the accompanying .exe file to be activated.”
In this case, we are dealing with a fake extension that cybercriminals use to disguise the executable file. Sorry if that was not clear in the alert.