Researchers at Check Point Software Technologies detected a new spear-phishing campaign aimed at officials in government finance authorities and at representatives of several embassies in Europe, including those of Italy, Nepal, Kenya, Liberia, Lebanon, Guyana, and Bermuda. In the attacks the hackers use a trojanized version of the popular remote access and desktop sharing tool TeamViewer to gain access to the infected computer.
The attack starts with a phishing email masquerading as a "Top Secret" document from the United States. To trick victims into believing the email is legitimate, it carries the subject line "Military Financing Program" and the logo of the US Department of State. In reality the email carries a malicious Microsoft Excel attachment.
If a victim downloads and opens the attachment, they are asked to enable macros. Enabling them triggers the download and extraction of two files onto the computer: a legitimate AutoHotkeyU32.exe program and a malicious TeamViewer DLL. The first one is used to run AutoHotkey (AHK) scripts: it sends a POST request to the attackers' command-and-control (C&C) server and downloads additional AHK scripts capable of taking screenshots of the victim's PC and stealing information from the device.
The other file is a malicious TeamViewer DLL (TV.DLL) that is loaded through DLL side-loading by the legitimate TeamViewer executable. It adds functionality such as hiding the TeamViewer interface from the victim, saving the current TeamViewer session credentials to a text file, and transferring and executing additional EXE or DLL files.
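The two stages described above leave a recognisable trail in process-creation and image-load telemetry: an Office application spawning the AutoHotkey interpreter, and TeamViewer.exe loading a TV.DLL that is unsigned or sits in a user-writable directory rather than the vendor install path. The following detection sketch is an added example, not Check Point's code or anything from the campaign; the events are constructed, Sysmon-style records (assumption: field names mirror Sysmon Event ID 1 ProcessCreate and Event ID 7 ImageLoad), and the path markers and Office process list are the author's own heuristics.

```python
"""Detection sketch for the Excel -> AutoHotkey -> side-loaded TV.DLL chain.

Added example, not code from the original article or from the campaign.
The events below are constructed for illustration; field names are assumed
to mirror Sysmon Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoad).
"""
import ntpath

# Office hosts that should never be the parent of a scripting interpreter
# (heuristic list, an assumption of this example).
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Substrings that mark directories a normal user can write to
# (heuristic, an assumption of this example).
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed sample telemetry (not real campaign data).
SAMPLE_EVENTS = [
    # 0: macro stage - Excel launches the AutoHotkey interpreter from AppData
    {"id": 1,
     "Image": r"C:\Users\alice\AppData\Roaming\AutoHotkeyU32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    # 1: side-load stage - TeamViewer.exe in AppData loads an unsigned TV.DLL
    {"id": 7,
     "Image": r"C:\Users\alice\AppData\Roaming\TeamViewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\TV.DLL",
     "Signed": "false", "Signature": ""},
    # 2: benign - installed TeamViewer loading a Windows system DLL
    {"id": 7,
     "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    # 3: benign - a user starts AutoHotkey from Explorer, not from Office
    {"id": 1,
     "Image": r"C:\Program Files\AutoHotkey\AutoHotkeyU32.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def basename(path):
    """Lower-cased final path component; ntpath handles Windows separators on any OS."""
    return ntpath.basename(path).lower()


def in_user_writable_dir(path):
    """True when the path lies under a directory an ordinary user can write to."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def office_spawned_ahk(ev):
    """Event ID 1: an Office application spawned an AutoHotkey interpreter."""
    if ev.get("id") != 1:
        return False
    return (basename(ev["ParentImage"]) in OFFICE_APPS
            and basename(ev["Image"]).startswith("autohotkey"))


def suspicious_tv_dll_load(ev):
    """Event ID 7: TeamViewer.exe loaded TV.DLL that is unsigned or user-writable.

    A signed copy under the vendor install path is deliberately not flagged;
    the side-loading tradecraft relies on a writable drop location.
    """
    if ev.get("id") != 7:
        return False
    if basename(ev["Image"]) != "teamviewer.exe":
        return False
    if basename(ev["ImageLoaded"]) != "tv.dll":
        return False
    unsigned = ev.get("Signed", "false").lower() != "true"
    return unsigned or in_user_writable_dir(ev["ImageLoaded"])


RULES = [
    ("office_spawned_ahk", office_spawned_ahk),
    ("suspicious_tv_dll_load", suspicious_tv_dll_load),
]


def scan(events):
    """Run every rule over every event; return (rule_name, event_index) hits."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, idx))
    return hits


if __name__ == "__main__":
    for name, idx in scan(SAMPLE_EVENTS):
        print(f"{name}: event {idx} -> {SAMPLE_EVENTS[idx]['Image']}")
```

Against the sample set the scan fires on events 0 and 1 only. In a real deployment the two hits would be correlated on host and time window, since either alone (a user running AutoHotkey, or an unsigned DLL next to a portable TeamViewer) is noisy on its own but the pair within minutes of an Office document opening matches the chain the researchers describe.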
According to the researchers, there is evidence that the threat actors behind this campaign, or at least the developer of the tools used in the attacks, are Russian or at least Russian-speaking, based on an avatar that links them to a user of a Russian underground forum known as EvaPiks.
The campaign is ongoing, so the hackers' goal is unclear at the moment; however, "the activity history of the developer behind the attack in underground carding forums and the victim's characteristics may imply that the attacker is financially motivated", the researchers concluded.