24 April 2019

Russian hackers are using weaponized TeamViewer in attacks on embassies around the world

Researchers at Check Point Technologies detected a new spear-phishing campaign targeting officials in government finance authorities and representatives of several embassies in Europe, including those of Italy, Nepal, Kenya, Liberia, Lebanon, Guyana, and Bermuda. In the attacks the hackers use a trojanized version of the popular remote access and desktop sharing tool TeamViewer to gain access to the infected computer.

The attack starts with a phishing email masquerading as a “Top Secret” document from the United States. To make the email look legitimate, it carries the subject line "Military Financing Program" and a logo of the US Department of State. In reality, the email sent to potential victims carries a malicious Microsoft Excel attachment.

If a victim downloads and opens the attachment, they are asked to enable macros. Enabling them triggers the download and extraction of two files onto the computer: a legitimate AutoHotkeyU32.exe program and a malicious TeamViewer DLL. The first sends a POST request to the attacker's command-and-control (C&C) server and downloads additional AHK scripts capable of taking screenshots of the victim’s PC and stealing information from the device.

The other file is a malicious TeamViewer DLL (TV.DLL), loaded via the DLL side-loading technique, which adds functionality including the ability to hide the TeamViewer interface from the victim, save the current TeamViewer session credentials to a text file, and transfer and execute additional EXE or DLL files.
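Two of the steps above leave host-level traces a defender can look for: an Office process launching AutoHotkey, and TV.DLL being loaded from somewhere other than the TeamViewer install directory (or without a valid signature). The detection logic below is an added example, not code from Check Point or from this article; it runs over constructed Sysmon-style events (field names follow Sysmon's ProcessCreate and ImageLoad events, the paths and install directories are assumptions).

```python
import json
from pathlib import PureWindowsPath

# Constructed Sysmon-style events as JSON lines (EventID 1 = ProcessCreate,
# EventID 7 = ImageLoad). Values are made up for this example.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Roaming\\AutoHotkeyU32.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"}
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Roaming\\TeamViewer.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\TV.DLL", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "ImageLoaded": "C:\\Program Files\\TeamViewer\\TV.dll", "Signed": "true"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Assumed legitimate TeamViewer install directories (lower-cased for comparison).
TEAMVIEWER_DIRS = (r"c:\program files\teamviewer", r"c:\program files (x86)\teamviewer")


def _name(path):
    """File name component of a Windows path, lower-cased."""
    return PureWindowsPath(path).name.lower()


def office_spawned_ahk(ev):
    """Rule 1: an Office application launching AutoHotkey (the macro stage)."""
    return (ev.get("EventID") == 1
            and _name(ev["ParentImage"]) in OFFICE_APPS
            and _name(ev["Image"]).startswith("autohotkey"))


def sideloaded_teamviewer_dll(ev):
    """Rule 2: TV.DLL loaded from outside the install dir, or not validly signed."""
    if ev.get("EventID") != 7 or _name(ev["ImageLoaded"]) != "tv.dll":
        return False
    outside_install_dir = not ev["ImageLoaded"].lower().startswith(TEAMVIEWER_DIRS)
    not_signed = ev.get("Signed", "").lower() != "true"
    return outside_install_dir or not_signed


def scan(jsonl):
    """Return (rule, path) pairs for every event matching either rule."""
    hits = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if office_spawned_ahk(ev):
            hits.append(("office_spawned_autohotkey", ev["Image"]))
        if sideloaded_teamviewer_dll(ev):
            hits.append(("sideloaded_tv_dll", ev["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for rule, path in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {path}")
```

Rule 2 deliberately treats a validly signed TV.dll in the install directory as benign, so the legitimate load in the sample is not reported.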

According to the researchers, they found evidence that the threat actors behind this campaign, or at least the developer of the tools used in the attacks, are Russian or at least Russian-speaking: an avatar tied to the developer links to a user of a Russian underground forum known as EvaPiks.

The campaign is ongoing, so the hackers’ goal is unclear at the moment; however, "the activity history of the developer behind the attack in underground carding forums and the victim’s characteristics may imply that the attacker is financially motivated", the researchers concluded.

Indicators of Compromise (IOCs)
