24 April 2019

Russian hackers are using weaponized TeamViewer in attacks on embassies around the world

Researchers at Check Point Technologies have detected a new spearphishing campaign aimed at officials in government finance authorities and at representatives of several embassies in Europe belonging to Italy, Nepal, Kenya, Liberia, Lebanon, Guyana, and Bermuda. In the attacks the hackers use a trojanized version of the popular remote access and desktop sharing tool TeamViewer to gain access to the infected computer.

The attack starts with a phishing email masquerading as a “Top Secret” document from the United States. To make the email appear legitimate, it carries the subject line "Military Financing Program" and the logo of the US Department of State. In reality, the email sent to potential victims is laced with malicious Microsoft Excel files.

If a victim downloads and opens the attachment, they are asked to enable macros. Enabling them triggers the download and extraction onto the computer of two files: a legitimate AutoHotkeyU32.exe program and a malicious TeamViewer DLL. The first sends a POST request to the attacker's command-and-control (C&C) server and downloads additional AHK scripts capable of taking screenshots of the victim’s PC and stealing information from the device.

The other file is a malicious TeamViewer DLL (TV.DLL), which is loaded via the DLL side-loading technique and adds functionality, including the ability to hide the TeamViewer interface from the victim, to save the current TeamViewer session credentials to a text file, and to transfer and execute additional EXE or DLL files.

According to the researchers, they have found evidence that the threat actors behind this campaign, or at least the developer of the tools used in the attacks, are Russian or at least Russian-speaking: an avatar used by the developer is linked to a Russian underground forum user known as EvaPiks.

The campaign is ongoing, so the hackers’ goal is unclear at the moment; however, "the activity history of the developer behind the attack in underground carding forums and the victim’s characteristics may imply that the attacker is financially motivated", the researchers concluded.

Indicators of Compromise (IOCs)

DLL files

013e87b874477fcad54ada4fa0a274a2
799AB035023B655506C0D565996579B5
e1167cb7f3735d4edec5f7219cea64ef
6cc0218d2b93a243721b088f177d8e8f
aad0d93a570e6230f843dcdf20041e1e
1e741ebc08af09edc69f017e170b9852
c6ae889f3bee42cc19a728ba66fa3d99
1675cdec4c0ff49993a1fcbdfad85e56
72de32fa52cc2fab2b0584c26657820f
44038b936667f6ce2333af80086f877f

Documents

4acf624ad87609d476180ecc4c96c355
4dbe9dbfb53438d9ce410535355cd973

C&C servers

1c-ru[.]net/check/license
intersys32[.]com/3307/
146.0.72[.]180/3307/
146.0.72[.]180/newcpanel_gate/gate.php
185.70.186[.]145/gate.php
185.70.186[.]145/index.php
193.109.69[.]5/3307/gate.php
193.109.69[.]5/9125/gate.php
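The IOC list above is published in defanged form ("[.]" in place of "."), so it has to be normalised before it can be compared with what a proxy or an endpoint inventory actually records. The script below is an added example written for this article, not Check Point's tooling: it refangs the C&C entries, matches them against constructed proxy log lines at URL and host level, and compares observed file hashes against the published ones case-insensitively. The hash values and C&C entries are the report's; the log lines, client addresses and the "observed" hashes are made up for the example.

```python
"""Refang the article's IOC list and check constructed proxy log lines and
observed file hashes against it. IOC values are from the report; the log
lines and observed hashes are constructed sample data."""
from __future__ import annotations

import hashlib
import re

DEFANGED_C2 = [
    "1c-ru[.]net/check/license",
    "intersys32[.]com/3307/",
    "146.0.72[.]180/3307/",
    "146.0.72[.]180/newcpanel_gate/gate.php",
    "185.70.186[.]145/gate.php",
    "185.70.186[.]145/index.php",
    "193.109.69[.]5/3307/gate.php",
    "193.109.69[.]5/9125/gate.php",
]

# DLL and document hashes from the report (32 hex characters, MD5 length),
# normalised to lower case because published lists mix cases.
IOC_HASHES = {h.lower() for h in """
013e87b874477fcad54ada4fa0a274a2 799AB035023B655506C0D565996579B5
e1167cb7f3735d4edec5f7219cea64ef 6cc0218d2b93a243721b088f177d8e8f
aad0d93a570e6230f843dcdf20041e1e 1e741ebc08af09edc69f017e170b9852
c6ae889f3bee42cc19a728ba66fa3d99 1675cdec4c0ff49993a1fcbdfad85e56
72de32fa52cc2fab2b0584c26657820f 44038b936667f6ce2333af80086f877f
4acf624ad87609d476180ecc4c96c355 4dbe9dbfb53438d9ce410535355cd973
""".split()}


def refang(ioc: str) -> str:
    """Undo the [.] defanging used in published IOC lists."""
    return ioc.replace("[.]", ".")


def ioc_urls() -> set[str]:
    """Scheme-less URLs with any trailing slash removed for comparison."""
    return {refang(entry).rstrip("/") for entry in DEFANGED_C2}


def ioc_hosts() -> set[str]:
    """Just the host part, so any contact with a C&C host is flagged."""
    return {url.split("/", 1)[0] for url in ioc_urls()}


# Constructed proxy log: timestamp client method url status (not real traffic).
SAMPLE_PROXY_LOG = """\
2019-04-24T10:01:02Z 10.0.0.15 POST http://146.0.72.180/newcpanel_gate/gate.php 200
2019-04-24T10:01:05Z 10.0.0.15 GET http://www.example.com/index.html 200
2019-04-24T10:02:11Z 10.0.0.22 GET http://1c-ru.net/check/license 200
2019-04-24T10:03:40Z 10.0.0.31 POST http://185.70.186.145/login 404
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def match_proxy_log(text: str) -> list[tuple[str, str, str]]:
    """Return (client, match level, url) for lines touching an IOC.

    An exact URL match is reported as "url"; a request to an IOC host with a
    different path is still reported, as "host"."""
    urls, hosts = ioc_urls(), ioc_hosts()
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real tool would count these
        _ts, client, _method, url, _status = m.groups()
        stripped = re.sub(r"^https?://", "", url).rstrip("/")
        host = stripped.split("/", 1)[0]
        if stripped in urls:
            hits.append((client, "url", url))
        elif host in hosts:
            hits.append((client, "host", url))
    return hits


# Constructed "observed" hashes, e.g. from an EDR file inventory. The third is
# the MD5 of an empty file, computed here to show that a locally computed
# digest compares cleanly with the normalised IOC set.
SAMPLE_OBSERVED_HASHES = [
    "799ab035023b655506c0d565996579b5",
    "4DBE9DBFB53438D9CE410535355CD973",
    hashlib.md5(b"").hexdigest(),
]


def match_hashes(observed: list[str]) -> list[str]:
    """Case-insensitive comparison of observed hashes against the IOC set."""
    return sorted(h.lower() for h in observed if h.lower() in IOC_HASHES)


if __name__ == "__main__":
    for client, level, url in match_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} {level}-match {url}")
    for digest in match_hashes(SAMPLE_OBSERVED_HASHES):
        print(f"hash match {digest}")
```

Matching on the host as well as the full URL matters here because several entries share a host with different paths (for example two distinct gate.php paths on 193.109.69[.]5); a request to one of those hosts with a path not on the list is still worth investigating.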

