24 April 2019

Russian hackers are using weaponized TeamViewer in attacks on embassies around the world

Researchers at Check Point Technologies detected a new spear-phishing campaign aimed at officials within government finance authorities and at representatives of several embassies in Europe run by Italy, Nepal, Kenya, Liberia, Lebanon, Guyana, and Bermuda. In the attacks the hackers use a trojanized version of the popular remote access and desktop sharing tool TeamViewer to gain access to the infected computer.

The attack starts with a phishing email masquerading as a “Top Secret” document from the United States. To trick victims into believing that the email is legitimate, it carries the subject line "Military Financing Program" and a logo of the US Department of State. In reality, the email sent to potential victims is laced with a malicious Microsoft Excel file.

If a victim downloads and opens the attachment, they are asked to enable macros. Enabling them triggers the download and extraction of two files onto the computer: a legitimate AutoHotkeyU32.exe program and a malicious TeamViewer DLL. The first one sends a POST request to the attacker's command-and-control (C&C) server and downloads additional AHK scripts capable of taking screenshots of the victim’s PC and stealing information from the device.

The other file is a malicious TeamViewer DLL (TV.DLL), which is loaded via the DLL side-loading technique and adds functionality of its own, including the ability to conceal the TeamViewer interface from the victim, to save the current TeamViewer session credentials to a text file, and to transfer and execute additional EXE or DLL files.

According to the researchers, there is evidence that the threat actors behind this campaign, or at least the developer of the tools used in the attacks, are Russian or at least Russian-speaking: an avatar used in the operation links to a Russian underground forum user known as EvaPiks.

The campaign is ongoing, so the hackers’ goal is unclear at the moment; however, "the activity history of the developer behind the attack in underground carding forums and the victim’s characteristics may imply that the attacker is financially motivated", the researchers concluded.

Indicators of Compromise (IOCs)

DLL files

013e87b874477fcad54ada4fa0a274a2
799AB035023B655506C0D565996579B5
e1167cb7f3735d4edec5f7219cea64ef
6cc0218d2b93a243721b088f177d8e8f
aad0d93a570e6230f843dcdf20041e1e
1e741ebc08af09edc69f017e170b9852
c6ae889f3bee42cc19a728ba66fa3d99
1675cdec4c0ff49993a1fcbdfad85e56
72de32fa52cc2fab2b0584c26657820f
44038b936667f6ce2333af80086f877f

Documents

4acf624ad87609d476180ecc4c96c355
4dbe9dbfb53438d9ce410535355cd973

C&C servers

1c-ru[.]net/check/license
intersys32[.]com/3307/
146.0.72[.]180/3307/
146.0.72[.]180/newcpanel_gate/gate.php
185.70.186[.]145/gate.php
185.70.186[.]145/index.php
193.109.69[.]5/3307/gate.php
193.109.69[.]5/9125/gate.php
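The indicators above are published defanged (`[.]` in place of `.`) and with mixed-case hashes, so matching them against real telemetry needs a little normalisation. The following script is an added example, not code from the article or from Check Point: it refangs the C&C indicators, matches them against URLs from a proxy log (a directory-style indicator such as `146.0.72[.]180/3307/` covers everything beneath it, a file-style one must match exactly), and looks up MD5 digests against the DLL and document hash lists. The proxy log format and its lines are constructed sample data; only the hashes and indicators come from the article.

```python
"""IOC matcher for the campaign indicators listed in the article.

Added example, not part of the original article or of Check Point's research.
Hashes and C&C indicators are copied from the article; the proxy log layout
and log lines are constructed sample data.
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators copied from the article, kept in their published (defanged) form.
DLL_MD5 = {
    "013e87b874477fcad54ada4fa0a274a2", "799AB035023B655506C0D565996579B5",
    "e1167cb7f3735d4edec5f7219cea64ef", "6cc0218d2b93a243721b088f177d8e8f",
    "aad0d93a570e6230f843dcdf20041e1e", "1e741ebc08af09edc69f017e170b9852",
    "c6ae889f3bee42cc19a728ba66fa3d99", "1675cdec4c0ff49993a1fcbdfad85e56",
    "72de32fa52cc2fab2b0584c26657820f", "44038b936667f6ce2333af80086f877f",
}
DOC_MD5 = {"4acf624ad87609d476180ecc4c96c355", "4dbe9dbfb53438d9ce410535355cd973"}
C2_URLS = [
    "1c-ru[.]net/check/license",
    "intersys32[.]com/3307/",
    "146.0.72[.]180/3307/",
    "146.0.72[.]180/newcpanel_gate/gate.php",
    "185.70.186[.]145/gate.php",
    "185.70.186[.]145/index.php",
    "193.109.69[.]5/3307/gate.php",
    "193.109.69[.]5/9125/gate.php",
]

# Lowercase the feed once so that case differences (one DLL hash is uppercase) never cause misses.
_HASH_LABELS: Dict[str, str] = {h.lower(): "dll" for h in DLL_MD5}
_HASH_LABELS.update({h.lower(): "document" for h in DOC_MD5})


def refang(indicator: str) -> str:
    """Turn a published indicator like 'a[.]b/c' back into 'a.b/c'."""
    return indicator.replace("[.]", ".")


def split_indicator(indicator: str) -> Tuple[str, str]:
    """Return (host, path) for an indicator; path is '/' plus whatever follows the host."""
    host, _, path = refang(indicator).partition("/")
    return host.lower(), "/" + path


def match_url(url: str) -> Optional[str]:
    """Return the first C&C indicator that covers the URL, or None if none does."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for indicator in C2_URLS:
        ind_host, ind_path = split_indicator(indicator)
        if host != ind_host:
            continue
        # Directory-style indicator (trailing '/') covers everything beneath it;
        # file-style indicator must match the path exactly.
        if ind_path.endswith("/") and path.startswith(ind_path):
            return indicator
        if path == ind_path:
            return indicator
    return None


def classify_hash(md5_hex: str) -> Optional[str]:
    """Return 'dll', 'document', or None for an MD5 hex digest in any letter case."""
    return _HASH_LABELS.get(md5_hex.strip().lower())


def classify_bytes(data: bytes) -> Optional[str]:
    """Hash raw file content and classify it against the published MD5 lists."""
    return classify_hash(hashlib.md5(data).hexdigest())


# Constructed proxy log: "timestamp client method url status" (not a real capture).
SAMPLE_PROXY_LOG = """\
2019-04-22T10:14:03Z 10.1.4.22 POST http://146.0.72.180/3307/gate.php 200
2019-04-22T10:14:05Z 10.1.4.22 GET http://1c-ru.net/check/license 200
2019-04-22T10:15:11Z 10.1.4.37 GET https://www.example.com/index.php 200
2019-04-22T10:15:52Z 10.1.4.22 POST http://intersys32.com/3307/gate.php 200
2019-04-22T10:16:40Z 10.1.4.22 GET http://185.70.186.145/index.php 404
"""

_LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_proxy_log(text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose URL is covered by a C&C indicator."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = _LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected layout
        indicator = match_url(m.group("url"))
        if indicator:
            hits.append({"client": m.group("client"), "url": m.group("url"), "indicator": indicator})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['client']} -> {hit['url']}  matches {hit['indicator']}")
    print(classify_hash("799AB035023B655506C0D565996579B5"))
```

In the sample log, four of the five lines match (the `example.com` request does not, because host and path are matched together rather than the file name alone), all from the same internal client, which is the kind of grouping a triage analyst wants before pulling the host for the macro, `AutoHotkeyU32.exe` and side-loaded `TV.DLL` artefacts described above.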
