A targeted, email-borne attack against embassy officials and government finance authorities globally is making use of a malicious attachment disguised as a top-secret U.S. document. It weaponizes TeamViewer, the popular remote-access and desktop-sharing software, to gain full control of the infected computer.
While the tactics and targets are APT-like, Check Point researchers suspect that the cyberattacker behind the effort is actually financially motivated.
Social Engineering + TeamViewer
The attack starts with an email claiming to send the target information about a U.S. “Military Financing Program.” The attacked Excel file is marked “Top Secret” and purports to be from the U.S. State Department. According to Check Point, which has been following the campaign, the document is “well-crafted,” with little to tip off the recipient that anything is awry other than the fact that the attachment name is in Cyrillic.
Potential victims are prompted to enable macros, and once they do, a legitimate AutoHotkeyU32.exe program is launched, along with an AHK script, which fetches three additional AHK script URLs from the command-and-control (C2) server.
The scripts take screenshots of the victim’s PC and capture the victim’s username and computer information, sending that to the C2. The third script also downloads a malicious version of TeamViewer.
“The malicious TeamViewer DLL (TV.DLL) is loaded via the DLL side-loading technique, and is used to add more functionality to TeamViewer by hooking windows APIs called by the program,” Check Point researchers explained in a Monday posting.
These APIs hide the TeamViewer interface so that the user would not know it is running; save TeamViewer session credentials to a text file; and allow the transfer and remote execution of additional executable or DLL files.
Once the malicious TeamViewer is up and running, the adversary sets about using its remote desktop functionality to gain access to the targeted system as if he or she were a legitimate user of the computer.