Evil TeamViewer Attacks Under the Guise of the U.S. State Department

silversurfer

A targeted, email-borne attack against embassy officials and government finance authorities globally is making use of a malicious attachment disguised as a top-secret U.S. document. It weaponizes TeamViewer, the popular remote-access and desktop-sharing software, to gain full control of the infected computer.

While the tactics and targets are APT-like, Check Point researchers suspect that the cyberattacker behind the effort is actually financially motivated.

Social Engineering + TeamViewer

The attack starts with an email claiming to send the target information about a U.S. “Military Financing Program.” The attached Excel file is marked “Top Secret” and purports to be from the U.S. State Department. According to Check Point, which has been following the campaign, the document is “well-crafted,” with little to tip off the recipient that anything is awry other than the fact that the attachment name is in Cyrillic.

Potential victims are prompted to enable macros, and once they do, a legitimate AutoHotkeyU32.exe program is launched, along with an AHK script, which fetches three additional AHK script URLs from the command-and-control (C2) server.

The scripts take screenshots of the victim’s PC and capture the victim’s username and computer information, sending that to the C2. The third script also downloads a malicious version of TeamViewer.

“The malicious TeamViewer DLL (TV.DLL) is loaded via the DLL side-loading technique, and is used to add more functionality to TeamViewer by hooking Windows APIs called by the program,” Check Point researchers explained in a Monday posting.

These APIs hide the TeamViewer interface so that the user would not know it is running; save TeamViewer session credentials to a text file; and allow the transfer and remote execution of additional executable or DLL files.

Once the malicious TeamViewer is up and running, the adversary sets about using its remote desktop functionality to gain access to the targeted system as if he or she were a legitimate user of the computer.
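As an added illustration (not code from the article, from Check Point, or from anyone in this thread), the two most distinctive steps of the chain described above, Excel launching AutoHotkeyU32.exe and TeamViewer.exe loading TV.DLL from a user-writable directory, written as detection checks over constructed Sysmon-style process-creation and image-load records. The event field names, the file paths, and the Office/AutoHotkey name lists are assumptions, not values from the campaign.

```python
import re

# Constructed Sysmon-style events (not real telemetry from the campaign):
# id 1 = process creation, id 7 = image load, reduced to the fields needed here.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "image": r"C:\Users\victim\AppData\Local\Temp\AutoHotkeyU32.exe",
     "parent": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE"},
    {"id": 7, "image": r"C:\Users\victim\AppData\Roaming\tv\TeamViewer.exe",
     "loaded": r"C:\Users\victim\AppData\Roaming\tv\TV.DLL"},
    {"id": 7, "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}          # assumed list
AHK_HOSTS = {"autohotkeyu32.exe", "autohotkeyu64.exe", "autohotkey.exe"}
# Directories an ordinary user can write to; a side-loaded DLL usually lives here.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata)\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def office_spawned_ahk(ev: dict) -> bool:
    """Macro stage: an Office application launching the AutoHotkey interpreter."""
    return (ev["id"] == 1
            and basename(ev["parent"]) in OFFICE_APPS
            and basename(ev["image"]) in AHK_HOSTS)


def teamviewer_sideload(ev: dict) -> bool:
    """Side-load stage: TeamViewer.exe loading TV.DLL from a user-writable path."""
    return (ev["id"] == 7
            and basename(ev["image"]) == "teamviewer.exe"
            and basename(ev["loaded"]) == "tv.dll"
            and USER_WRITABLE.match(ev["loaded"]) is not None)


def scan(events: list) -> list:
    """Return (rule name, offending path) for every event that matches a rule."""
    findings = []
    for ev in events:
        if office_spawned_ahk(ev):
            findings.append(("office_spawned_ahk", ev["image"]))
        elif teamviewer_sideload(ev):
            findings.append(("teamviewer_sideload", ev["loaded"]))
    return findings


if __name__ == "__main__":
    for rule, path in scan(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

Both rules are intentionally narrow; in practice the side-load check would be broadened to any DLL loaded by TeamViewer.exe from outside its install directory.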
 

Burrito

I'm surprised this actually works.

A pretty big giveaway is the attachment name in Cyrillic. That alone should tip off the vast majority that it is bogus.

And since it is targeting "embassy officials and government finance authorities globally" -- I would think a fair number of them would understand that Top Secret documents are never sent on the internet.

But... it's always surprising how much of this stuff works.
 

upnorth

This was highly interesting information, and especially considering the same software was used as the entry point on the CCleaner hack 2017.
Thanks for the share @silversurfer