Trojanized TeamViewer used in government, embassy attacks across Europe
A new, targeted attack weaponizing TeamViewer has been uncovered which focuses on stealing financial information belonging to governmental and financial targets across Europe and beyond.
Researchers from Check Point said on Monday that the campaign is specifically targeting officials in government finance capacities and embassy representatives in Europe, alongside Nepal, Kenya, Liberia, Lebanon, Guyana, and Bermuda.
The infection vector begins with a typical phishing email containing a malicious attachment claiming to be a “Top Secret” document from the United States.
The email sent to potential victims contains the subject line “Military Financing Program” and the .XLSM document attached to the message has been crafted with a logo from the US Department of State in a bid to appear legitimate.
If a target downloads and opens the attachment, they are asked to enable macros — a very common method employed by attackers to gain access to a victim system. Should they do so, two files are extracted — a legitimate AutoHotkeyU32.exe program and a malicious TeamViewer DLL.
The AutoHotkeyU32 program is used to send a POST request to the attacker’s command-and-control (C2) server, as well as download AHK scripts able to take a screenshot of the target PC and steal computer information which is then sent to the C2.
TeamViewer is legitimate software often used in the enterprise to retain remote access to PCs and to share desktops. However, given its abilities, the software is also unfortunately used by both cyberattackers and scammers at large to gain fraudulent access to systems.
In this case, the software has been weaponized. The malicious variant is executed via DLL side-loading and contains modified functionality including hiding the TeamViewer interface — so victims do not know that the software is running — the ability to save TeamViewer session credentials to a text file and both the transfer and execution of additional .EXE and .DLL files.
This opens up victim systems to data theft, covert surveillance, and potentially the compromise of online accounts. As the government entities targeted were often based in finance, this suggests the threat actors are financially rather than potentially politically motivated.
The campaign’s major targets are public financial sector players and the scheme has been linked to past attacks believed to be the work of the same threat group.
All examples implemented a trojanized version of TeamViewer but the initial attack vector has changed. In 2018, for example, self-extracting archives were used rather than AutoHotKey-enabled malicious documents. Decoy images, including content which was stolen from Kazakhstan’s Ministry of Foreign Affairs and adapted, were in use. Evidence from past campaigns also suggests that Russian speakers were being targeted.
In addition, the malicious TeamViewer DLL has been adapted over time, switching from basic information theft to the more modern C2 infrastructure.
TechRepublic: The 5 most hacked passwords
The researchers say that there is evidence of the threat actor behind the campaign as being Russian, due to the link of an avatar connected to a Russian underground forum user known as EvaPiks.
It is believed the threat actor is, at the least, the developer of the tools used in the campaign and the history of the hacker in question points to underground carding — the exploitation and exchange of stolen financial information, such as credit card data.
According to the US Department of Justice (DoJ), carding has evolved in recent years (.PDF) to facilitate not only financial fraud but also to fund terrorism and drug trafficking.