rush of cyber-attacks from a Russian speaking hacker has been recently
discovered by researchers and distinguished as one who utilizes the weaponized
TeamViewer, the most mainstream and popular device used for remote desktop
control, desktop sharing, online gatherings, web conferencing as well as record
exchange between computers, to compromise and deal with the Government network
malignant campaign ceaselessly utilizes TeamViewer by adding TeamViewer DLL in
order to deliver powerful malware that steals sensitive data and money from the
various governments with addition to the financial systems.
the whole infection chain, the tools created and utilized in this attack, the
underground activity influences the analysts to believe that the attack was led
by a financially inspired Russian speaking hacker.
underlying phase of this infection chain begins by delivering a spam email
under the subject of “Military Financing Program” with the attached
malevolent XLSM document with installed macros.
well-crafted malevolent document acted like the U.S Department of State which
is marked as “top secret” persuading the victims to open it. When the
victims open that ‘decoy document’ and empower the macro, there are two files
extricated from the hex encoded cells in the XLSM document.
one is a legitimate AutoHotkeyU32.exe program, the second one on the other hand
is an AutoHotkeyU32.ahk which is also an AHK script to communicate with C&C
server to download the additional script and execute it.
using this strategy, attackers concealing the TeamViewer interface from the
users view, sparing the current TeamViewer session credentials to a text file
and allows the exchange and execution of extra EXE o DLL documents
In light of
the Telemetry record, this attack is said to be focusing on nations including
Nepal, Guyana, Kenya, Italy, Liberia, Bermuda, Lebano public financial sector
in addition to the government officials.