• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Malware   »   Unsupported TeamViewer Versions Exploited For Backdoors, Keylogging

Unsupported TeamViewer Versions Exploited For Backdoors, Keylogging

  • Posted on:June 15, 2016 at 2:55 am
  • Posted in:Malware, Spam
  • Author:
    Trend Micro
0

Users of the TeamViewer remote-access service have been complaining in recent weeks about how their systems have been hacked into, unauthorized purchases made on their cards, their bank accounts emptied. Initially it was believed that this was due to a hack into TeamViewer itself, but the company has denied this. Instead, they have blamed password re-use, especially with millions of old passwords in the wild thanks to disclosed social network breaches.

Others have speculated that malware could be in use somehow, and that may be the case. We have evidence that trojanized TeamViewer installer packages have been used in a spam campaign that resulted in attackers gaining remote access to various systems. While this particular spam campaign used an old version of TeamViewer, we can’t dismiss the possibility of other attacks using newer versions.

This spam campaign targeted users in Italy, using a variety of subject lines such as the following (English translation in parenthesis):

  • Accesso dati (Data access)
  • Il tuo ID e stato usato (Your ID was used)
  • Prova gratuita 30 giorni (Free 30-day trial)
  • Conferma dell’ordine (Order conformation)
  • Il tuo conto informazione (Your account information)
  • Finanziamento?????? (Financing)

A simple .JS (JavaScript) file was attached to these messages; when run this file downloads various files onto the system:

  • A keylogger, detected as TSPY_DRIDEX.YYSUV
  • A “Trojanized” version of TeamViewer, detected as BKDR_TEAMBOT.MNS.
  • A batch file which executed the above two items, then deletes itself

This particular Trojanized version that the malware installs is very old – version 6.0.17222.0. TeamViewer 6 was first released in December 2010 and was superseded by version 7 in November 2011. Secondly, it is installed in an unusual location: %APPDATA%\Div. (Some variants installed their copy into %APPDATA%/Addins instead.) This behavior is consistent across all the various permutations of this attack we have seen.

This version of TeamViewer was Trojanized, but not by modifying the legitimate version. Instead, it includes an additional DLL – avicap32.dll. (This malicious DLL is detected as BKDR_TEAMBOT.DLL.) In a classic case of DLL search order hijacking; the legitimate TeamViewer applications loads two functions from this DLL; the legitimate version of which is a part of Windows. However, the presence of the malicious version allows an attacker to take control of the TeamViewer application.

This particular campaign targeted users in Italy for a month, ample time to gather all of a victim’s usernames and passwords. The presence of a Trojanized TeamViewer version raises the possibility that a newer version may exist in the wild and account for some of the recent attacks.

One more thing to note is that the TeamViewer administrators may be able to limit the damage of old versions. All TeamViewer connections are initially mediated by company servers. It may be possible for connections from these unsupported versions to be disconnected at this handshake stage, preventing any malicious use from progressing. It would unfortunately also cut out any users of these old versions.

Trend Micro endpoint solutions such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free™ Business Security can protect users and SMBs from this threat by detecting malicious files, and spammed messages as well as blocking all related malicious URLs. On the other hand, our Trend Micro Deep Discovery has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs.

The following hashes are related to this attack:

  • 0660CADEF21D2061E776E4BCAA6AA4FB48A778BE
  • 14ABFE0FC2F84EB42177BE430AF72A291850F486
  • 1AC5E11A48AA2162C6CD175403C7BFAF497000C0
  • 3580F6974CBC30F6FC1C668EE2FEE6ED0C796B03
  • 411ED021388DA1DA572529BA5AD6073761992800
  • 47F539B76BEBE683B3ABEE001AE0605EC1ED4F25
  • 4A2A77EB7B7C323E7F68ACF91014EC135C7B020F
  • 4D68BE91DEE6291F3086F50599BBFF0DAF1B6509
  • 5D47CD2D12DC6FDD49E2C14DFBDDBA17035A27B6
  • 7CB82E53D9E803D2B5C98841E30411AD75C4866A
  • 836446903F97A38EC4720299BA9D99CBAAFB31CE
  • 8AD8A31A44FB65C6B3557F0A3AB9024B87994C0F
  • 9521E5BDFE8EE780DE04979FDB450873227D7867
  • 96C3BB27C89FC9C4ACF7AD9F89C3E06CF4F033F3
  • 98D63628220AC630DFD0FD1033914473DB1D7306
  • 9D9F80A1100914F5083DE5040B1B71C6EAD2DCF0
  • AC5F7D9312BDAE4F82615333F939F92C78995F83
  • B204D3EE95E83793EB9D3B1ACF89FB6726B6315F
  • BFE8F9FEC531CF6D8AA23BD6B3B9ED85E46003E2
  • C69A19298CAED379A1063593ACA25A0432E4D0FE
  • E841CE2EF5847A87131EA1D9CBA135ED92D68E82
  • F08BF9D0B028005090434983D78624D048CFBF42
  • F2EC9C134AE52418DC6251FA7D2EF6E4F86C39CC
Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»

Featured Stories

  • systemd Vulnerability Leads to Denial of Service on Linux
  • qkG Filecoder: Self-Replicating, Document-Encrypting Ransomware
  • Mitigating CVE-2017-5689, an Intel Management Engine Vulnerability
  • A Closer Look at North Korea’s Internet
  • From Cybercrime to Cyberpropaganda

Security Predictions for 2019

  • Our security predictions for 2019 are based on our experts’ analysis of the progress of current and emerging technologies, user behavior, and market trends, and their impact on the threat landscape. We have categorized them according to the main areas that are likely to be affected, given the sprawling nature of the technological and sociopolitical changes under consideration.
    Read our security predictions for 2019.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • (Almost) Hollow and Innocent: Monero Miner Remains Undetected via Process Hollowing
  • Waterbear is Back, Uses API Hooking to Evade Security Product Detection
  • December Patch Tuesday: Vulnerabilities in Windows components, RDP, and PowerPoint Get Fixes
  • Obfuscation Tools Found in the Capesand Exploit Kit Possibly Used in “KurdishCoder” Campaign
  • Mobile Cyberespionage Campaign Distributed Through CallerSpy Mounts Initial Phase of a Targeted Attack

Popular Posts

  • Mac Backdoor Linked to Lazarus Targets Korean Users
  • More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting
  • New Magecart Attack Delivered Through Compromised Advertising Supply Chain
  • September Patch Tuesday Bears More Remote Desktop Vulnerability Fixes and Two Zero-Days
  • Microsoft November 2019 Patch Tuesday Reveals 74 Patches Before Major Windows Update

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.