Pierluigi Paganini
February 20, 2017
Security experts from Heimdal Security have uncovered a new spam campaign emerged over the weekend. The crooks used the notorious TeamSpy malware to gain full access to the target computers.
It’s a long time we have no news about the TeamSpy malware, it made the headlines in 2013 when security researchers at Hungary-based CrySyS Lab discovered a decade-long cyber espionage campaign that targeted high-level political and industrial entities in Eastern Europe.
The attackers, dubbed by security researchers TeamSpy, used the popular remote-access program TeamViewer and a specially crafted malware to steal secret documents and encryption keys from victims.
Back to the present, the last wave of attacks exploited social engineering attacks to trick victims into installing the TeamSpy malware.
Malware authors used DLL hijacking to execute unauthorized actions through legitimate software.
The attach chain starts with spam email using the .zip file attachments such as:
Fax_02755665224.zip -> Fax_02755665224.EXE
When the victim opens the zip archive it executes the accompanying .exe file which drops the TeamSpy malware onto the victim’s computer, as a malicious DLL:
[% APPDATA%] \ SysplanNT \ MSIMG32.dll. That library then recorded via C: \ Windows \ system32 \ regsvr32. exe “/ s” [% APPDATA%] \ SysplanNT \ MSIMG32.dll
According to the researchers, the TeamSpy malware includes various components in the otherwise legitimate TeamViewer application, two of them are keylogger and a TeamViewer VPN.
The attacks discovered by Heimdal security are very insidious for victims that will be not able to detect them.
“Given how the TeamSpy infection happens, it is clear that a TeamViewer session started by the attackers will be invisible to the victim. This can lead to numerous forms of abuse against the services that the logged in user runs on his/her computer.” states the analysis shared by Heimdal Security.
“This attack can also circumvent two-factor authentication and can also give cybercriminals access to encrypted content which is unencrypted by the users on their compromised computers.”
At the time I was writing the majority of Antivirus software is not able to detect this variant of the TeamSpy malware, it has a detection rate of 15/58 on VirusTotal.
As usual, let me suggest to avoid opening unwanted emails that you receive and that you don’t open email attachments from unknown senders.
“We highly recommend that you carefully analyze unwanted emails that you receive and that you don’t download email attachments from unknown senders. Malware can disguise itself in many forms on the web, and all it takes is one click to trigger an infection.” concluded the analysis.
I was contacted by a TeamViewer spokesman that confirmed me the absence of a flaw in the company software
“The outlined scenario is a post-exploitation action; so, the preceding malware infection is the real threat.We have no evidence to assume a vulnerability of our software. In fact, it is worth highlighting as Heimdal’s Security Evangelist, Andra Zaharia, stresses in her blog post: “[W]e have to mention that TeamViewer has not been compromised and is entirely safe to use […] ” said the spokesman.
Below the standard recommendations to avoid the infection:
[adrotate banner=”9″]
(Security Affairs – cyber espionage, Teamspy malware)
