TeamSpy malware is back, it transforms TeamViewer into a spying software

Security experts from Heimdal Security discovered a new spam campaign over the weekend leveraging the TeamSpy malware to spy in victims.

Security experts from Heimdal Security have uncovered a new spam campaign emerged over the weekend. The crooks used the notorious TeamSpy malware to gain full access to the target computers.

It’s a long time we have no news about the TeamSpy malware, it made the headlines in 2013 when security researchers at Hungary-based CrySyS Lab discovered a decade-long cyber espionage campaign that targeted high-level political and industrial entities in Eastern Europe.

The attackers, dubbed by security researchers TeamSpy, used the popular remote-access program TeamViewer and a specially crafted malware to steal secret documents and encryption keys from victims.

Back to the present, the last wave of attacks exploited social engineering attacks to trick victims into installing the TeamSpy malware.

Malware authors used DLL hijacking to execute unauthorized actions through legitimate software.

The attach chain starts with spam email using the .zip file attachments such as:

Fax_02755665224.zip -> Fax_02755665224.EXE

When the victim opens the zip archive it executes the accompanying .exe file which drops the TeamSpy malware onto the victim’s computer, as a malicious DLL:

[% APPDATA%] \ SysplanNT \ MSIMG32.dll. That library then recorded via C: \ Windows \ system32 \ regsvr32. exe “/ s” [% APPDATA%] \ SysplanNT \ MSIMG32.dll

According to the researchers, the TeamSpy malware includes various components in the otherwise legitimate TeamViewer application, two of them are keylogger and a TeamViewer VPN.

The attacks discovered by Heimdal security are very insidious for victims that will be not able to detect them.

“Given how the TeamSpy infection happens, it is clear that a TeamViewer session started by the attackers will be invisible to the victim. This can lead to numerous forms of abuse against the services that the logged in user runs on his/her computer.” states the analysis shared by Heimdal Security.

“This attack can also circumvent two-factor authentication and can also give cybercriminals access to encrypted content which is unencrypted by the users on their compromised computers.”

At the time I was writing the majority of Antivirus software is not able to detect this variant of the TeamSpy malware, it has a detection rate of 15/58 on VirusTotal.

TeamSpy malware

As usual, let me suggest to avoid opening unwanted emails that you receive and that you don’t open email attachments from unknown senders.

“We highly recommend that you carefully analyze unwanted emails that you receive and that you don’t download email attachments from unknown senders. Malware can disguise itself in many forms on the web, and all it takes is one click to trigger an infection.” concluded the analysis.

Pierluigi Paganini

(Security Affairs – cyber espionage, Teamspy malware)

The post TeamSpy malware is back, it transforms TeamViewer into a spying software appeared first on Security Affairs.

Source: Security Affairs @ February 20, 2017 at 08:02AM

0
Share