Researchers noticed a new cyber attack wave of Russian speaker hackers who use the armed TeamViewer to jeopardize government network systems and gain full control over them.
Teamviewer is the best-known tool for remote desktop control, desktop sharing, online meetings, web conferencing and file transfer.
Based on the entire infection chain and the instruments designed and used for this attack, subterranean activities make the researchers believe that the attack was carried out by a financially motivated Russian-speaking hacker.
Recent malicious campaign continually uses TeamViewer to provide powerful malware that Steals sensitive data and money from diverse government and financial networks with malicious Team Viewer DLL.
Weaponized TeamViewer Infected Chain
The initial stage of the infection chain starts by sending a spam mail to the attached malicious XLSM document containing integrated macros in the “Military Financing Programme.”
As the US Department of State, it is a well-crafted malicious document that is a top secret to persuade the victims to open it.
Once the victims open the macro decoy document, the XLSM document extracts two files from the hex-encoded cells.
First is a legitimate AutoHotkeyU32.exe program, the second is an AutoHotkeyU32.ahk that is an AHK script for communicating with the C&C server and downloading and executing the additional script.
There are three malicious AHK scripts which can carry out different activities,
- hscreen.ahk: Takes a screenshot of the victim’s PC and uploads it to the C&C server.
- hinfo.ahk: send username and computer information of the victim to the C&C server.
- htv.ahk: download TeamViewer malicious version, run it and send the C&C server login credentials.
In this case, threat protagonists using the TeamViewer DLL side loading technology (htv.ahk) and this technique allows attackers to add more functionality to the TeamViewer.
Use this technique to prevent attackers from seeing the TeamViewer interface and to save current session credentials of TeamViewer to a text file, enabling them to transfer and execute additional EXE o DLL files.
Remote demonstration of payload execution
According to Checkpoint Research, once a malicious TeamViewer provides remote access, one of the first uses of AutoHotKey Scripts is to upload a screenshot from the affected PC.
Based on the Telemetry Record, this attack targets countries such as Nepal, Guyana, Kenya, Italy, Liberia, Bermuda, Lebanon, public sector finances and public officials.
Indicator of Compromise