IMPORTANT: Backdoor Trojan Uses TeamViewer Components to Spy on PCs in Europe, Russia, US

If you are still using LogicNow/GFI, you or your clients are probably susceptible to this Trojan.

MspPortal Partners' new RMM product uses the commercial version of TeamViewer, not the stripped-down version, and is not affected by this.

Aug 16, 2016 12:29 GMT  ·  By Catalin Cimpanu

A new trojan called BackDoor.TeamViewerENT.1 is using parts of the legitimate TeamViewer application to allow crooks to spy on infected systems.

The concept is not new by any means, and crooks employed TeamViewer in the past, when they packaged the legitimate app alongside their malware and used it to transform the user’s PC into a web proxy.

That particular trojan, BackDoor.TeamViewer.49, did not allow the crooks to steal anything, only to spy on traffic, but this newer variant does, according to Dr.Web security researchers.

In fact, the two variants seem to be related because they both use stripped-down versions of the TeamViewer application, where they replace the avicap32.dll file with a malicious version that loads the trojan's malicious features.

“Trojan includes many self-defense mechanisms”

The infection process revolves around users installing applications, where the stripped-down TeamViewer version is also installed without their knowledge.

Whenever this modified TeamViewer version starts, avicap32.dll is loaded by default, since it is a DLL TeamViewer always loads. Crooks modified this DLL to include the BackDoor.TeamViewerENT trojan, which gets loaded into the computer's memory without needing any further files on disk to function. This fileless operation mode makes antivirus detection harder.

The modified DLL also contains functions to suppress any TeamViewer error messages, a functionality included to avoid giving away the trojan’s presence.

Another odd feature is that, whenever the user starts the Windows Task Manager or Process Explorer, the trojan automatically shuts down its parent TeamViewer process to avoid being seen by the victim in the process list.
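As an added defender-side example (this script is not from the Softpedia article, Dr.Web's write-up or TeamViewer), the PowerShell below looks for the two observable traces the article describes: a copy of avicap32.dll sitting outside the Windows system directories, in particular next to TeamViewer.exe, and an avicap32.dll module loaded into a running TeamViewer process from such a location. The search roots, output fields and function names are my own choices; the hashes and signer it prints are whatever it finds on the machine, not indicators from the article.

```powershell
# Added example, not from the article: look for avicap32.dll planted beside TeamViewer.
# Windows normally provides avicap32.dll from System32/SysWOW64; a copy sitting in an
# application folder is what a DLL search-order hijack of the kind described above looks like.
$systemDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

# On-disk check: every avicap32.dll under the given roots that is not in a system directory.
function Test-SideloadedAvicap {
    param(
        # Search roots are an assumption; add the paths your RMM agent actually installs to.
        [string[]]$SearchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)},
                                   $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP)
    )
    $findings = @()
    foreach ($root in ($SearchRoots | Where-Object { $_ -and (Test-Path $_) })) {
        Get-ChildItem -Path $root -Filter 'avicap32.dll' -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $systemDirs -notcontains $_.DirectoryName } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                $findings += [pscustomobject]@{
                    Path               = $_.FullName
                    SizeBytes          = $_.Length
                    SigStatus          = $sig.Status
                    Signer             = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                    Sha256             = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                    # True when the DLL sits in the same folder as TeamViewer.exe: the hijack layout.
                    TeamViewerNextToIt = Test-Path (Join-Path $_.DirectoryName 'TeamViewer.exe')
                }
            }
    }
    return $findings
}

# In-memory check: which avicap32.dll did each running TeamViewer process actually load?
function Get-TeamViewerLoadedAvicap {
    Get-Process -Name 'TeamViewer*' -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try {
            $proc.Modules | Where-Object { $_.ModuleName -ieq 'avicap32.dll' } | ForEach-Object {
                [pscustomobject]@{
                    ProcessId     = $proc.Id
                    ProcessPath   = $proc.Path
                    ModulePath    = $_.FileName
                    FromSystemDir = ($systemDirs -contains (Split-Path $_.FileName -Parent))
                }
            }
        } catch {
            # Module enumeration fails across 32/64-bit boundaries or without sufficient rights.
            Write-Warning "Could not enumerate modules of PID $($proc.Id): $_"
        }
    }
}

Test-SideloadedAvicap      | Format-Table -AutoSize
Get-TeamViewerLoadedAvicap | Format-Table -AutoSize
```

Because the article says the trojan kills its host process as soon as Task Manager or Process Explorer starts, run the in-memory check from a script or remote session before opening either tool; the on-disk check is unaffected by that behaviour. A hit with FromSystemDir set to False, or an unsigned avicap32.dll next to TeamViewer.exe, is what to escalate for a full look at the host.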

“Backdoor trojan includes lots of RAT-looking features”

After this, BackDoor.TeamViewerENT.1 begins to behave like a regular backdoor. It starts communicating with its C&C server, from where it receives various types of commands.

The trojan includes the ability to restart or turn off the computer, remove or relaunch its parent TeamViewer process, listen to conversations via the microphone, access the webcam, download and execute files, run command-line instructions, or connect to specified remote servers.

As you can see, these are full-on RAT features. Additionally, Dr.Web says it detected a campaign where crooks used the trojan to download and install other malware like keyloggers and password stealers.

During their investigation, security researchers found the trojan was very active, especially targeting Russian users, but also users in the UK, Spain, and the US. Attackers switched focus to US targets in August, says the security vendor.

Some of this trojan’s other names are Spy-Agent, TVSPY, TVRAT, or Teamspy. Last week, Kaspersky detected that the criminal group delivering the Shade ransomware also integrated this trojan in their distribution channel.

Crooks were using it to spy on infected targets and see if they were valuable targets. Kaspersky says the crooks specifically focused on accounting departments at Russian-speaking companies.

TeamViewer, which is a legitimate application, is not the only application that’s been abused by cyber-criminals in the past month.

The same happened to LogMeIn, another remote desktop utility, which crooks used together with the PosCardStealer PoS malware. The criminal group was hacking into computers that had LogMeIn installed and leaving their PoS malware behind.

Managed Service Provider for the following products:
MspPortal Partners Inc. Software Family
MspEncryptMail | MspSecureMail | MspMailfilter | MspAntivirus | MspManagedNetwork | MspSecureBackup | MspSecureDoc

Roy Miehe | MspPortal Partners Inc. | Ceo/President  Where Service and Technical Skills Count
