Teamviewer is the best-known tool for remote desktop control, desktop sharing, online meetings, web conferencing and file transfer. Based on the entire infection chain and the instruments designed and used for this attack, subterranean activities make the researchers believe that the attack was carried out by a financially motivated Russian-speaking hacker. Recent malicious campaign continually uses TeamViewer to provide powerful malware that Steals sensitive data and money from diverse government and financial networks with malicious Team Viewer DLL.
Weaponized TeamViewer Infected Chain
The initial stage of the infection chain starts by sending a spam mail to the attached malicious XLSM document containing integrated macros in the “Military Financing Programme.” As the US Department of State, it is a well-crafted malicious document that is a top secret to persuade the victims to open it. Once the victims open the macro decoy document, the XLSM document extracts two files from the hex-encoded cells. First is a legitimate AutoHotkeyU32.exe program, the second is an AutoHotkeyU32.ahk that is an AHK script for communicating with the C&C server and downloading and executing the additional script.
There are three malicious AHK scripts which can carry out different activities, In this case, threat protagonists using the TeamViewer DLL side loading technology (htv.ahk) and this technique allows attackers to add more functionality to the TeamViewer. Use this technique to prevent attackers from seeing the TeamViewer interface and to save current session credentials of TeamViewer to a text file, enabling them to transfer and execute additional EXE o DLL files.
Remote demonstration of payload execution According to Checkpoint Research, once a malicious TeamViewer provides remote access, one of the first uses of AutoHotKey Scripts is to upload a screenshot from the affected PC. Based on the Telemetry Record, this attack targets countries such as Nepal, Guyana, Kenya, Italy, Liberia, Bermuda, Lebanon, public sector finances and public officials. Indicator of Compromise DLLs 013e87b874477fcad54ada4fa0a274a2 799AB035023B655506C0D565996579B5 e1167cb7f3735d4edec5f7219cea64ef 6cc0218d2b93a243721b088f177d8e8f aad0d93a570e6230f843dcdf20041e1e 1e741ebc08af09edc69f017e170b9852 c6ae889f3bee42cc19a728ba66fa3d99 1675cdec4c0ff49993a1fcbdfad85e56 72de32fa52cc2fab2b0584c26657820f 44038b936667f6ce2333af80086f877f Documents 4acf624ad87609d476180ecc4c96c355 4dbe9dbfb53438d9ce410535355cd973 C&Cs 1c-ru[.]net/check/license intersys32[.]com/3307/ 146.0.72[.]180/3307/ 146.0.72[.]180/newcpanel_gate/gate.php 185.70.186[.]145/gate.php 185.70.186[.]145/index.php 193.109.69[.]5/3307/gate.php 193.109.69[.]5/9125/gate.php