TeamViewer is a remote-access and remote-control program that lets IT teams connect to and administer the devices of enterprise employees; it also offers file transfer and communication features. Unfortunately, the same capabilities that make it a powerful enterprise tool also make it popular with cybercriminals, and TeamViewer has in fact been used in a range of criminal operations, from account-abuse hacking to phishing schemes. Recently, we investigated another case of misuse.
On January 20, a security researcher going by FewAtoms spotted a malicious URL in the wild. The URL is an open directory that leads would-be victims to a malicious self-extracting archive. On further analysis, we found that the archive carries trojan spyware (detected by Trend Micro as TROJANSPY.WIN32.TEAMFOSTEALER.THOABAAI) that is disguised as TeamViewer and gathers and steals data. If downloaded and executed on a victim's device, the trojan spy creates the folder %User Temp%\PmIgYzA and drops the following files:
%User Temp%\PmIgYzA\TV.dll (malicious payload)
%User Startup%\Gateway Layer 1.3957.lnk (shortcut link to dropped TeamViewer.exe)
It also drops some non-malicious files, including the TeamViewer.exe that the shortcut above points to:
(Note: %User Temp% is the current user's Temp folder; %User Startup% is the current user's Startup folder)
Figure 1. Files dropped by the Trojan spyware
After arriving on the victim's system, the malware runs the TeamViewer.exe file, which in turn loads the malicious DLL %User Temp%\PmIgYzA\TV.dll. This is DLL side-loading: the malicious code executes under the name of the legitimate executable, which makes it less conspicuous to users and to simple process-name checks. The trojan spyware then gathers user and device data (listed below) and connects to hxxp://intersys32[.]com to send and receive this information.
Presence of AV Products
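The behaviour described above (a legitimate-looking TeamViewer.exe in a user temp folder loading an unsigned TV.dll, a .lnk dropped into the Startup folder, and a connection to the intersys32 host) is visible in endpoint telemetry. The following is an added example of hunting rules for those three observations, written for this article; it is not Trend Micro's or TeamViewer's code. It assumes Sysmon-style event fields (Event ID 7 image load, Event ID 11 file create, Event ID 3 network connection). The sample records, the username "victim", the archive name "setup.exe", the benign "Helper.dll" and the destination port are constructed for illustration; the only indicator taken from the write-up is the intersys32.com hostname and the PmIgYzA\TV.dll and Startup .lnk paths.

```python
"""Hunting rules for the trojanized-TeamViewer pattern described above.

Added example, not vendor code. Runs offline over constructed Sysmon-style
records embedded below (field names follow the Sysmon schema; the values are
made up, apart from the paths and hostname the write-up names).
"""
import re

# Indicator from the write-up (defanged there as hxxp://intersys32[.]com).
IOC_HOSTS = {"intersys32.com"}

# User-writable locations an installed TeamViewer has no reason to load code
# from. Heuristic chosen for this example, not a vendor-maintained list.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads)\\",
    re.IGNORECASE,
)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)

# Constructed sample telemetry (not real captures). Record 0 is benign.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "ImageLoaded": r"C:\Program Files\TeamViewer\Helper.dll",  # constructed name
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Local\Temp\PmIgYzA\TeamViewer.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\PmIgYzA\TV.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 11, "Image": r"C:\Users\victim\Downloads\setup.exe",  # constructed SFX name
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\Gateway Layer 1.3957.lnk"},
    {"EventID": 3, "Image": r"C:\Users\victim\AppData\Local\Temp\PmIgYzA\TeamViewer.exe",
     "DestinationHostname": "intersys32.com", "DestinationPort": 80},  # port constructed
]


def side_loaded_dll(ev):
    """Event ID 7: a DLL loaded from a user-writable directory without a valid
    Authenticode signature. In the case above this is TV.dll loaded by the
    dropped TeamViewer.exe from %User Temp%\\PmIgYzA."""
    if ev.get("EventID") != 7:
        return None
    loaded = ev.get("ImageLoaded", "")
    if not loaded.lower().endswith(".dll") or not USER_WRITABLE.search(loaded):
        return None
    if ev.get("Signed", "").lower() == "true" and ev.get("SignatureStatus") == "Valid":
        return None
    return f"{ev.get('Image')} loaded unsigned DLL {loaded}"


def startup_shortcut(ev):
    """Event ID 11: a .lnk written into the per-user Startup folder, the
    persistence mechanism the write-up describes. Any writer is reported;
    triage the creating process and the shortcut target by hand."""
    if ev.get("EventID") != 11:
        return None
    target = ev.get("TargetFilename", "")
    if not STARTUP_LNK.search(target):
        return None
    return f"{ev.get('Image')} wrote Startup shortcut {target}"


def known_c2(ev):
    """Event ID 3: outbound connection to a hostname from the indicator list."""
    if ev.get("EventID") != 3:
        return None
    host = ev.get("DestinationHostname", "").lower().rstrip(".")
    if host not in IOC_HOSTS:
        return None
    return f"{ev.get('Image')} connected to known C2 {host}:{ev.get('DestinationPort')}"


RULES = {
    "dll_sideload": side_loaded_dll,
    "startup_persistence": startup_shortcut,
    "c2_contact": known_c2,
}


def detect(events):
    """Return (rule_name, detail) for every event that trips a rule."""
    alerts = []
    for ev in events:
        for name, rule in RULES.items():
            hit = rule(ev)
            if hit:
                alerts.append((name, hit))
    return alerts


if __name__ == "__main__":
    for name, detail in detect(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

The side-loading rule is deliberately broad (any unsigned DLL loaded from Temp, Roaming or Downloads) because the malicious DLL name is trivially changed between campaigns; expect some noise from installers and tune by excluding known-good packages rather than by matching on TV.dll. The hostname match, by contrast, is exact and only catches this particular infrastructure.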
Digging into the site revealed other malware connected to that particular URL, such as the trojan CoinSteal and another information stealer and malware dropper called Fareit. This could hint at a bigger operational campaign of trojan spyware.
Figure 2. Malware connected to the intersys32 URL
Prevention and Solution
This type of TeamViewer misuse is not new. As far back as 2016, malware developers were using the tool to deliver backdoors and keyloggers in the same way: a malicious DLL was added to a legitimate copy of the software so that it would be loaded on the victim's device. In 2017, a published report also showed TeamViewer being used to control an infected machine, not merely as a malware loader.
Given these possibilities for abuse and the recent schemes that deliver malware disguised as legitimate software, users should secure their endpoints with multilayered protection.
The following Trend Micro products can protect users from this threat:
The malware described in this article is not the official TeamViewer software. It is a modified, pirated version of the software. It is strongly recommended to download the software only from the official TeamViewer website. Obtaining software from a reputable source is the best way to protect against threats like the trojan spyware described here. TeamViewer recommends always using the latest version of its software in order to benefit from the latest security precautions.