Users of the TeamViewer remote-access service have been complaining in recent weeks that their systems have been hacked into, unauthorized purchases made with their cards, and their bank accounts emptied. Initially it was believed that this was due to a breach of TeamViewer itself, but the company has denied this. Instead, it has blamed password reuse, especially with millions of old passwords in the wild thanks to disclosed social network breaches.
Others have speculated that malware could be involved somehow, and that may be the case. We have evidence that Trojanized TeamViewer installer packages have been used in a spam campaign that gave attackers remote access to various systems. While this particular spam campaign used an old version of TeamViewer, we can't dismiss the possibility of other attacks using newer versions.
This spam campaign targeted users in Italy, using a variety of subject lines such as the following (English translation in parentheses):
- Accesso dati (Data access)
- Il tuo ID e stato usato (Your ID was used)
- Prova gratuita 30 giorni (Free 30-day trial)
- Conferma dell'ordine (Order confirmation)
- Il tuo conto informazione (Your account information)
- Finanziamento?????? (Financing)
The malware that these messages delivered consisted of three components:
- A keylogger, detected as TSPY_DRIDEX.YYSUV
- A Trojanized version of TeamViewer, detected as BKDR_TEAMBOT.MNS
- A batch file that executes the above two items and then deletes itself
The Trojanized version that the malware installs is very old: version 6.0.17222.0. TeamViewer 6 was first released in December 2010 and was superseded by version 7 in November 2011. It is also installed in an unusual location: %APPDATA%\Div. (Some variants installed their copy into %APPDATA%\Addins instead.) This behavior is consistent across all the permutations of this attack we have seen.
This version of TeamViewer was Trojanized not by modifying the legitimate executable but by bundling an additional DLL, avicap32.dll, alongside it. (This malicious DLL is detected as BKDR_TEAMBOT.DLL.) This is a classic case of DLL search order hijacking: the legitimate TeamViewer application imports two functions from avicap32.dll, a library that is normally part of Windows, and because the loader searches the application's own directory before the system directories, the malicious copy placed next to TeamViewer.exe is loaded instead of the legitimate one. Once its code is running inside the TeamViewer process, the attacker controls the application.
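To make the two observations above concrete (an installation under %APPDATA% and a system DLL planted beside the executable), here is an added example, not code from the original post or from TeamViewer or Trend Micro. It models the default Windows DLL search order (SafeDllSearchMode enabled) over a constructed list of file paths standing in for a filesystem snapshot, and flags an import that resolves to a copy other than the one in System32. The `KNOWN_DLLS` set is a small subset of the real KnownDLLs list and is an assumption of the example, as is the fake file listing; the function and class names are the author's own, not any Windows API.

```python
"""Simulate the Windows DLL search order to spot a search-order hijack.

Added example (not from the original post). Models the default load-time
search order with SafeDllSearchMode enabled, for a DLL that is NOT on the
KnownDLLs list:
  1. the directory of the executable
  2. the System32 directory
  3. the 16-bit System directory
  4. the Windows directory
  5. the current working directory
  6. each directory in PATH
DLLs on the KnownDLLs list are always taken from System32, so a planted
copy of one of those next to the executable is ignored by the loader.
"""
from dataclasses import dataclass
import ntpath

WINDOWS_DIR = r"C:\Windows"
SYSTEM32_DIR = ntpath.join(WINDOWS_DIR, "System32")
SYSTEM_DIR = ntpath.join(WINDOWS_DIR, "System")
# Assumption: a small subset of the real KnownDLLs registry list.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll", "ntdll.dll"}


@dataclass(frozen=True)
class Finding:
    dll: str          # imported DLL name
    loaded_from: str  # path the loader would actually pick
    expected: str     # where the legitimate system copy lives


def search_order(exe_path, cwd, path_dirs):
    """Directories in the order the loader consults them."""
    return [ntpath.dirname(exe_path), SYSTEM32_DIR, SYSTEM_DIR,
            WINDOWS_DIR, cwd, *path_dirs]


def resolve_dll(dll, exe_path, fs, cwd, path_dirs=()):
    """Return the path the loader would pick for `dll`, or None if absent."""
    present = {p.lower() for p in fs}
    if dll.lower() in KNOWN_DLLS:
        # KnownDLLs bypass the search: only the System32 copy is used.
        candidate = ntpath.join(SYSTEM32_DIR, dll)
        return candidate if candidate.lower() in present else None
    for directory in search_order(exe_path, cwd, path_dirs):
        candidate = ntpath.join(directory, dll)
        if candidate.lower() in present:
            return candidate
    return None


def in_user_profile(path):
    """True if a path sits under a per-user AppData tree (user-writable)."""
    return "\\appdata\\" in path.lower()


def find_hijacks(exe_path, imports, fs, cwd, path_dirs=()):
    """Flag imports that resolve somewhere other than the System32 copy."""
    present = {p.lower() for p in fs}
    findings = []
    for dll in imports:
        winner = resolve_dll(dll, exe_path, fs, cwd, path_dirs)
        system_copy = ntpath.join(SYSTEM32_DIR, dll)
        if (winner and system_copy.lower() in present
                and winner.lower() != system_copy.lower()):
            findings.append(Finding(dll, winner, system_copy))
    return findings


# Constructed filesystem snapshot mirroring the layout described in the post.
SAMPLE_FS = [
    r"C:\Users\bob\AppData\Roaming\Div\TeamViewer.exe",
    r"C:\Users\bob\AppData\Roaming\Div\avicap32.dll",   # planted copy
    r"C:\Windows\System32\avicap32.dll",                # legitimate copy
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\bob\AppData\Roaming\Div\kernel32.dll",   # planted, but a KnownDLL
]


def demo():
    """Run the check against the constructed snapshot."""
    exe = SAMPLE_FS[0]
    return find_hijacks(exe, ["avicap32.dll", "kernel32.dll"], SAMPLE_FS,
                        cwd=r"C:\Users\bob")


if __name__ == "__main__":
    exe = SAMPLE_FS[0]
    print("executable under user profile:", in_user_profile(exe))
    for f in demo():
        print(f"{f.dll}: loaded from {f.loaded_from}, expected {f.expected}")
```

Running `demo()` reports only avicap32.dll: the planted kernel32.dll is ignored because KnownDLLs are never resolved through the search path, which is exactly why attackers pick a less central library such as avicap32.dll. On a real host the same logic would be fed the executable's import table and a directory listing instead of the constructed `SAMPLE_FS`.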
This particular campaign targeted users in Italy for a month, ample time to gather a victim's usernames and passwords. The presence of a Trojanized TeamViewer version raises the possibility that one built on a newer release may exist in the wild and account for some of the recent attacks.
One more thing to note is that TeamViewer's administrators may be able to limit the damage done with old versions. All TeamViewer connections are initially mediated by the company's servers. It may be possible to refuse connections from these unsupported versions at this handshake stage, preventing any malicious use from progressing. It would unfortunately also cut off legitimate users of these old versions.
Trend Micro endpoint solutions such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free™ Business Security can protect users and SMBs from this threat by detecting malicious files and spammed messages, as well as blocking all related malicious URLs. Trend Micro Deep Discovery has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs.