We’re used to seeing malware that exploits unpatched vulnerabilities in software. But in a new twist, attackers are bundling an old version of the remote access package TeamViewer with their malware in order to take advantage of a flaw.
The malware, known as TVSPY, has been uncovered by researchers at security company Damballa. While the current version of TeamViewer has fixed this vulnerability, the bundled version works independently of any existing TeamViewer installation on the target PC.
Although TVSPY first appeared in 2012, researchers have seen more than four times the number of unique variants surface in 2015. It has been distributed through a targeted email campaign that included a malicious Excel file with a macro to download the malware. The email purported to come from the All-Russian Research and Design Institute of Nuclear and Energy Engineering. Analysis of the command and control server for this latest variant suggests it’s owned by professional criminals.
The researchers point out that, “This particular threat is very dangerous as the attacker will have total control over the affected machine. It can be used during a regular infection campaign or by some advanced persistent threat actors for specific attacks against particular targets.”
More information about the threat, including how to tell if your system is compromised, is available on the Damballa blog.