Backdoor Trojan Uses TeamViewer Components to Spy on PCs in Europe, Russia, US

Share this…

Crooks also delivering keyloggers and password stealers. A new trojan called BackDoor.TeamViewerENT.1 is using parts of the legitimate TeamViewer application to allow crooks to spy on infected systems.

The concept is not new by any means, and crooks employed TeamViewer in the past, when they packaged the legitimate app alongside their malware and used it to transform the user’s PC into a web proxy.

That particular trojan, BackDoor.TeamViewer.49, did not allow the crooks to steal anything, only to spy on traffic, but this newer variant does, according to Dr.Web security researchers.

In fact, the two variants seem to be related because they both use stripped-down versions of the TeamViewer application, where they replace the avicap32.dll file with a malicious version that loads trojan’s malicious features.

Trojan includes many self-defense mechanisms

The infection process revolves around users installing applications, where the stripped-down TeamViewer version is also installed without their knowledge.

Whenever this modified TeamViewer version starts, the avicap32.dll is loaded by default, being a must-run DLL. Crooks modified this DLL to include the BackDoor.TeamViewerENT trojan, which gets loaded into the computer’s memory, without needing any files on disk to function. This fileless operation mode makes antivirus detection harder.

The modified DLL also contains functions to suppress any TeamViewer error messages, a functionality included to avoid giving away the trojan’s presence.

Another odd feature is that, whenever the user starts the Windows Task Manager or Process Explorer apps, the trojan automatically shuts down (the parent TeamViewer process) to avoid getting seen by the victim in the process list.

Backdoor trojan includes lots of RAT-looking features

After this, BackDoor.TeamViewerENT.1 begins to behave like a regular backdoor. It starts communicating with its C&C server, from where it receives various types of commands.

The trojan includes the ability to restart or turn off the computer, remove or relaunch its parent TeamViewer process, listen to conversations via the microphone, access the webcam, download and execute files, run command-line instructions, or connect to specified remote servers.

As you can see, these are full-on RAT features. Additionally, Dr.Web says it detected a campaign where crooks used the trojan to download and install other malware like keyloggers and password stealers.

During their investigation, security researchers found the trojan was very active, especially targeting Russian users, but also users in the UK, Spain, and the US. Attackers switched focus to US targets in August, says the security vendor.

BackDoor.TeamViewerENT - US campaign

BackDoor.TeamViewerENT – US campaign

Some of this trojan’s other names are Spy-Agent, TVSPY, TVRAT, or Teamspy. Last week, Kaspersky detected that the criminal group delivering the Shade ransomware also integrated this trojan in their distribution channel.

Crooks were using it to spy on infected targets and see if they were valuable targets. Kaspersky says the crooks specifically focused on accounting departments at Russian-speaking companies.

TeamViewer, which is a legitimate application, is not the only application that’s been abused by cyber-criminals in the past month.

The same happened to LogMeIn, another remote desktop utility, which crooks used together with the PosCardStealer PoS malware. The criminal group was hacking into computers that had LogMeIn installed and leaving their PoS malware behind.

BackDoor.TeamViewerENT - Russian campaign

BackDoor.TeamViewerENT – Russian campaign