After almost a four-year respite, the data-stealing TeamSpy malware has resurfaced, or at least that’s what a spam campaign detected over the weekend suggests, researchers say.
Researchers at the CrySyS Lab in Hungary originally identified the malware back in March 2013 when they traced it back to a years-long espionage campaign. At the time researchers surmised the attack, which was focused on high profile industrial, research, or diplomatic targets, may have been ongoing for up to 10 years.
Researchers from Danish firm Heimdal Security said on Monday they observed a new campaign launched over the weekend spreading the malware. The campaign relies heavily on spamming victims and tricking them into opening a rigged .zip file that’s disguised as an e-fax file.
Once the .zip file is opened, an .exe file that’s nested inside is activated and code – in the form of a malicious DLL (MSIMG32.dll) – is dropped onto the victim’s machine. The malware uses DLL hijacking to write system usernames and passwords to a text file, “Log%s#%.3u.txt,” and send them along to the attacker’s command-and-control server.
The malware is interested in more than just credentials, Andra Zaharia, a security evangelist with the firm, told Threatpost Thursday.
“The malware is not only capable of stealing credentials, but can also take screenshots, gather information about the computer’s operating system, details about the security products installed on it and more,” Zaharia said.
The malware, like incidents unearthed in 2013, includes components from the legitimate application TeamViewer, a remote support tool. While attackers previously blended TeamViewer components with malware modules, the most recent strain of attacks combines TeamViewer’s entire software.
According to Zaharia, a TeamViewer executable is among some of the files dropped into the victim’s %SystemDrive% file. TeamViewer .DLLs like TeamViewer_Resource_en.dll and TeamViewer_StaticRes.dll, as well as a VPN tool, and keylogger are also dropped.
Zaharia says the attack uses TeamViewer to thwart detection. By starting a TeamViewer session attackers can access encrypted content and sidestep two-factor authentication. All of this is done without the victim’s knowledge; the TeamViewer session makes the attackers practically invisible.
The firm says the campaign appears to be “highly related” to a series of spear phishing campaigns against Hungary. Those attacks employed LatentBOT, a strain of malware uncovered by researchers at FireEye in 2015 that’s lingered in the wild since 2013. The malware, while not present in the TeamSpy campaign, utilizes several layers of obfuscation, features what researchers call a unique exfiltration mechanism, and is known for being skilled at monitoring victims without being detected.
It’s unclear if this campaign is in anyway related to previously uncovered TeamSpy campaigns, but it wouldn’t be far fetched if the same group were involved.
CrySyS researchers said in 2013 there was a clear connection between samples it observed and that it was likely that one group was responsible for a series of campaigns it observed over a 10 year span targeting victims in the US, Canada, China and Brazil.
“The attackers use distinct tools for nearly every simple activity – this means that most likely the group is small and technically professional people carry out all types of activities, including strategic planning and executing the attacks,” CrySyS researchers said of the attacks at the time.
When reached on Tuesday a spokesperson for TeamViewer said the company was investigating Heimdal’s report but that it has no reason to assume a vulnerability in the software is in play.
“This is obviously a post-exploit action, so the real issue is the preceding malware infection,” TeamViewer said in a statement, adding that nonetheless users should still ensure they keep their software updated, avoid affiliate or bundles, and only download TeamViewer through official channels.
This article was updated on Friday, February 28 to include additional information from Heimdal Security.
