A targeted, email-borne attack against embassy officials and government finance authorities globally is making use of a malicious attachment disguised as a top-secret U.S. document. It weaponizes TeamViewer, the popular remote-access and desktop-sharing software, to gain full control of the infected computer.
While the tactics and targets are APT-like, Check Point researchers suspect that the cyberattacker behind the effort is actually financially motivated.
Social Engineering + TeamViewer
The attack starts with an email claiming to send the target information about a U.S. “Military Financing Program.” The attacked Excel file is marked “Top Secret” and purports to be from the U.S. State Department. According to Check Point, which has been following the campaign, the document is “well-crafted,” with little to tip off the recipient that anything is awry other than the fact that the attachment name is in Cyrillic.
Potential victims are prompted to enable macros, and once they do, a legitimate AutoHotkeyU32.exe program is launched, along with an AHK script, which fetches three additional AHK script URLs from the command-and-control (C2) server.
The scripts take screenshots of the victim’s PC and capture the victim’s username and computer information, sending that to the C2. The third script also downloads a malicious version of TeamViewer.
“The malicious TeamViewer DLL (TV.DLL) is loaded via the DLL side-loading technique, and is used to add more functionality to TeamViewer by hooking windows APIs called by the program,” Check Point researchers explained in a Monday posting.
These APIs hide the TeamViewer interface so that the user would not know it is running; save TeamViewer session credentials to a text file; and allow the transfer and remote execution of additional executable or DLL files.
Once the malicious TeamViewer is up and running, the adversary sets about using its remote desktop functionality to gain access to the targeted system as if he or she were a legitimate user of the computer.
The custom build of TeamViewer isn’t that sophisticated, according to Check Point – however, it has been very successful.
“We have seen at least five different officials, each from different country, infected with it,” Lotem Finkelsteen, threat intelligence group manager at Check Point, told Threatpost. “The attacker succeeded in taking screenshots and fingerprinting the computers of these officials. The screenshots assisted him with filtering in and out victims, based on their identity and position. We know the attacker established full remote access to those victims, using the weaponized TeamViewer. Once he gained remote control, it has unlimited access to the infected machine and connected networks.”
Victimology and a Pattern of Attacks
Interestingly, the threat actors kept the screenshots from the compromised PC in an exposed directory that Check Point researchers were able to access for a while before the view was disabled. This, combined with information from the firm’s own telemetry, allowed the researchers to ascertain the identity of certain victims, who are located in Bermuda, Guyana, Italy, Kenya, Lebanon, Liberia and Nepal.
“It is hard to tell if there are geopolitical motives behind this campaign by looking solely at the list of countries it was targeting, since it was not after a specific region and the victims came from different places in the world,” Check Point researchers noted. “Nevertheless, the observed victims list reveals a particular interest of the attacker in the public financial sector, as they all appear to be handpicked government officials from several revenue authorities.”
The campaign is the latest iteration of an ongoing offensive using a trojanized version of TeamViewer, which stretches back to last year. The initial infection vector used by the threat actors has changed over time, using for instance self-extracting archives instead of malicious documents with AutoHotKey.
In terms of mitigation, Finkelsteen told Threatpost that it comes down to common sense.
“If you were not expecting an email from the U.S. government discussing a top secret subject, just do not open it,” he said. “In general, these luring documents address our curiosity and lure us to execute the infection chain.”
Attribution — Not an APT?
Check Point managed to trace the breadcrumbs from the attack back to a Russian-speaking cybercriminal going by the handle “EvaPiks,” active in multiple Dark Web conversation threads.
“Although in such campaigns it is usually unclear who is behind the attack, in this case we were able to locate a user who appears to be behind the aforementioned activity active in several online forums, or is at least the creator of the tools used in the attack.”
EvaPiks appears to be the helpful sort, sharing tactics and techniques with others in the forums. Among the tips are other postings by EvaPiks, like mentions of a URL used in one of the attacks, and code snippets that match the code used in the latest attack.
“Some of the variable names, such as ‘hextext’ were not even changed,” according to Check Point.
One of the forums frequented by EvaPiks was an illegal Russian carding forum, where stolen credit-card information is bought and sold.
In all, the picture emerges of an adversary who is still learning the ropes and who is not likely to be part of a larger nation-state backed group.
“On the one hand … this appears to be a well thought-out attack that carefully selects a handful of victims and uses tailored decoy content to match the interests of its target audience,” the researchers noted. “On the other hand, some aspects of this attack were carried out with less caution, and have exposed details that are usually well disguised in similar campaigns, such as the personal information and online history of the perpetrator, as well as the outreach of their malicious activity.”
Ultimately, “the developer behind the attack in underground carding forums and the victim’s characteristics may imply that the attacker is financially motivated,” according to Check Point.
Finkelsteen told Threatpost, “Considering EvaPiks’ history, one possible explanation may be gaining access to exclusive bank accounts – governmental ones. However, we would have expected to see it in early stages of the attack, but we didn’t see it. Another possible explanation is that a successful infection chain was leverage to some other espionage campaign. Unfortunately, it is not clear yet.”
This post was updated at 2:27 p.m. on Monday, April 22, to include comments from an email interview with the researcher.
Don’t miss our free Threatpost webinar, “Data Security in the Cloud,” on April 24 at 2 p.m. ET.
A panel of experts will join Threatpost senior editor Tara Seals to discuss how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.