
Backdoor Trojan Uses TeamViewer Components to Spy on PCs in Europe, Russia, US


vissha


 

Crooks also delivering keyloggers and password stealers

 

Quote

A new trojan called BackDoor.TeamViewerENT.1 is using parts of the legitimate TeamViewer application to allow crooks to spy on infected systems.

 

The concept is not new by any means, and crooks employed TeamViewer in the past, when they packaged the legitimate app alongside their malware and used it to transform the user's PC into a web proxy.

 

That particular trojan, BackDoor.TeamViewer.49, did not allow the crooks to steal anything, only to spy on traffic, but this newer variant does, according to Dr.Web security researchers.

 

In fact, the two variants seem to be related: both use a stripped-down copy of the TeamViewer application in which the avicap32.dll file has been replaced with a malicious version that loads the trojan's functionality.

 

Trojan includes many self-defense mechanisms

 

The infection starts with users installing other applications; the stripped-down TeamViewer build is installed alongside them without the user's knowledge.

 

Whenever this modified TeamViewer version starts, avicap32.dll is loaded automatically, because the TeamViewer executable imports it. Windows looks for an imported DLL in the application's own directory before it looks in System32, so the copy bundled with the stripped-down TeamViewer wins over the genuine one. Crooks modified this DLL to include the BackDoor.TeamViewerENT trojan, whose code is unpacked and run in memory rather than written to disk as a separate file. This mostly in-memory mode of operation makes antivirus detection harder, since the only artifact on disk is a DLL carrying a legitimate name.

 

The modified DLL also contains functions to suppress any TeamViewer error messages, a functionality included to avoid giving away the trojan's presence.

 

Another odd feature: whenever the user starts Windows Task Manager or Process Explorer, the trojan shuts down its parent TeamViewer process so that it does not show up in the process list.

 

Backdoor trojan includes lots of RAT-looking features

 

After this, BackDoor.TeamViewerENT.1 begins to behave like a regular backdoor. It starts communicating with its C&C server, from where it receives various types of commands.

 

The trojan includes the ability to restart or turn off the computer, remove or relaunch its parent TeamViewer process, listen to conversations via the microphone, access the webcam, download and execute files, run command-line instructions, or connect to specified remote servers.

 

As you can see, these are full-on RAT features. Additionally, Dr.Web says it detected a campaign where crooks used the trojan to download and install other malware like keyloggers and password stealers.

 

During their investigation, security researchers found the trojan was very active, especially targeting Russian users, but also users in the UK, Spain, and the US. Attackers switched focus to US targets in August, says the security vendor.

 


 

Some of this trojan's other names are Spy-Agent, TVSPY, TVRAT, or Teamspy. Last week, Kaspersky detected that the criminal group delivering the Shade ransomware also integrated this trojan in their distribution channel.

 

Crooks were using it to spy on infected targets and see if they were valuable targets. Kaspersky says the crooks specifically focused on accounting departments at Russian-speaking companies.

 

TeamViewer, which is a legitimate application, is not the only application that's been abused by cyber-criminals in the past month.

 

The same happened to LogMeIn, another remote desktop utility, which crooks used together with the PosCardStealer PoS malware. The criminal group was hacking into computers that had LogMeIn installed and leaving their PoS malware behind.

 


 

Source
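A practical check for the side-loading layout the article describes: the genuine avicap32.dll lives in the Windows system directories, so any copy sitting elsewhere, and especially one next to a TeamViewer.exe, deserves a look. The script below is an added example written for this post, not code from the article, Dr.Web or TeamViewer. It runs against a small directory tree it constructs in a temp folder with made-up file contents (no real malware), and the hash list it trusts is just the hash of that constructed "genuine" copy; on a live host you would seed known_good_hashes from a trusted source and pair the result with an Authenticode check (for example PowerShell's Get-AuthenticodeSignature), which this script does not do.

```python
"""Hunt for avicap32.dll copies that live outside the Windows system
directories, the side-loading trick described in the article.

Added example, not code from the article, Dr.Web or TeamViewer. It runs
against a directory tree constructed in a temp folder so it works offline;
point hunt() at a real drive root and a hash list from a trusted source
(the vendor's copy or a clean reference image) to use it for real.
Authenticode verification is not done here."""
import hashlib
import os
import tempfile
from pathlib import Path

TARGET_DLL = "avicap32.dll"
# The genuine DLL ships in System32 (and SysWOW64 on 64-bit Windows).
SYSTEM_DIRS = {"system32", "syswow64"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def in_system_dir(path):
    return any(part.lower() in SYSTEM_DIRS for part in Path(path).parts)


def hunt(root, known_good_hashes):
    """Return one finding per avicap32.dll found outside the system dirs.

    A copy beside TeamViewer.exe is the exact layout the trojan uses; a copy
    whose hash is not on the known-good list is the one to pull for analysis."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        if TARGET_DLL not in by_lower:
            continue
        dll = os.path.join(dirpath, by_lower[TARGET_DLL])
        if in_system_dir(dll):
            continue
        digest = sha256_of(dll)
        findings.append({
            "path": dll,
            "sha256": digest,
            "known_good": digest in known_good_hashes,
            "beside_teamviewer": "teamviewer.exe" in by_lower,
        })
    return findings


def build_demo_tree():
    """Constructed layout (hypothetical contents, no real binaries): genuine
    DLL in System32/SysWOW64, a tampered copy bundled with a stripped-down
    TeamViewer, and an unmodified copy some old program dropped in its folder."""
    root = tempfile.mkdtemp(prefix="avicap-hunt-")
    genuine = b"MZ genuine avicap32 (constructed stand-in)"
    tampered = b"MZ patched avicap32 with backdoor (constructed stand-in)"
    layout = {
        "Windows/System32/avicap32.dll": genuine,
        "Windows/SysWOW64/avicap32.dll": genuine,
        "Program Files/TeamViewer/avicap32.dll": tampered,
        "Program Files/TeamViewer/TeamViewer.exe": b"MZ stub",
        "Games/OldCam/avicap32.dll": genuine,
    }
    for rel, data in layout.items():
        p = Path(root, *rel.split("/"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


def demo():
    """Build the constructed tree, trust only the System32 copy's hash, hunt."""
    root = build_demo_tree()
    known_good = {sha256_of(os.path.join(root, "Windows", "System32", TARGET_DLL))}
    return hunt(root, known_good)


if __name__ == "__main__":
    for f in demo():
        flag = "SUSPECT" if (not f["known_good"] or f["beside_teamviewer"]) else "ok"
        print(flag, f["path"], f["sha256"][:16])
```

The system-directory copy is deliberately excluded from the findings rather than used blindly as ground truth: if you have reason to think the host is compromised, take the reference hash from a clean machine instead of from the host itself.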
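The Task Manager trick in the article is also a detection opportunity: a legitimate TeamViewer has no reason to exit the instant taskmgr.exe or Process Explorer starts. The correlation below is an added example, not part of the article or of Dr.Web's analysis. The log lines are constructed in a Sysmon-like shape (EventID 1 process create, EventID 5 process terminate) rather than real captures, and the five-second window and the monitor-tool names are assumptions to tune for your environment.

```python
"""Correlate Sysmon-style process events to catch the trojan's evasion:
TeamViewer.exe being killed the moment taskmgr.exe or Process Explorer starts.

Added example, not part of the article or of Dr.Web's research. The log
lines are constructed in a Sysmon-like shape (EventID 1 = process create,
EventID 5 = process terminate) and are not real captures; adapt parse_line()
to whatever your collector actually emits."""
import re
from datetime import datetime, timedelta

MONITOR_TOOLS = {"taskmgr.exe", "procexp.exe", "procexp64.exe"}  # assumed list
SUSPECT_IMAGE = "teamviewer.exe"
WINDOW = timedelta(seconds=5)  # assumed: how soon after the tool starts the kill must follow

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Image=(?P<image>.+?) ProcessId=(?P<pid>\d+)$"
)

# Constructed sample feed: one suspicious kill (pid 3000 dies 2s after Taskmgr
# starts), one normal TeamViewer exit (pid 3300) and a Process Explorer start
# with nothing following it.
SAMPLE_LOG = r"""
2016-08-29T10:00:00Z EventID=1 Image=C:\Program Files\TeamViewer\TeamViewer.exe ProcessId=3000
2016-08-29T10:05:00Z EventID=1 Image=C:\Windows\System32\notepad.exe ProcessId=3100
2016-08-29T10:05:30Z EventID=5 Image=C:\Windows\System32\notepad.exe ProcessId=3100
2016-08-29T10:10:00Z EventID=1 Image=C:\Windows\System32\Taskmgr.exe ProcessId=3200
2016-08-29T10:10:02Z EventID=5 Image=C:\Program Files\TeamViewer\TeamViewer.exe ProcessId=3000
2016-08-29T10:20:00Z EventID=1 Image=C:\Program Files\TeamViewer\TeamViewer.exe ProcessId=3300
2016-08-29T10:30:00Z EventID=5 Image=C:\Program Files\TeamViewer\TeamViewer.exe ProcessId=3300
2016-08-29T10:40:00Z EventID=1 Image=C:\Tools\procexp64.exe ProcessId=3400
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "eid": int(m["eid"]),
        "image": m["image"].rsplit("\\", 1)[-1].lower(),  # basename, case-folded
        "pid": int(m["pid"]),
    }


def correlate(events, window=WINDOW):
    """Flag every TeamViewer.exe termination that follows a monitor-tool start
    within `window`. Events are sorted by timestamp so an unordered feed still
    works; a kill that precedes the tool start is not an alert."""
    alerts = []
    recent_tool_starts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["eid"] == 1 and ev["image"] in MONITOR_TOOLS:
            recent_tool_starts.append(ev)
        elif ev["eid"] == 5 and ev["image"] == SUSPECT_IMAGE:
            # Forget tool starts that are older than the window, then pair the rest.
            recent_tool_starts = [t for t in recent_tool_starts
                                  if ev["ts"] - t["ts"] <= window]
            for tool in recent_tool_starts:
                alerts.append({
                    "tool": tool["image"],
                    "tool_pid": tool["pid"],
                    "tool_ts": tool["ts"],
                    "victim_pid": ev["pid"],
                    "killed_ts": ev["ts"],
                    "delay_s": (ev["ts"] - tool["ts"]).total_seconds(),
                })
    return alerts


def detect(log_text):
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return correlate(events)


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['killed_ts']:%H:%M:%S} TeamViewer pid {a['victim_pid']} exited "
              f"{a['delay_s']:.0f}s after {a['tool']} (pid {a['tool_pid']}) started")
```

Run over a real Sysmon feed this will also fire when a user happens to close TeamViewer right after opening Task Manager, so treat it as a lead to combine with the avicap32.dll location check rather than a verdict on its own.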

knowledge-Spammer

It's best never to use patched versions of this program. Many things can be added to TeamViewer that people may not know about.



And Microsoft integrated TeamViewer into Windows 10, creating another 'flaw' that can be exploited, which is what I said would happen in the original post notifying us that they were going to do the integration.  That is proof you don't have to be a genius to be better than Microsoft at figuring out the future.  Microsoft should make me the CEO.  First thing I would do is fire all the managers, and then tell the developers to rewrite Windows 10 without any Apps and no data collection of any type, just the pure OS.  All apps would be optional to install from the programs and files settings.  There would be no restrictions on registry edits or customizations.  And lastly there would only be one version of Windows, and we would call it FREE FOREVER.  Yes, FREE.  No stupid activation hoops to jump through.  An OS that would be configurable to meet the requirements of business and home users.  Sorry, been daydreaming.



TeamViewer is going to get wind of this and issue a fix, don't worry. Stray, nice copy-and-paste job.
