Delaware, USA – January 29, 2019 – Trend Micro researchers uncovered a malicious campaign that spreads trojan spyware using a modified version of TeamViewer. A week and a half ago, a security researcher FewAtoms discovered a link to the malicious self-extracting SFX/SEA archive, which, under the guise of a program for remote access, installed a trojan on victims’ computers. The malware saves a series of files to user’s Temp directory, including the legitimate version of Teamviewer, and then adds a shortcut to the executable to the Startup folder. After that, the loader launches the program that launches a malicious library. Trojan collects detailed information about the system, including the rights of the current user and the presence of anti-virus solutions, and sends it to the attacker’s server, which could be linked to the CoinSteal malware and Fareit dropper. This connection may indicate a more extensive campaign. It is still not possible to determine a threat actor who is behind this operation.
This is not the first campaign that uses legitimate popular remote access software to distribute malware. Last year, attackers distributed Blackheart ransomware along with AnyDesk application for remote control between various operating systems. Teamviewer itself was also previously used to distribute ransomware, but this time the official website was not compromised. To detect suspicious software and malicious activity, you can use the Sysmon Framework rule pack with the Threat Hunting Framework.