TeamSpy Data-Stealing Malware at It Again with New Spam Campaign


Attackers have lots of ways of gaining access to a target’s information. One of their favorite attack vectors is exploiting careless end-user behavior. This is especially true when it comes to users who don’t adequately protect their web accounts.

For example, bad actors targeted users of TeamViewer, software which allows IT professionals to gain remote desktop access, on two separate occasions in the first half of 2016. In both incidents, observers thought someone had hacked TeamViewer or that the company had not implemented suitable security measures. But the company revealed that careless behavior, i.e. users reusing weak passwords across their accounts, had helped attackers gain access to victims’ computers. Nothing had happened to TeamViewer itself.

The same can be said about TeamSpy. First discovered in 2013, TeamSpy is a nasty piece of malware that abuses TeamViewer software, which like many applications loads external code known as Dynamic Link Libraries (DLLs). The malware takes advantage of this by implementing a technique known as DLL hijacking: it tricks TeamViewer’s DLL loader into executing malicious code in place of the library the program expected.

The CrySyS Lab elaborates on the technique in a report (PDF):

“The attackers install an original, legitimate TeamViewer instance on the victim computer, but they modify its behavior with DLL hijacking, and they obtain remote access to the victim computers in real-time. Therefore, the attackers are not only able to remotely observe the infected computers, but they can also abuse TeamViewer to install other tools to obtain important information, files, and other data from the victim.”

DLL hijacking is possible against applications depending on how they load DLLs. When a program requests a library by name rather than by full path, Windows searches the application’s own directory before the system directory, so a malicious DLL planted alongside the executable is loaded in place of the legitimate one. This doesn’t mean the affected applications are inherently unsafe, however. The technique usually works only if attackers first trick users into downloading a malicious DLL (and the dropper that plants it) onto their computers. Bad actors usually turn to social engineering techniques for that purpose.

Case in point: Heimdal Security recently discovered an attack campaign that leverages email spam to infect users with TeamSpy.

Let’s dig into the specifics of this operation.

TeamSpy Email Spam

The attack begins when a user receives an email from a spoofed sender address. Most of the time, the subject line has something to do with an eFax message. The attachment, “,” reinforces this ploy.

But the attachment is not what it appears to be.

As Heimdal’s security evangelist Andra Zaharia explains in a blog post:

“The attached file is a zip file, which, when opened, triggers the accompanying .exe file to be activated. This causes the malicious TeamSpy code to be dropped onto the victim’s computer, as a malicious DLL:

“[%APPDATA%]\SysplanNT\MSIMG32.dll. That library is then registered via C:\Windows\system32\regsvr32.exe "/s" [%APPDATA%]\SysplanNT\MSIMG32.dll”

Once activated, TeamSpy loads up a keylogger. This component collects a victim’s usernames and passwords, assembles them into a file, and continuously sends it to its command and control (C&C) server. Meanwhile, the victim remains oblivious to the hidden TeamViewer instance that powers TeamSpy.
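The drop-and-register sequence quoted above (a silent `regsvr32.exe "/s"` on a DLL named like a Windows system library, sitting under %APPDATA%) is a pattern defenders can hunt for in process-creation telemetry. The following is an added example, not code from Heimdal Security, CrySyS Lab or this article: it parses regsvr32 command lines and flags two indicators, a COM server registered from a user-writable location and a system-DLL name (here MSIMG32.dll, the one the article names) resolving outside System32/SysWOW64, the hallmark of a search-order hijack. The event format (`ts`, `image`, `cmdline`), the `ENV` mapping and every sample log line are constructed for the example.

```python
"""Flag the TeamSpy-style DLL drop-and-register pattern in process-creation logs.

Added example (not Heimdal's or CrySyS Lab's code). The log layout, the ENV
mapping and all SAMPLE_EVENTS below are constructed; only the
regsvr32 "/s" + %APPDATA%\SysplanNT\MSIMG32.dll pattern comes from the article.
"""
import re
from pathlib import PureWindowsPath

# Directories where a library bearing a Windows system-DLL name legitimately lives.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# System-DLL names known to be planted beside a legitimate executable so the
# loader picks them up first. MSIMG32.dll is the one TeamSpy uses; extend as needed.
HIJACKABLE_DLLS = {"msimg32.dll"}

# Path fragments marking user-writable locations (plain strings: a raw string
# cannot end in a backslash).
USER_WRITABLE = ("\\appdata\\", "\\users\\", "\\temp\\", "\\programdata\\")

# Constructed environment used to expand %VAR% references in command lines.
ENV = {"APPDATA": r"C:\Users\victim\AppData\Roaming",
       "TEMP": r"C:\Users\victim\AppData\Local\Temp"}

_ENV_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # Windows-style: quoted or bare tokens


def expand_env(path: str) -> str:
    """Expand %VAR% using the constructed ENV; unknown variables are left as-is."""
    return _ENV_RE.sub(lambda m: ENV.get(m.group(1).upper(), m.group(0)), path)


def is_hijack_candidate(dll_path: str) -> bool:
    """True when a known system-DLL name sits outside the system directories.

    Windows resolves an unqualified DLL name against the application's own
    directory before System32, so a copy of MSIMG32.dll anywhere else is the
    search-order hijack indicator, whatever its contents.
    """
    p = PureWindowsPath(expand_env(dll_path))
    if p.name.lower() not in HIJACKABLE_DLLS:
        return False
    return str(p.parent).lower() not in SYSTEM_DIRS


def in_user_writable(path: str) -> bool:
    """True when the (expanded) path lies under a user-writable directory."""
    lowered = expand_env(path).lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def parse_regsvr32(cmdline: str):
    """Return (flags, targets) for a regsvr32 command line, or None otherwise.

    Quotes are stripped per token, so "/s" and /s are treated alike.
    """
    tokens = [t.strip('"') for t in _TOKEN_RE.findall(cmdline)]
    if not tokens or PureWindowsPath(tokens[0]).name.lower() not in ("regsvr32", "regsvr32.exe"):
        return None
    flags = {t.lower() for t in tokens[1:] if t.startswith("/")}
    targets = [t for t in tokens[1:] if t and not t.startswith("/")]
    return flags, targets


def analyze(events):
    """Return one alert per regsvr32 target that trips a location indicator.

    A bare /s is routine for installers, so it only raises severity; the alert
    itself requires the DLL to be user-writable or a misplaced system-DLL name.
    """
    alerts = []
    for ev in events:
        parsed = parse_regsvr32(ev["cmdline"])
        if parsed is None:
            continue
        flags, targets = parsed
        for target in targets:
            reasons = []
            if "/s" in flags:
                reasons.append("silent registration (/s)")
            if in_user_writable(target):
                reasons.append("DLL in user-writable location")
            hijack = is_hijack_candidate(target)
            if hijack:
                reasons.append("system DLL name outside System32/SysWOW64")
            if len(reasons) == (1 if "/s" in flags else 0):
                continue  # no location indicator fired
            severity = "high" if hijack and "/s" in flags else "medium"
            alerts.append({"ts": ev["ts"], "target": expand_env(target),
                           "severity": severity, "reasons": reasons})
    return alerts


# Constructed process-creation events: one TeamSpy-style registration, one
# benign system-DLL registration, one generic drop in Temp, one unrelated process.
SAMPLE_EVENTS = [
    {"ts": "2017-02-22T09:14:03Z", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'C:\Windows\system32\regsvr32.exe "/s" %APPDATA%\SysplanNT\MSIMG32.dll'},
    {"ts": "2017-02-22T09:20:11Z", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\scrrun.dll"},
    {"ts": "2017-02-22T09:31:47Z", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /u /s C:\Users\victim\AppData\Local\Temp\update.dll"},
    {"ts": "2017-02-22T09:40:00Z", "image": r"C:\Program Files (x86)\TeamViewer\TeamViewer.exe",
     "cmdline": r'"C:\Program Files (x86)\TeamViewer\TeamViewer.exe"'},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f'{alert["ts"]} [{alert["severity"]}] {alert["target"]}: {"; ".join(alert["reasons"])}')
```

Run against the constructed events, only the %APPDATA% MSIMG32.dll registration is rated high; the Temp drop is medium, the System32 registration and the TeamViewer launch produce nothing. On a real endpoint the same `is_hijack_candidate` check can be pointed at image-load events for TeamViewer.exe, which catches the hijack even when the dropper skips regsvr32.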

The attack, which can circumvent various security protections including two-step verification (2SV) because the attacker acts through a live remote-desktop session on the victim’s already-authenticated machine, had a 31/58 VirusTotal detection rate as of 22 February 2017.

The Need for Security Awareness

Reflecting on the TeamSpy email campaign, Heimdal’s CEO Morten Kjærsgaard feels organizations need to invest in security awareness:

“This type of attack, as many others that use similar tactics, highlights (once again) how critical basic cyber security education is. Cyber hygiene, as we call it, is fundamental to our lives, as we can no longer draw a clear line between our online and our ‘offline’ lives.”

In Kjærsgaard’s view, this means knowing four things:

  • Which emails to open and which to mark as spam.
  • Which email attachments to avoid and never open.
  • The main tactics that cybercriminals use to infect your computer.
  • How cognitive manipulation is part of every attack.

By familiarizing themselves with security best practices, users can take their digital security into their own hands and choose tools that are designed to protect their data. They can also watch out for future attack campaigns like the TeamSpy operation explained above.
