Teamviewer BOT strikes again

IntSights Cyber Intelligence analysts discovered a new BOT comprised of infected Teamviewer users, called Teamviewer BOT.

Teamviewer BOT

Back in June 2016, users of the popular shared desktop application, Teamviewer, were allegedly targeted in a large-scale cyberattack. Teamviewer dismissed the claim, stating that the site system wasn’t hacked, but rather that individual users’ accounts were compromised due to password re-use.

Last week, IntSights Cyber Intelligence analysts discovered a new BOT comprised of infected Teamviewer user accounts. Known as ‘Teamviewerbot’, it is sold on the Russian black market at the price of 500 USD, which includes a DOC macro exploit for infection and a keylogger. This, along with previous discoveries by Kaspersky Labs, indicates that TeamViewer is indeed used for malicious purposes.

DOC macro exploit for infection

Several years ago, an APT campaign identified by Kaspersky Labs, named “Operation Teamspy”, used this mainstream software as a RAT to download and install malware onto victims’ machines.

Recently it was also discovered that BackDoor.TeamViewerENT.1 (a backdoor Trojan for Microsoft Windows distributed under the name ‘Spy-Agent’) uses the TeamViewer remote control utility components to spy on users. The malware continues to attract interest from potential buyers on the market, along with positive reviews from previous buyers.

A look at a sample video published by the threat actor - vzlomov - reveals that the malware is also known as ‘TVRAT’.

All these factors suggest that TeamViewer could indeed be used for malicious purposes. It is unclear whether the latest discoveries by the IntSights team are related to the alleged hack in June, but such activity could explain at least some of the phenomena Teamviewer users experienced, i.e. account takeovers. Since the advanced capabilities that allow the tool to deliver malware into a secure network have been tested and proven, additional campaigns utilizing this penetration vector, exploiting this vulnerability, could be in the making.

This Post was written by IntSights intelligence team leader, Ido Wulkan.
