Trojan found lurking in a fake TeamViewer executable file

  • A malicious URL discovered by a security researcher is believed to host a Trojan disguised as a TeamViewer file.
  • Codenamed TROJANSPY.WIN32.TEAMFOSTEALER.THOABAAI, the spyware downloads additional malicious files to steal data from the system.

A week ago, a security researcher who goes by the name ‘FewAtoms’ uncovered a Trojan that disguises itself as a TeamViewer executable file. Hosted at a malicious URL, the spyware steals data from the victim’s computer after infection.

Malicious URL does the work

Security company Trend Micro labelled this trojan ‘TROJANSPY.WIN32.TEAMFOSTEALER.THOABAAI’. Once it is installed on the user’s system from the malicious URL, the spyware downloads a set of additional files to execute. These files mainly serve to gather information from the system.

“After arriving on the victim’s system, the malware executes the TeamViewer.exe file, which loads the malicious DLL %User Temp%\PmIgYzA\TV.dll. The trojan spyware then gathers user and device data (listed below) and connects to the website hxxp://intersys32[.]com to send and receive this information,” explained the blog by Trend Micro.
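The load pattern described above (a legitimate TeamViewer.exe pulling TV.dll from a subfolder of the user’s temp directory) is something defenders can hunt for in endpoint image-load telemetry. The following is an added Python example, not code from Trend Micro or this article; it assumes a constructed pipe-delimited event format (loading image | loaded module | signature valid) and sample events built inline, the second of which mirrors the case in the article.

```python
import ntpath
import re

# Constructed sample of image-load events (format assumed for this example:
# loading process image | loaded module path | module signature valid).
# The second line mirrors the article's case: TeamViewer.exe loading TV.dll
# from a %User Temp% subfolder named PmIgYzA.
SAMPLE_EVENTS = """\
C:\\Program Files\\TeamViewer\\TeamViewer.exe|C:\\Program Files\\TeamViewer\\TV.dll|true
C:\\Users\\alice\\AppData\\Local\\Temp\\PmIgYzA\\TeamViewer.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\PmIgYzA\\TV.dll|false
C:\\Windows\\System32\\notepad.exe|C:\\Windows\\System32\\kernel32.dll|true
"""

# User-writable staging directories a genuine TeamViewer install never loads its DLLs from.
SUSPICIOUS_DIRS = re.compile(
    r"\\appdata\\local\\temp\\|\\users\\public\\|\\programdata\\|\\downloads\\",
    re.IGNORECASE,
)


def parse_events(text):
    """Yield one dict per non-empty event line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        image, module, signed = line.split("|")
        yield {"image": image, "module": module, "signed": signed.strip().lower() == "true"}


def is_suspicious_sideload(event):
    """True when TeamViewer.exe loads a DLL from a staging directory, or an unsigned DLL."""
    if ntpath.basename(event["image"]).lower() != "teamviewer.exe":
        return False
    if not event["module"].lower().endswith(".dll"):
        return False
    from_staging_dir = SUSPICIOUS_DIRS.search(event["module"]) is not None
    return from_staging_dir or not event["signed"]


def find_sideloads(text):
    """Return the module paths of every suspicious TeamViewer DLL load in the log."""
    return [e["module"] for e in parse_events(text) if is_suspicious_sideload(e)]
```

On a real estate the same logic maps onto Sysmon Event ID 7 (Image loaded) fields, where the signature status is reported by the sensor rather than read from a constructed column.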

In addition to that, the malicious URL ‘hxxp://intersys32[.]com’ contains other malware such as CoinSteal and Fareit.

TeamViewer has been abused by miscreants in many similar attacks in the past. Back in 2017, a cybercrime group created TeamSpy, malware that secretly installed TeamViewer on victims’ systems to give the attackers full control over them.

As a consequence, attackers could steal data and execute malicious programs on the infected systems. What’s scary is that the attackers encrypt the TeamViewer traffic, making it look legitimate and indistinguishable from normal traffic.