Trojan found lurking in a fake TeamViewer executable file

  • A malicious URL discovered by a security researcher hosts what is believed to be a Trojan disguised as a TeamViewer executable.
  • Detected as TROJANSPY.WIN32.TEAMFOSTEALER.THOABAAI, the spyware downloads additional malicious files and steals data from the system.

A week ago, a security researcher who goes by the name ‘FewAtoms’ uncovered a Trojan that disguises itself as a TeamViewer executable file. Hosted at a malicious URL, the spyware steals data from the victim’s computer after infection.

Malicious URL does the work

Security company Trend Micro labelled this trojan ‘TROJANSPY.WIN32.TEAMFOSTEALER.THOABAAI’. Once it is installed on the user’s system from the malicious URL, the spyware also downloads a set of additional files to execute. These files mainly help gather information from the system.

“After arriving on the victim’s system, the malware executes the TeamViewer.exe file, which loads the malicious DLL %User Temp%\PmIgYzA\TV.dll. The trojan spyware then gathers user and device data (listed below) and connects to the website hxxp://intersys32[.]com to send and receive this information,” explained the Trend Micro blog.

In addition, the malicious domain ‘hxxp://intersys32[.]com’ hosts other malware, such as CoinSteal and Fareit.
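The behaviour Trend Micro describes, a legitimate TeamViewer.exe loading a malicious TV.dll dropped beside it in a user temp directory and then beaconing to intersys32[.]com, is a DLL side-load, and it leaves two distinct traces in endpoint telemetry. The hunt below is an added example, not code from Trend Micro, TeamViewer or the researcher; it runs two rules over a constructed, simplified key=value rendering of Sysmon Event ID 7 (image load) and Event ID 3 (network connection). The field names are Sysmon’s, the sample lines are made up, and the list of user-writable directories is an assumption for the demonstration.

```python
"""Hunt for the TeamViewer DLL side-load and C2 beacon in Sysmon-style logs.

Added example; not Trend Micro's, TeamViewer's or the researcher's code.
Input format (assumed): one event per line, ' | '-separated key=value pairs.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Indicator quoted from the Trend Micro write-up, refanged for matching.
IOC_DOMAINS = {"intersys32.com"}

# Directories any user can write to (assumed list). TeamViewer.exe loading an
# unsigned DLL from one of these is the side-load pattern: in the reported case
# %User Temp%\PmIgYzA\TV.dll. Paths are compared lower-cased with '/' separators.
USER_WRITABLE_DIRS = ("/appdata/local/temp/", "/windows/temp/", "/users/public/")

# Constructed sample events: one true side-load, one true beacon, and three
# benign lines (the installed product, the portable QuickSupport package that
# legitimately runs from %TEMP% with signed DLLs, and an unrelated process).
SAMPLE_LOG = [
    r"EventID=7 | Image=C:\Users\alice\AppData\Local\Temp\PmIgYzA\TeamViewer.exe"
    r" | ImageLoaded=C:\Users\alice\AppData\Local\Temp\PmIgYzA\TV.dll | Signed=false",
    r"EventID=7 | Image=C:\Program Files\TeamViewer\TeamViewer.exe"
    r" | ImageLoaded=C:\Program Files\TeamViewer\TV.dll | Signed=true",
    r"EventID=3 | Image=C:\Users\alice\AppData\Local\Temp\PmIgYzA\TeamViewer.exe"
    r" | DestinationHostname=intersys32.com | DestinationPort=80",
    r"EventID=3 | Image=C:\Program Files\TeamViewer\TeamViewer.exe"
    r" | DestinationHostname=master1.teamviewer.com | DestinationPort=5938",
    r"EventID=7 | Image=C:\Users\alice\AppData\Local\Temp\TeamViewerQS\TeamViewer.exe"
    r" | ImageLoaded=C:\Users\alice\AppData\Local\Temp\TeamViewerQS\TV.dll | Signed=true",
    r"EventID=7 | Image=C:\Windows\System32\notepad.exe"
    r" | ImageLoaded=C:\Windows\System32\kernel32.dll | Signed=true",
]


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v | k=v' into a dict; values keep their original case."""
    fields = {}
    for pair in line.split(" | "):
        key, sep, value = pair.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _norm(path: str) -> str:
    return path.replace("\\", "/").lower()


def is_user_writable(path: str) -> bool:
    p = _norm(path)
    return any(d in p for d in USER_WRITABLE_DIRS)


def is_teamviewer(path: str) -> bool:
    return _norm(path).endswith("/teamviewer.exe")


def teamviewer_sideload(ev: Dict[str, str]) -> bool:
    """Event ID 7: TeamViewer.exe loaded an unsigned DLL from a user-writable path.

    The Signed check keeps the portable QuickSupport package, which extracts
    itself and its signed DLLs to %TEMP%, from raising a false positive.
    """
    if ev.get("EventID") != "7" or not is_teamviewer(ev.get("Image", "")):
        return False
    loaded = ev.get("ImageLoaded", "")
    unsigned = ev.get("Signed", "").lower() != "true"
    return _norm(loaded).endswith(".dll") and is_user_writable(loaded) and unsigned


def teamviewer_ioc_connection(ev: Dict[str, str]) -> bool:
    """Event ID 3: TeamViewer.exe connected to the known C2 domain or a subdomain."""
    if ev.get("EventID") != "3" or not is_teamviewer(ev.get("Image", "")):
        return False
    host = ev.get("DestinationHostname", "").lower().rstrip(".")
    return host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS)


# rule name -> (predicate, field to report as the detail)
RULES = {
    "teamviewer_sideload": (teamviewer_sideload, "ImageLoaded"),
    "teamviewer_ioc_connection": (teamviewer_ioc_connection, "DestinationHostname"),
}


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Run every rule over every event and return the hits in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for name, (check, detail_field) in RULES.items():
            if check(ev):
                findings.append(Finding(name, ev.get("Image", ""), ev.get(detail_field, "")))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.rule}] {f.image} -> {f.detail}")
```

Run against the sample, only the unsigned TV.dll load from the PmIgYzA temp folder and the connection to intersys32.com are reported; the installed product, the signed QuickSupport DLLs and the teamviewer.com session pass. The domain rule is only as good as the indicator list, so in practice it is the side-load rule that catches the next variant dropped under a different folder name.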

TeamViewer has been abused by miscreants in many similar attacks in the past. In 2017, a cybercrime group revived TeamSpy, malware first seen in 2013 that silently installs TeamViewer on victims’ systems to give the attackers full remote control.

As a consequence, attackers could steal data and execute malicious programs on the infected systems. What makes this hard to spot is that TeamViewer traffic is encrypted by design, so the attackers’ sessions look like legitimate remote-support traffic and are difficult to distinguish from normal use.

Emotet Trojan Targets Education, Gov and Healthcare

As 2018 drew to a close, Malwarebytes predicted that Emotet and TrickBot were the future of malware, and its third annual State of Malware Report, released today, confirms that the two Trojan families spread widely, most often targeting the education, government, manufacturing and healthcare sectors.

The old adage, “When one goes up, the other comes down,” rang true for malware in 2018. By the second quarter of the year there was a notable decline in cryptomining attacks, which saw only a 7% year-over-year increase, while information-stealing malware rose significantly. The former banking Trojans Emotet and TrickBot plagued the education sector, while manufacturing suffered attacks from WannaCrypt and Emotet.

“The year 2018 was action-packed from start to finish,” said Adam Kujawa, director of Malwarebytes Labs, in a press release. “It began with threat actors diversifying their cryptomining tactics; broadening their reach to Android, Mac and cryptomining malware; and experimenting with new innovations in browser-based attacks.”

Seven categories of malware were detected within businesses, with Trojans, riskware tools, backdoors and spyware the top four following year-over-year increases of more than 100%. Vools was the top detection among backdoor compromises, according to the report.

“Year after year, we see cyber perpetrators finding new (and old) avenues for monetizing on their attacks. Regardless of whether it is ransomware, mineware or ‘good old’ Trojans and info stealers, the strategy is the same: find the weakest link and abuse it for initial infiltration, then deploy the ‘profit module’ of your choice,” said Matan Or-El, co-founder and CEO of Panorays.

If the report offered any good news, it was that consumer attacks declined even as business threats increased by 79%. “Despite the focus on business targets, consumer malware detections only decreased by three percent year over year, thanks to increases in backdoors, Trojans, and spyware malware categories throughout 2018. While 2017 saw 775,327,346 consumer detections overall, 2018 brought with it about 25 million fewer instances of infection – a healthy decrease in number, percentages aside,” the report said.

Last year also saw a rise in rogue app attacks, with extensions that fooled both users and app stores into thinking they were legitimate. And, as Infosecurity reported, Magecart covered a lot of ground in its widespread attacks on e-commerce sites.

Finally, sextortion made the report’s list of top 10 takeaways. “Major scams for the year capitalized on stale PII from breaches of old. Phishing emails were blasted out to millions of users in extortion (or in some cases, sextortion) attempts, flashing victims’ old, but potentially still viable, passwords and warning them that they’d expose their secrets if they didn’t pay up.”