Sat. Jun 6th, 2020

Hackers Continuously Tweak TeamViewer Malware to Evade Detection

Recently, it was reported that several embassies in Europe, including those of Nepal, Guyana, Kenya, Italy, Liberia, Bermuda, and Lebanon, were the victims of an email attack.


During the attack, hackers used a trojanized version of TeamViewer — a widely used remote access and desktop sharing software — to gain full control of the infected computer.


In the report, security experts at Check Point focused on a single cybercriminal who goes by the handle EvaPiks. They believe that, alone or with the help of other cybercriminals, EvaPiks has been altering TeamViewer to suit the needs of various attacks.

For example, in the first known instance, the research shows that the malicious dynamic link library allowed the malware to send some information back to the attacker and to self-delete if needed. In the second version, the hacker extended the malware with more features, including a new command-and-control module, and offered a list of targets that might be of interest.

The third version, which is the most current and was used in the embassy attacks, removes the command system, adds a dynamic link library execution feature, and relies on external AutoHotKey scripts for information gathering and credential exfiltration, the research shows. Additionally, Check Point reports that AutoHotKey, an open-source custom scripting language for Windows, was used to take screenshots of the PCs targeted in the attacks.


According to Nathan Wenzler, a senior director of cybersecurity at Moss Adams, the continuous modifications to the TeamViewer malware “is a perfect illustration of why these attacks continue and why they’re so hard to defend against.”


“Attackers changing the code they use, even slightly, can put security teams even more on the defensive if they are not anticipating these shifts,” Wenzler says.


“Even when we discover a new form of malware, as the source code is being shared, all it takes is for one minor change or a new function from a different chunk of code to be embedded, and suddenly, you have a whole new strain of malware,” Wenzler says. “When people struggle to understand why the security industry doesn’t seem to make as much progress as it should, this is just a single, prime example of the complexity and fluid nature of what we’re up against.”