Over the weekend, Heimdal Security experts noticed a brand new spam campaign that turns the TeamSpy malware into spying software. Cybercriminals use the TeamSpy malware to gain full access to the target computers.
The TeamSpy malware hit the headlines in 2013, when security experts at the Hungary-based CrySys Lab uncovered a decade-long cyber espionage campaign targeting high-level political and industrial entities in Eastern Europe.
At that time, the hackers used the popular remote-access program TeamViewer alongside specially developed malware to steal secret documents and encryption keys from the victims.
Nowadays, the latest wave of attacks relies on social engineering, manipulating users into installing the TeamSpy malware on their computers.
The malware developers used DLL hijacking to execute unauthorized actions via legitimate software. The attack chain starts with a spam email carrying a .zip attachment such as:
Fax_02755665224.zip -> Fax_02755665224.EXE
Once the victim opens the zip archive and executes the accompanying .exe file, the TeamSpy malware is dropped onto the victim’s computer as a malicious DLL:
%APPDATA%\SysplanNT\MSIMG32.dll. That library is then registered via C:\Windows\system32\regsvr32.exe /s %APPDATA%\SysplanNT\MSIMG32.dll
The security researchers claim that the TeamSpy malware bundles various components alongside the otherwise legitimate TeamViewer application, two of which are a keylogger and a TeamViewer VPN.
The malware attacks which the Heimdal Security team has registered are very insidious, because victims will not be able to notice them.
“Given how the TeamSpy infection happens, it is clear that a TeamViewer session started by the attackers will be invisible to the victim. This can lead to numerous forms of abuse against the services that the logged in user runs on his/her computer,” the analysis shared by Heimdal Security states.
“This attack can also circumvent two-factor authentication and can also give cybercriminals access to encrypted content which is unencrypted by the users on their compromised computers.”