TeamSpy hackers get the crew back together after four-year hiatus

Cybercrooks have once again begun slinging malware that subverts elements of the legitimate TeamViewer remote control app to snoop on victims. The tactic was previously seen in 2013. Attacks typically begin with booby-trapped emails harbouring malicious attachments that pose as eFax messages. If installed, the malicious code …

  1. Mr_Pitiful

    Huh

    I think more info is required, how is it using Team Viewer?

    1. Halfmad

      Re: Huh

      Shouldn't even have been published as an article without more information, come on el'reg!

    2. therealjorge

      Re: Huh

      Try AEROADMIN as well. It's free for home and business use. Simple and fast. Requires no installation and configuration.

      http://www.aeroadmin.com

  2. Anonymous Coward
    Anonymous Coward

    £££££$$$££££

    If the perps want to pay the huge fee for TV for me I'll give it a go!

    connecting to coat!!!

  3. Palpy

    Details in link embedded in --

    -- the article. For your enjoyment:

    The attack uses social engineering and a booby-trapped email.

    "The attached file is a zip file, which, when opened, triggers the accompanying .exe file to be activated. This causes for the malicious TeamSpy code to be dropped onto the victim’s computer, as a malicious DLL."

    The infection process also does some other stuff (refer to link in article), with the results:

    "...the TeamSpy malware includes various components in the otherwise legitimate TeamViewer application. A keylogger and a TeamViewer VPN are two of these components. ... At the same time, logs are copied to the 'Log% s #%. 3u.txt' while simultaneously adding all available user names and passwords to the same file. This file is then sent continuously to the following C & C server..." (etc)

    Reffy, as in El Reg article: Heimdal Security.

    1. JCitizen
      Holmes

      Re: Details in link embedded in --

      I must assume that Team Viewer has administrative rights even on a standard account? Otherwise, why would running a command to install a DLL NOT set off the UAC? Seems like that should be a no no on any limited rights user account - maybe I've lost track of what permissions Windows gives to app-data files?
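
On the DLL-dropping step Palpy quotes and the UAC question JCitizen raises, here is an added detection example that is not from the article or from either commenter: dropping a DLL under AppData and having a user-launched TeamViewer.exe load it needs no elevation, so UAC never fires, and the telling signal is instead the load path and signature. The record shape (Image, ImageLoaded, Signed, Signature, as in Sysmon Event ID 7), the user-writable path list and the sample records are assumptions constructed for this example.

```python
import re
from pathlib import PureWindowsPath

# Directory roots a standard user can write to without triggering a UAC prompt.
# Constructed list for this example; extend it to match your own environment.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata\\|users\\public\\|programdata\\|windows\\temp\\)",
    re.IGNORECASE,
)

# Constructed ImageLoad-style records (Sysmon Event ID 7 shape); not real telemetry.
SAMPLE_EVENTS = [
    {   # legitimate install loading its own signed resource DLL
        "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
        "ImageLoaded": r"C:\Program Files\TeamViewer\TeamViewer_Resource_en.dll",
        "Signed": "true", "Signature": "TeamViewer GmbH",
    },
    {   # legitimate install loading a Microsoft-signed system DLL: must not alert
        "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
        "ImageLoaded": r"C:\Windows\System32\ws2_32.dll",
        "Signed": "true", "Signature": "Microsoft Windows",
    },
    {   # copy of TeamViewer dropped under AppData next to an unsigned DLL
        "Image": r"C:\Users\alice\AppData\Roaming\eFax\TeamViewer.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Roaming\eFax\sideloaded.dll",
        "Signed": "false", "Signature": "",
    },
]


def analyse_image_load(event):
    """Return reason strings for one ImageLoad event; an empty list means no finding."""
    proc = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    reasons = []
    if proc.name.lower() != "teamviewer.exe":
        return reasons  # only TeamViewer host processes are in scope for this rule
    if USER_WRITABLE.match(str(proc)):
        reasons.append("teamviewer_exe_in_user_writable_path")
    if USER_WRITABLE.match(str(dll)):
        reasons.append("dll_loaded_from_user_writable_path")
    if event.get("Signed", "").lower() != "true":
        reasons.append("dll_unsigned")
    return reasons


def scan(events):
    """Return (index, reasons) for every event that produced at least one reason."""
    return [(i, r) for i, e in enumerate(events) if (r := analyse_image_load(e))]
```

Run `scan(SAMPLE_EVENTS)` to see only the AppData record flagged, with all three reasons; the Microsoft-signed system DLL load stays quiet because the rule keys on path and signing state rather than on publisher.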
