TeamViewer is the best-known software for remote desktop access, screen sharing, online meetings, web conferencing and file transfer. A recent malicious campaign repeatedly abuses TeamViewer to deliver powerful malware that steals sensitive data and money from various government and financial networks by means of a malicious TeamViewer DLL. Based on the entire infection chain, the tools developed and used for this attack, and the attackers' later activity, researchers believe the attack was carried out by a financially motivated Russian-speaking hacker.
Weaponized TeamViewer Infection Chain
The initial stage of the infection chain begins with a spam mail carrying a malicious XLSM document that contains an embedded macro, presented as a "Military Financing Program" document. Purporting to come from the US Department of State, it is a well-crafted malicious document marked top secret in order to persuade the victim to open it. Once the victim opens the macro-laced document, the XLSM file extracts two files from hex-encoded cells. The first is a legitimate AutoHotkeyU32.exe program; the second is AutoHotkeyU32.ahk, an AHK script that communicates with the C&C server and downloads and executes additional scripts.
The attackers use this technique to hide the TeamViewer interface and to save the current TeamViewer session credentials to a text file, enabling them to transfer and execute additional EXE or DLL files. There are three malicious AHK scripts, each carrying out different actions. In this case, the threat actors use the TeamViewer DLL side-loading technique (htv.ahk), which allows the attackers to add more functionality to TeamViewer.
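The chain described above leaves a recognisable trail in endpoint telemetry: an Office process spawning AutoHotkeyU32.exe, that process being handed an .ahk script from a user-writable directory, and a TeamViewer.exe running from such a directory loading an unsigned DLL beside it. The following is an added detection example, not code from the original article or from Check Point; the event records are constructed to resemble simplified Sysmon-style process-creation and image-load events, and the field names, directory heuristics and the side-loaded DLL filename are assumptions.

```python
"""Hunt for the TeamViewer/AutoHotkey infection-chain behaviours in endpoint telemetry.

Added example (not from the original article or Check Point). Events are
constructed, simplified Sysmon-style records; field names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    kind: str            # "process" (process creation) or "imageload" (DLL load)
    image: str           # full path of the process image
    parent: str = ""     # parent process image (process events only)
    cmdline: str = ""    # command line (process events only)
    loaded: str = ""     # loaded module path (imageload events only)
    signed: bool = True  # whether the loaded module carries a valid signature


OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def in_user_writable_dir(path: str) -> bool:
    """Heuristic (assumption): locations a normal user can write to."""
    p = path.lower()
    return ("\\appdata\\" in p or "\\users\\public\\" in p
            or p.startswith("c:\\programdata\\") or "\\temp\\" in p)


def classify(ev: Event) -> List[str]:
    """Return the alert names this single event triggers (empty if benign)."""
    alerts: List[str] = []
    if ev.kind == "process":
        child, parent = basename(ev.image), basename(ev.parent)
        # Office document dropping and launching the AutoHotkey interpreter.
        if parent in OFFICE_HOSTS and child.startswith("autohotkey"):
            alerts.append("office-spawned-autohotkey")
        # AutoHotkey executing a script that lives in a user-writable location.
        if (child.startswith("autohotkey") and ".ahk" in ev.cmdline.lower()
                and in_user_writable_dir(ev.cmdline)):
            alerts.append("autohotkey-script-from-user-dir")
    elif ev.kind == "imageload":
        # A TeamViewer binary loading an unsigned DLL from a user-writable path
        # is the shape of the DLL side-loading described in the article.
        if (basename(ev.image) == "teamviewer.exe"
                and in_user_writable_dir(ev.loaded) and not ev.signed):
            alerts.append("teamviewer-sideload-unsigned-dll")
    return alerts


def hunt(events: List[Event]) -> Dict[int, List[str]]:
    """Map event index -> alerts for every event that triggered at least one."""
    results = {}
    for idx, ev in enumerate(events):
        alerts = classify(ev)
        if alerts:
            results[idx] = alerts
    return results


# Constructed sample telemetry: two malicious-looking events, two benign ones.
SAMPLE_EVENTS = [
    Event(kind="process",
          image=r"C:\Users\victim\AppData\Roaming\AutoHotkeyU32.exe",
          parent=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          cmdline=r"AutoHotkeyU32.exe C:\Users\victim\AppData\Roaming\AutoHotkeyU32.ahk"),
    Event(kind="imageload",
          image=r"C:\Users\victim\AppData\Roaming\TeamViewer\TeamViewer.exe",
          loaded=r"C:\Users\victim\AppData\Roaming\TeamViewer\sideloaded.dll",  # placeholder name
          signed=False),
    Event(kind="process",
          image=r"C:\Program Files\TeamViewer\TeamViewer.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline="TeamViewer.exe"),
    Event(kind="imageload",
          image=r"C:\Program Files\TeamViewer\TeamViewer.exe",
          loaded=r"C:\Windows\System32\kernel32.dll",
          signed=True),
]

if __name__ == "__main__":
    for idx, alerts in hunt(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, "->", ", ".join(alerts))
```

The three checks are deliberately independent so that each can be tuned or suppressed on its own; in a real deployment the Office-to-AutoHotkey rule is the cheapest high-signal one, while the side-load rule should be scoped to TeamViewer copies that are not in the vendor's install directory to keep noise down.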
[Figure: visual representation of the DLL side-loading execution]

According to Check Point Research, once the malicious TeamViewer provides remote access, one of the first uses of the AutoHotkey scripts is to upload a screenshot from the infected PC.

Based on telemetry records, this attack targets countries such as Nepal, Guyana, Kenya, Italy, Liberia, Bermuda and Lebanon, as well as public-sector finance bodies and government officials.

Indicators of Compromise

DLLs
013e87b874477fcad54ada4fa0a274a2
799AB035023B655506C0D565996579B5
e1167cb7f3735d4edec5f7219cea64ef
6cc0218d2b93a243721b088f177d8e8f
aad0d93a570e6230f843dcdf20041e1e

Documents
1e741ebc08af09edc69f017e170b9852
c6ae889f3bee42cc19a728ba66fa3d99
1675cdec4c0ff49993a1fcbdfad85e56
72de32fa52cc2fab2b0584c26657820f
44038b936667f6ce2333af80086f877f
4acf624ad87609d476180ecc4c96c355
4dbe9dbfb53438d9ce410535355cd973

C&Cs
1c-ru[.]net/check/license
intersys32[.]com/3307/gate.php
185.70.186[.]145/gate.php
185.70.186[.]145/index.php
193.109.69[.]5/3307/gate.php
193.109.69[.]5/9125/gate.php
146.0.72[.]180/3307/
146.0.72[.]180/newcpanel_gate/
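The indicators above are only useful once they are matched against something. The following is an added example, not code from the original article or from Check Point, showing how a defender would refang the defanged C&C entries, match them against proxy log lines (exact URL first, then host-only for other paths to a known C&C host) and check a file-hash inventory against the DLL and document hashes. The proxy-log format, the inventory format and the file paths are constructed assumptions; the indicator values themselves are the article's.

```python
"""Match the article's IoCs against constructed proxy logs and a file-hash inventory.

Added example (not from the original article or Check Point). Log/inventory
formats are assumptions; indicator values are copied from the article.
"""
import re
from typing import List, Tuple

# C&C indicators as published, defanged with "[.]".
C2_INDICATORS = [
    "1c-ru[.]net/check/license",
    "intersys32[.]com/3307/gate.php",
    "185.70.186[.]145/gate.php",
    "185.70.186[.]145/index.php",
    "193.109.69[.]5/3307/gate.php",
    "193.109.69[.]5/9125/gate.php",
    "146.0.72[.]180/3307/",
    "146.0.72[.]180/newcpanel_gate/",
]
DLL_HASHES = {h.lower() for h in [
    "013e87b874477fcad54ada4fa0a274a2", "799AB035023B655506C0D565996579B5",
    "e1167cb7f3735d4edec5f7219cea64ef", "6cc0218d2b93a243721b088f177d8e8f",
    "aad0d93a570e6230f843dcdf20041e1e",
]}
DOC_HASHES = {h.lower() for h in [
    "1e741ebc08af09edc69f017e170b9852", "c6ae889f3bee42cc19a728ba66fa3d99",
    "1675cdec4c0ff49993a1fcbdfad85e56", "72de32fa52cc2fab2b0584c26657820f",
    "44038b936667f6ce2333af80086f877f", "4acf624ad87609d476180ecc4c96c355",
    "4dbe9dbfb53438d9ce410535355cd973",
]}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its real form."""
    return ioc.replace("[.]", ".")


def split_indicator(ioc: str) -> Tuple[str, str]:
    """Split 'host/path' into (lower-cased host, path with leading slash)."""
    host, _, path = refang(ioc).partition("/")
    return host.lower(), "/" + path


C2_URLS = {split_indicator(i) for i in C2_INDICATORS}
C2_HOSTS = {host for host, _ in C2_URLS}

# Assumed proxy log shape: "<timestamp> <client-ip> <METHOD> <url> <status>"
PROXY_LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/\s]+)(?P<path>/\S*)")


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, host, match-type) for every line touching a C&C."""
    hits = []
    for line in lines:
        m = PROXY_LOG_RE.match(line)
        if not m:
            continue  # malformed line, skip rather than crash the scan
        host, path = m["host"].lower(), m["path"]
        if (host, path) in C2_URLS:
            hits.append((m["src"], host, "exact-url"))
        elif host in C2_HOSTS:
            hits.append((m["src"], host, "host-only"))
    return hits


def scan_hashes(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (path, category) for inventory entries whose MD5 is a known IoC."""
    hits = []
    for path, md5 in inventory:
        digest = md5.strip().lower()
        if digest in DLL_HASHES:
            hits.append((path, "dll"))
        elif digest in DOC_HASHES:
            hits.append((path, "document"))
    return hits


# Constructed sample data: one exact C&C hit, one host-only hit, one benign line.
SAMPLE_PROXY_LOG = [
    "2019-04-01T10:00:01Z 10.0.0.23 POST http://intersys32.com/3307/gate.php 200",
    "2019-04-01T10:00:05Z 10.0.0.23 GET http://185.70.186.145/update.php 404",
    "2019-04-01T10:01:00Z 10.0.0.24 GET http://www.example.com/index.html 200",
]
# Constructed inventory: placeholder file names paired with one real IoC hash
# and one made-up non-matching hash.
SAMPLE_INVENTORY = [
    (r"C:\Users\victim\AppData\Roaming\TeamViewer\unknown.dll",
     "013E87B874477FCAD54ADA4FA0A274A2"),
    (r"C:\Windows\System32\kernel32.dll", "00000000000000000000000000000000"),
]

if __name__ == "__main__":
    print(scan_proxy_log(SAMPLE_PROXY_LOG))
    print(scan_hashes(SAMPLE_INVENTORY))
```

Exact URL matches are the strongest signal; host-only matches are kept separately because two of the listed C&Cs are bare IP addresses whose other paths may also be attacker-controlled, so they deserve triage rather than automatic dismissal.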