Internet threat level: 1
Home→Blog→Incidents→March 20 2013→The TeamSpy Crew Attacks - Abusing TeamViewer for Cyberespionage
The TeamSpy Crew Attacks - Abusing TeamViewer for Cyberespionage
Earlier today, the Laboratory of Cryptography and System Security (CrySyS Lab), together with the Hungarian National Security Authority (NBF), published details on a high profile targeted attack against Hungary. The details about the exact targets are not known and the incident remains classified.
Considering the implications of such an attack, Kaspersky Lab’s Global Research & Analysis Team performed a technical analysis of the campaign and related malware samples.
You can read our short FAQ below and you can download our technical analysis paper linked at the end of the blogpost.
What is it?
'TeamSpy' is a cyber-surveillance operation targeting high level political and human rights activists throughout CIS and Eastern European nations. Victims also include government agencies as well as private companies. The attacks have been ongoing for almost a decade and were previously mentioned by Belarussian activists in 2012.
Why call it TeamSpy?
The attackers control the victim’s computers remotely by using the legal remote administration tool TeamViewer. This application is signed with legitimate digital certificates and is used by more than 100 million users around the world. To avoid alerting the user that somebody is spying on him, the attackers dynamically patch TeamViewer in memory to remove all signs of its presence.
What does the malware do?
This is a surveillance/reconnaissance and data-theft operation. Sensitive stolen data includes:
- “Secret” content, secret/private crypto keys, passwords.
- Apple iOS device history data from iTunes.
- Detailed OS and BIOS information.
- Keylogging and screenshot captures.
What exactly is being stolen?
The attackers are interested in office documents and files (e.g., *.doc, *.rtf, *.xls, *.mdb), pdf files (*.pdf), disk images (e.g., *.tc, *.vmdk), as well as files that potentially contain sensitive information such as encryption keys (e.g.,*. pgp, *.p12) and passwords (e.g., *pass*, *secret*, *saidumlo*, *секрет*.* and *парол*.*).
What is “saidumlo”?
“Secret”, in Georgian. “секрет” means “secret” in Russian, while “парол” means “password”.
How can organizations protect themselves against this particular attack?
1. Scan for the presence of the “teamviewer.exe” application.
2. Block access to the known command-and-control domains and IP addresses. (see our full technical paper)
3. Implement a rigid patch-management plan throughout the organization. This operation includes the use of popular exploit kits that targets known desktop software security vulnerabilities.
For more details, read our analysis of the TeamSpy attacks.
|
2013 Mar 21, 13:55
TeamSpy Crew. Hi Securelist |
|
1 |
Re: TeamSpy Crew.
Mark, thanks for the kind words!
At the moment, there are no clear indications this is the work of a nation state. We do not know who is behind the attack; in general, we don't do attribution and we believe it is the job of law enforcement to investigate such incidents!
|
1 |
Re: Re: TeamSpy Crew.
Hi Costin Raiu
Thank You for the reply,
i do have a question of sorts about the PDF that we can view at the end of your post,
i have downloaded this and it makes for a very interesting read about the subject at hand and the team behind these attacks,
but what i was wondering about is that on page 37 of the PDF File that i have read it also mentions you know about the different file formats that it looks for,
one of the file names got me interested and curious,
it was the part that says about the virtual machine disk files,
Does this mean that there is even a slight possibility that the created virus could potentially bypass a VMWare computer or decrypt/steal .vmdk information as well,
<""i don't know loads on VMWare only other than that they can be good in stopping virus's and looking for them as well, as well as protecting your original OS, [don't know if i have got that right or not though]"">
Thank You
look forwards to your reply
mark117
|
1 |
|
2013 Mar 21, 13:57
looking forwards i also look forwards to any and all follow ups that you do on this. |
2013 Mar 21, 19:13
Teamviewer pings Teamviewer pings on regulary basis (while turned off) to their servers. I saw that on my linux maschine researching something other on wireshark. Could anyone confirm this. Sorry for another thema. |
|
2 |
Re: Teamviewer pings
Hi fp!
Thanks for the comment!
To be honest, Teamviewer doesn't ping the servers, instead, the malware posts the latest TV ID to the C2. The attacks can then use the TV infrastructure to connect to the victim based on he ID/pw. I think the TV server does ping the TV infrastructure every now and then to announce it is live, though.
|
1 |
Re: Re: Teamviewer pings
I am sorry that I gone from the main topic, this have nothing to do with this malware I think. In fact I said that regular Teamviewer application on ubuntu contact own infrastructure (teamviwever servers) without even be turned on (Program doesent run and I don't run it as a service neither, pure deb install). I watched wireshark for another reason and saw this.
Edited by fp, 2013 Mar 22, 01:13
|
2013 Mar 31, 08:56
Congrats! Really a very good research job! |
|
2013 Apr 03, 13:32
How can we DELETE and REMOVE TEAMVIEWER from my pc completely? |
|
0 |
Re:
Hi buyurhaci, this is not a blog of that topic, but you can remove it using tools like Total Uninstall, hope this helps.
|
2013 May 22, 10:53
Hi there, |
Related Links
Analysis
Blog
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.