The TeamSpy Crew Attacks - Abusing TeamViewer for Cyberespionage

GReAT
Kaspersky Lab Expert
Posted March 20, 17:23 GMT
Tags: Website Hacks, Targeted Attacks

Earlier today, the Laboratory of Cryptography and System Security (CrySyS Lab), together with the Hungarian National Security Authority (NBF), published details on a high-profile targeted attack against Hungary. The details about the exact targets are not known and the incident remains classified.

Considering the implications of such an attack, Kaspersky Lab’s Global Research & Analysis Team performed a technical analysis of the campaign and related malware samples.

You can read our short FAQ below, and you can download our technical analysis paper linked at the end of the blog post.

What is it?

'TeamSpy' is a cyber-surveillance operation targeting high-level political and human rights activists throughout CIS and Eastern European nations. Victims also include government agencies as well as private companies. The attacks have been ongoing for almost a decade and were previously mentioned by Belarusian activists in 2012.

Why call it TeamSpy?

The attackers control the victims' computers remotely by using the legitimate remote administration tool TeamViewer. This application is signed with legitimate digital certificates and is used by more than 100 million users around the world. To avoid alerting the user that somebody is spying on them, the attackers dynamically patch TeamViewer in memory to remove all signs of its presence.

What does the malware do?

This is a surveillance/reconnaissance and data-theft operation. Sensitive stolen data includes:

- “Secret” content, secret/private crypto keys, passwords.
- Apple iOS device history data from iTunes.
- Detailed OS and BIOS information.
- Keylogging and screenshot captures.

What exactly is being stolen?

The attackers are interested in office documents and files (e.g., *.doc, *.rtf, *.xls, *.mdb), PDF files (*.pdf), disk images (e.g., *.tc, *.vmdk), as well as files that potentially contain sensitive information such as encryption keys (e.g., *.pgp, *.p12) and passwords (e.g., *pass*, *secret*, *saidumlo*, *секрет*.* and *парол*.*).

What is “saidumlo”?

“Secret”, in Georgian. “секрет” means “secret” in Russian, while “парол” means “password”.

How can organizations protect themselves against this particular attack?

1. Scan for the presence of the “teamviewer.exe” application.
2. Block access to the known command-and-control domains and IP addresses (see our full technical paper).
3. Implement a rigid patch-management plan throughout the organization. This operation includes the use of popular exploit kits that target known desktop software security vulnerabilities.
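As an added example (not code from the post or from Kaspersky), a Python host-inventory check for step 1 above: it walks a directory tree for teamviewer.exe, hashes every copy and flags those outside the sanctioned install directories, since TeamSpy brings its own copy of the tool. The expected-directory suffixes and the sample file tree are constructed assumptions, not values from the post.

```python
import hashlib
import os
import tempfile
from pathlib import Path

TARGET_NAME = "teamviewer.exe"  # step 1 of the post: scan hosts for this file
# Assumed (not from the post) directory suffixes of a sanctioned install;
# replace with your own inventory. Compared case-insensitively as POSIX paths.
EXPECTED_DIR_SUFFIXES = ("program files/teamviewer", "program files (x86)/teamviewer")

def sha256_of(path):
    """SHA-256 of a file, for matching against your known-good inventory."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def scan_for_teamviewer(root, expected=EXPECTED_DIR_SUFFIXES):
    """Walk `root` and return one record per teamviewer.exe found.
    A copy outside the expected install directories (user profile, temp,
    removable media) is the one to triage: TeamSpy brings its own copy
    of the tool instead of relying on a sanctioned installation."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != TARGET_NAME:
                continue
            parent = Path(dirpath).as_posix().lower()
            hits.append({
                "path": str(Path(dirpath) / name),
                "sha256": sha256_of(Path(dirpath) / name),
                "expected_location": parent.endswith(expected),
            })
    return hits

def suspicious(hits):
    """Only the copies that are not where a sanctioned install would live."""
    return [h for h in hits if not h["expected_location"]]

def demo():
    """Build a constructed sample tree in a temp dir, scan it, return results."""
    sample = {  # constructed sample data, not real binaries
        "Program Files/TeamViewer/TeamViewer.exe": b"",
        "Users/bob/AppData/Local/Temp/tv/teamviewer.exe": b"dropped copy",
        "Users/bob/Documents/notes.txt": b"not interesting",
    }
    with tempfile.TemporaryDirectory() as base:
        for rel, content in sample.items():
            target = Path(base) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        hits = scan_for_teamviewer(base)
    return hits, suspicious(hits)
```

Run `scan_for_teamviewer` against a mounted system drive or a collected file listing; `demo()` only exercises it on the constructed tree.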

For more details, read our analysis of the TeamSpy attacks.


12 comments


mark117

2013 Mar 21, 13:55
1
 

TeamSpy Crew.

Hi Securelist
Firstly.
<""you guys at GReAT do a really brilliant job of bringing to us, the people,
any info on the latest threats and viruses as well as spyware and any and all general nastiness that is out there online as well as at home on the desktop and/or OSes,"">
------------------------------------------------------------------------
Secondly.
Right, my only other question is that,
do you think that this could be linked to a nation state, a government that has set these guys to work on spying for them in order to commit crimes and get to any national secrets and passwords as well as IDs and the like,
-------------------------------
you guys do an amazing job,
That is why I drop by here at least 3 to 4+ times a day, to get the scoop on the latest threats, and the evaluations that you do are really in depth and are a real help to all of us, of that I am sure,
so from me to you
a real big
Thank You
mark117

Costin Raiu

2013 Mar 21, 16:12
1
 

Re: TeamSpy Crew.

Mark, thanks for the kind words!
At the moment, there are no clear indications this is the work of a nation state. We do not know who is behind the attack; in general, we don't do attribution and we believe it is the job of law enforcement to investigate such incidents!

mark117

2013 Mar 21, 16:31
1
 

Re: Re: TeamSpy Crew.

Hi Costin Raiu

Thank You for the reply,
I do have a question of sorts about the PDF that we can view at the end of your post,
I have downloaded this and it makes for a very interesting read about the subject at hand and the team behind these attacks,
but what I was wondering about is that on page 37 of the PDF file that I have read, it also mentions the different file formats that it looks for,
one of the file names got me interested and curious,
it was the part that says about the virtual machine disk files,
Does this mean that there is even a slight possibility that the created virus could potentially bypass a VMware computer or decrypt/steal .vmdk information as well,

<""i don't know loads on VMWare only other than that they can be good in stopping virus's and looking for them as well, as well as protecting your original OS, [don't know if i have got that right or not though]"">

Thank You
Look forward to your reply
mark117

Costin Raiu

2013 Mar 21, 21:40
1
 

Re: Re: Re: TeamSpy Crew.

Hi Mark!

Yes, it does appear to steal VMware disk image files.

mark117

2013 Mar 21, 13:57
0
 

Looking forward

I also look forward to any and all follow-ups that you do on this.
Thank You
mark117

fp

2013 Mar 21, 19:13
1
 

Teamviewer pings

Teamviewer pings their servers on a regular basis (while turned off). I saw that on my Linux machine while researching something else in Wireshark. Could anyone confirm this? Sorry for another topic.

Costin Raiu

2013 Mar 21, 21:39
2
 

Re: Teamviewer pings

Hi fp!

Thanks for the comment!

To be honest, Teamviewer doesn't ping the servers; instead, the malware posts the latest TV ID to the C2. The attackers can then use the TV infrastructure to connect to the victim based on the ID/pw. I think the TV server does ping the TV infrastructure every now and then to announce it is live, though.

fp

2013 Mar 22, 00:53
1
 

Re: Re: Teamviewer pings

I am sorry that I went off the main topic; this has nothing to do with this malware, I think. In fact I said that the regular Teamviewer application on Ubuntu contacts its own infrastructure (Teamviewer servers) without even being turned on (the program doesn't run and I don't run it as a service either, pure deb install). I watched Wireshark for another reason and saw this.

Edited by fp, 2013 Mar 22, 01:13

Galoget Latorre

2013 Mar 31, 08:56
0
 

Congrats!

Really a very good research job!

Your article is a good way to learn more about cybersecurity threats.

Thanks

Galoget

buyurhaci

2013 Apr 03, 13:32
0
 

How can we DELETE and REMOVE TEAMVIEWER from my PC completely?

Galoget Latorre

2013 Apr 08, 12:39
0
 

Re:

Hi buyurhaci, this is not a blog on that topic, but you can remove it using tools like Total Uninstall; hope this helps.

Bulava

2013 May 22, 10:53
0
 

Hi there,
It is still not clear to me how I can get infected.
If I downloaded the TeamViewer package from the official website, am I still at risk?

Thank you.
