Earlier today, the Laboratory of Cryptography and System Security (CrySyS Lab), together with the Hungarian National Security Authority (NBF), published details on a high profile targeted attack against Hungary. The details about the exact targets are not known and the incident remains classified.
Considering the implications of such an attack, Kaspersky Lab’s Global Research & Analysis Team performed a technical analysis of the campaign and related malware samples.
'TeamSpy' is a cyber-surveillance operation targeting high level political and human rights activists throughout CIS and Eastern European nations. Victims also include government agencies as well as private companies. The attacks have been ongoing for almost a decade and were previously mentioned by Belarussian activists in 2012.
The attackers control the victim’s computers remotely by using the legal remote administration tool TeamViewer. This application is signed with legitimate digital certificates and is used by more than 100 million users around the world. To avoid alerting the user that somebody is spying on him, the attackers dynamically patch TeamViewer in memory to remove all signs of its presence.
This is a surveillance/reconnaissance and data-theft operation. Sensitive stolen data includes:
- “Secret” content, secret/private crypto keys, passwords.
- Apple iOS device history data from iTunes.
- Detailed OS and BIOS information.
- Keylogging and screenshot captures.
The attackers are interested in office documents and files (e.g., *.doc, *.rtf, *.xls, *.mdb), pdf files (*.pdf), disk images (e.g., *.tc, *.vmdk), as well as files that potentially contain sensitive information such as encryption keys (e.g.,*. pgp, *.p12) and passwords (e.g., *pass*, *secret*, *saidumlo*, *секрет*.* and *парол*.*).
“Secret”, in Georgian. “секрет” means “secret” in Russian, while “парол” means “password”.
For more details, read our analysis of the TeamSpy attacks.
2013 Mar 21, 13:55
Re: TeamSpy Crew.
Mark, thanks for the kind words!
At the moment, there are no clear indications this is the work of a nation state. We do not know who is behind the attack; in general, we don't do attribution and we believe it is the job of law enforcement to investigate such incidents!
Re: Re: TeamSpy Crew.
Hi Costin Raiu
Thank You for the reply,
i do have a question of sorts about the PDF that we can view at the end of your post,
i have downloaded this and it makes for a very interesting read about the subject at hand and the team behind these attacks,
but what i was wondering about is that on page 37 of the PDF File that i have read it also mentions you know about the different file formats that it looks for,
one of the file names got me interested and curious,
it was the part that says about the virtual machine disk files,
Does this mean that there is even a slight possibility that the created virus could potentially bypass a VMWare computer or decrypt/steal .vmdk information as well,
<""i don't know loads on VMWare only other than that they can be good in stopping virus's and looking for them as well, as well as protecting your original OS, [don't know if i have got that right or not though]"">
look forwards to your reply
Re: Re: Re: TeamSpy Crew.
Yes, it does appear to steal VMWare disk image files.
2013 Mar 21, 13:57
i also look forwards to any and all follow ups that you do on this.
2013 Mar 21, 19:13
Teamviewer pings on regulary basis (while turned off) to their servers. I saw that on my linux maschine researching something other on wireshark. Could anyone confirm this. Sorry for another thema.
Re: Teamviewer pings
Thanks for the comment!
To be honest, Teamviewer doesn't ping the servers, instead, the malware posts the latest TV ID to the C2. The attacks can then use the TV infrastructure to connect to the victim based on he ID/pw. I think the TV server does ping the TV infrastructure every now and then to announce it is live, though.
Re: Re: Teamviewer pings
I am sorry that I gone from the main topic, this have nothing to do with this malware I think. In fact I said that regular Teamviewer application on ubuntu contact own infrastructure (teamviwever servers) without even be turned on (Program doesent run and I don't run it as a service neither, pure deb install). I watched wireshark for another reason and saw this.
Edited by fp, 2013 Mar 22, 01:13
2013 Mar 31, 08:56
Really a very good research job!
2013 Apr 03, 13:32
How can we DELETE and REMOVE TEAMVIEWER from my pc completely?
Hi buyurhaci, this is not a blog of that topic, but you can remove it using tools like Total Uninstall, hope this helps.
2013 May 22, 10:53