
TeamSpy malware is back, it transforms TeamViewer into a spying software

Security experts from Heimdal Security discovered a new spam campaign over the weekend that leverages the TeamSpy malware to spy on victims.

Security experts from Heimdal Security have uncovered a new spam campaign that emerged over the weekend. The crooks use the notorious TeamSpy malware to gain full access to the target computers.

It has been a long time since we last heard about the TeamSpy malware. It made the headlines in 2013, when security researchers at the Hungary-based CrySyS Lab discovered a decade-long cyber espionage campaign that targeted high-level political and industrial entities in Eastern Europe.

The attackers, dubbed TeamSpy by security researchers, used the popular remote-access program TeamViewer together with specially crafted malware to steal secret documents and encryption keys from victims.

Back to the present, the latest wave of attacks relies on social engineering to trick victims into installing the TeamSpy malware.

Malware authors used DLL hijacking to execute unauthorized actions through legitimate software.

The attack chain starts with a spam email carrying a .zip attachment such as:

Fax_02755665224.zip -> Fax_02755665224.EXE

When the victim opens the zip archive, the accompanying .exe file is executed and drops the TeamSpy malware onto the victim’s computer as a malicious DLL:

%APPDATA%\SysplanNT\MSIMG32.dll. That library is then registered via C:\Windows\system32\regsvr32.exe /s %APPDATA%\SysplanNT\MSIMG32.dll
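To show how a defender could spot the registration step described above in process-creation telemetry, here is an added Python example; it is not from the article or from Heimdal's analysis. It scans constructed command-line records for regsvr32 silently registering a DLL from a user-writable path, or a DLL that borrows the name of a Windows system library as MSIMG32.dll does here; the user names and the benign lines are invented.

```python
import re

# Constructed sample process-creation records (as logged by Sysmon event 1 or Security event 4688).
# The regsvr32 /s invocation and the %APPDATA%\SysplanNT\MSIMG32.dll location follow the article;
# user names and the benign entries are invented for this example.
SAMPLE_EVENTS = [
    r'C:\Windows\system32\regsvr32.exe /s C:\Users\alice\AppData\Roaming\SysplanNT\MSIMG32.dll',
    r'C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\msxml3.dll',
    r'C:\Program Files\TeamViewer\TeamViewer.exe',
    r'C:\Windows\system32\regsvr32.exe /u C:\Users\bob\AppData\Local\Temp\update.dll',
]

# Directories from which regsvr32 is expected to load DLLs; anything else (AppData, Temp, ...) is user-writable.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TRUSTED_DIRS = SYSTEM_DIRS + ("c:\\program files\\", "c:\\program files (x86)\\")
# Names of genuine Windows system DLLs that DLL-hijacking samples impersonate; msimg32.dll is the one in the article.
SYSTEM_DLL_NAMES = {"msimg32.dll"}

# A quoted path may contain spaces; an unquoted one ends at the next whitespace.
DLL_PATH = re.compile(r'"([a-z]:\\[^"]+?\.dll)"|([a-z]:\\\S+\.dll)', re.IGNORECASE)

def analyze_command_line(cmdline):
    """Return a list of findings for one command line; an empty list means nothing suspicious."""
    findings = []
    lower = cmdline.lower()
    if "regsvr32" not in lower:
        return findings
    m = DLL_PATH.search(lower)
    if not m:
        return findings
    dll_path = m.group(1) or m.group(2)
    dll_name = dll_path.rsplit("\\", 1)[-1]
    # Finding 1: the DLL being registered lives outside the trusted program directories.
    if not dll_path.startswith(TRUSTED_DIRS):
        findings.append("DLL registered from a user-writable location: " + dll_path)
    # Finding 2: a system DLL name loaded from a non-system path is the DLL-hijacking pattern.
    if dll_name in SYSTEM_DLL_NAMES and not dll_path.startswith(SYSTEM_DIRS):
        findings.append("system DLL name %s outside the Windows system directories" % dll_name)
    # Finding 3: /s suppresses the regsvr32 dialog, so the victim sees nothing; noted only alongside another finding.
    if findings and re.search(r"\s[/-]s(\s|$)", lower):
        findings.append("silent switch (/s) hides the registration from the user")
    return findings

def scan_events(events):
    """Map each suspicious command line to its findings, skipping clean ones."""
    return {e: analyze_command_line(e) for e in events if analyze_command_line(e)}

if __name__ == "__main__":
    for cmd, reasons in scan_events(SAMPLE_EVENTS).items():
        print(cmd)
        for reason in reasons:
            print("  -", reason)
```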

According to the researchers, the TeamSpy malware adds various components to the otherwise legitimate TeamViewer application, two of which are a keylogger and a TeamViewer VPN.

The attacks discovered by Heimdal Security are particularly insidious because victims are unable to detect them.

“Given how the TeamSpy infection happens, it is clear that a TeamViewer session started by the attackers will be invisible to the victim. This can lead to numerous forms of abuse against the services that the logged in user runs on his/her computer.” states the analysis shared by Heimdal Security.

“This attack can also circumvent two-factor authentication and can also give cybercriminals access to encrypted content which is unencrypted by the users on their compromised computers.”

At the time of writing, the majority of antivirus software was not able to detect this variant of the TeamSpy malware; it had a detection rate of 15/58 on VirusTotal.

As usual, let me suggest that you avoid opening unwanted emails and that you do not open email attachments from unknown senders.

“We highly recommend that you carefully analyze unwanted emails that you receive and that you don’t download email attachments from unknown senders. Malware can disguise itself in many forms on the web, and all it takes is one click to trigger an infection.” concluded the analysis.

I was contacted by a TeamViewer spokesman, who confirmed to me that there is no flaw in the company’s software:

“The outlined scenario is a post-exploitation action; so, the preceding malware infection is the real threat. We have no evidence to assume a vulnerability of our software. In fact, it is worth highlighting as Heimdal’s Security Evangelist, Andra Zaharia, stresses in her blog post: ‘[W]e have to mention that TeamViewer has not been compromised and is entirely safe to use […]’,” said the spokesman.

Below are the standard recommendations to avoid infection:

  • Users should always keep their software updated, and be certain that patches are installed.
  • Users should avoid all affiliate or adware bundles: While users may think they are just downloading a harmless program, the software could in fact install something else. In many cases, this may just be an irksome browser extension; however, it may also turn out to be malware that can cause extensive damage.
  • Users ought to download TeamViewer only through the official TeamViewer channels.
  • Users should make sure to have reliable anti-malware and security solutions in place.


Pierluigi Paganini

(Security Affairs – cyber espionage, Teamspy malware)
