TeamViewer is a file-sharing and communication program that also lets IT teams remotely access the devices of enterprise employees. Unfortunately, its power as an enterprise tool also makes it popular with cybercriminals, and TeamViewer has, in fact, been used in a range of cybercriminal operations, from account abuse and hacking to phishing schemes. Recently, we investigated another case of misuse.

On January 20, a security researcher going by FewAtoms spotted a malicious URL in the wild. The URL is an open directory that leads would-be victims to a malicious self-extracting archive. Upon further analysis of the archive, we found that it is trojan spyware (detected by Trend Micro as ) that gathers and steals data while disguised as TeamViewer.

If successfully downloaded and executed on a victim's device, the trojan spy creates the folder %User Temp%\PmIgYzA and drops the following files:

- %User Temp%\PmIgYzA\TV.dll (malicious payload)
- %User Startup%\Gateway Layer 1.3957.lnk (shortcut link to the dropped TeamViewer.exe)
- %User Temp%\PmIgYzA\TeamViewer_Resource_fr.dll

Figure 2. (Note: %User Temp% is the current user's Temp folder; %User Startup% is the current user's Startup folder.)

This type of TeamViewer misuse is not new. Malware developers have been known to use the tool to deliver backdoors and keyloggers in a similar way as far back as 2016. We saw that the tool was trojanized by adding a malicious DLL to a legitimate version so that it would be loaded on the victim's device.
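As an added illustration (not code from the original post or from Trend Micro), the following Python triage script checks a constructed host inventory for the two artifacts just described: a Startup-folder shortcut whose target runs from the user's Temp folder, and a Temp subfolder holding TeamViewer.exe next to TV.dll. The user paths, the sample file list and the resolved shortcut targets are all assumptions built for the example.

```python
from pathlib import PureWindowsPath

# Constructed sample inventory (not real data): expanded %User Temp% / %User Startup%
# for a hypothetical user, the files the post lists, plus benign entries for contrast.
USER_TEMP = r"C:\Users\alice\AppData\Local\Temp"
USER_STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_FILES = [
    USER_TEMP + r"\PmIgYzA\TeamViewer.exe",            # legitimate binary, dropped
    USER_TEMP + r"\PmIgYzA\TeamViewer_Resource_fr.dll",
    USER_TEMP + r"\PmIgYzA\TV.dll",                    # malicious payload
    r"C:\Program Files\TeamViewer\TeamViewer.exe",     # a normal install, should not match
]
# .lnk path -> resolved target (on a live host you would read this from the shortcut itself)
SAMPLE_STARTUP_LINKS = {
    USER_STARTUP + r"\Gateway Layer 1.3957.lnk": USER_TEMP + r"\PmIgYzA\TeamViewer.exe",
    USER_STARTUP + r"\OneDrive.lnk": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
}


def _under(path, folder):
    """True if path lies somewhere below folder (Windows paths, case-insensitive)."""
    return PureWindowsPath(folder.lower()) in PureWindowsPath(path.lower()).parents


def startup_links_into_temp(links, user_temp):
    """Startup-folder shortcuts whose target runs from the user's Temp folder."""
    return sorted(lnk for lnk, target in links.items() if _under(target, user_temp))


def teamviewer_sideload_dirs(files, user_temp):
    """Temp subfolders holding TeamViewer.exe next to TV.dll, the side-loading layout."""
    by_dir = {}
    for f in files:
        if not _under(f, user_temp):
            continue
        p = PureWindowsPath(f)
        names = by_dir.setdefault(str(p.parent).lower(), (str(p.parent), set()))[1]
        names.add(p.name.lower())
    return sorted(orig for orig, names in by_dir.values()
                  if {"teamviewer.exe", "tv.dll"} <= names)


def triage(files, links, user_temp):
    """Combine both indicators into one report; an empty dict means nothing matched."""
    report = {}
    if hits := startup_links_into_temp(links, user_temp):
        report["startup_links_into_temp"] = hits
    if dirs := teamviewer_sideload_dirs(files, user_temp):
        report["teamviewer_sideload_dirs"] = dirs
    return report


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_FILES, SAMPLE_STARTUP_LINKS, USER_TEMP).items():
        print(kind, *items, sep="\n  ")
```

On a real host the file list and shortcut targets would come from walking the user's Temp and Startup folders and resolving each .lnk; the heuristics themselves do not change.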