# Get TeamViewer

When you first click the link, you should see this screen: [screenshot]. The program downloads to your computer automatically, and you only need to download it once.

Once the program is launched, this is the screen you will see: [screenshot]. The session code and name fields populate automatically (the name is based on the computer username). You need to fill in the description field yourself.

NOTE: the program MUST BE OPEN for the CAE Help Desk to work on your computer.

This is the screen you will see once an administrator requests control of your computer: [screenshot]. The "cancel" button has a countdown; if you do not allow the administrator access to your computer before it runs out, the request is denied.

While the administrator is controlling your computer, you will still be able to move your mouse and use your keyboard: the administrator does not have complete control but shared control. Note that when you enter a remote control session, your desktop background will be black.

You can exit the remote control session at any time by closing the TeamViewer window (pictured) that appears once you allow the administrator control of your machine. When you are finished speaking with the administrator, hit cancel or close the QuickSupport program.

# Analyzing TeamSpy, malware that gives hackers complete remote control of PCs

TeamViewer, a remote control program, can be very handy when you need remote IT support. Unfortunately, the cybercriminals behind TeamSpy also find the tool quite useful and use it to carry out malicious activity. TeamSpy infects computers by tricking people into downloading a malicious attachment and enabling macros. After that, the malware silently installs TeamViewer, giving the cybercriminals full control of the infected computer.

TeamSpy first appeared back in 2013, when CrySyS Lab and Kaspersky Lab published white papers about its operation. Heimdal Security recently reported that the malware has resurfaced with a targeted spam campaign. We too have seen an uptick and have therefore decided to take a closer look.

Most malware communicates with a command and control (C&C) server after infecting a device. As the name suggests, a C&C server is the control center that sends out the commands the malware carries out; it is also where the malware sends back the data it collects. For this communication, malware authors usually implement a custom protocol, which can be spotted easily, distinguished from other traffic and thus blocked by antivirus solutions. To make detection harder, some malware authors instead use popular remote control programs such as TeamViewer, taking advantage of its VPN network to mask the traffic between their malware and the C&C servers: to a network observer it looks like an ordinary TeamViewer session.

TeamSpy is spread via spam emails designed to trick people into opening an attachment. The attachment is an Excel file with macros. When the attachment is opened, the following screen appears: [screenshot]. Once the targeted person enables the macros, the infection process begins, running completely in the background, so the victim does not notice anything.

If we look inside the malicious macro, we can see slightly obfuscated strings: each is split into one or more substrings, which are later concatenated. [screenshot] The most important pieces of information, circled in red in the screenshot, are a link from which something is downloaded and a password that is used later. The link itself points to a legitimate Russian service for uploading and sharing files.

Although the downloaded file has a PNG extension, it is actually an EXE file; more specifically, it is an Inno Setup installer protected by the password from the macro. With the help of the innounp utility, we were able to easily list and extract the files from the Inno Setup installer used by the malware. As shown in the listing below, most of the files are regular, digitally signed TeamViewer binaries, with the exception of two: msimg32.dll and tvr.cfg. msimg32.dll is normally a DLL that ships as part of the Windows OS; the copy in this package is not the Windows file but the malware itself, placed beside the TeamViewer binaries. tvr.cfg is TeamSpy's configuration file and will be described later.
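The macro's split-and-concatenate trick is mechanical enough to undo without executing the macro. The script below is an added example, not code from the Avast write-up, and the macro text, URL and password in it are constructed placeholders (the `Fetch` call is hypothetical). It walks the assignment lines, joins string literals split with `&`, substitutes variables that were already resolved, and reports every resolved value that looks like a URL. It models only literals, names and `&`; a line that uses anything else (a `Chr()` call, arithmetic, an unknown name) is left unresolved rather than guessed.

```python
"""Resolve split-and-concatenated string literals in a VBA macro.

Added example, not the Avast write-up's code. The macro below is
constructed for the demo: the URL, password and Fetch() call are
placeholders, not values from the real TeamSpy campaign.
"""
import re

SAMPLE_MACRO = r'''
Sub Workbook_Open()
    Dim a As String, b As String, c As String, p As String
    a = "h" & "ttp" & "://"
    b = "files.example" & ".invalid/"
    c = a & b & "tv" & ".p" & "ng"
    p = "Pa" & "ss" & "w0rd!"
    Call Fetch(c, p)
End Sub
'''

ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
LITERAL_RE = re.compile(r'"((?:[^"]|"")*)"')  # VBA doubles a quote to escape it
URL_RE = re.compile(r'https?://\S+')


def _split_amp(expr):
    """Split an expression on '&' characters that sit outside string literals."""
    toks, cur, inq = [], [], False
    for ch in expr:
        if ch == '"':
            inq = not inq
        if ch == '&' and not inq:
            toks.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    toks.append(''.join(cur).strip())
    return toks


def _eval_expr(expr, env):
    """Evaluate an expression made only of literals, known names and '&'.

    Returns None when any token is something this resolver does not model,
    so partial results are never reported as if they were complete.
    """
    parts = []
    for tok in _split_amp(expr):
        m = LITERAL_RE.fullmatch(tok)
        if m:
            parts.append(m.group(1).replace('""', '"'))
        elif tok in env:
            parts.append(env[tok])
        else:
            return None
    return ''.join(parts)


def resolve_strings(macro_text):
    """Return {variable: resolved string} for every fully resolvable assignment."""
    env = {}
    for line in macro_text.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue                      # Sub/Dim/Call lines carry no '='
        name, expr = m.groups()
        val = _eval_expr(expr, env)
        if val is not None:
            env[name] = val               # later lines may build on this value
    return env


def extract_iocs(macro_text):
    """Resolve the macro's strings and pull out the ones that look like URLs."""
    env = resolve_strings(macro_text)
    urls = sorted({v for v in env.values() if URL_RE.fullmatch(v)})
    return env, urls


if __name__ == '__main__':
    env, urls = extract_iocs(SAMPLE_MACRO)
    for name, value in env.items():
        print(f'{name} = {value!r}')
    print('URLs:', urls)
```

Because every assignment is evaluated in order against the values resolved so far, chains such as `c = a & b & ...` come out as one string, which is what the analyst actually wants to see (the download link and the password) rather than the fragments the macro author scattered through the code.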
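A download whose name ends in .png but whose content is a Windows executable is easy to catch from its first bytes, which is the check an analyst would run before handing the file to innounp. The script below is an added example, not code from the write-up: it classifies a blob by the PNG signature or the MZ/PE headers, compares that with what the extension claims, and looks for the `Inno Setup Setup Data (version)` string that Inno Setup writes into the installers it builds. The sample blob is a constructed minimal PE header with that marker appended, not a real installer, and the innounp flags named in the finding (`-v` to list, `-x -p<password>` to extract) come from the tool's usage, not from the write-up.

```python
"""Triage a download that claims to be a PNG but may be an Inno Setup EXE.

Added example, not the Avast write-up's code. SAMPLE_DROP below is a
constructed minimal MZ/PE header plus the Inno Setup marker, not a real
executable; the marker search is a heuristic (a string scan), so treat a
hit as a reason to run innounp, not as proof by itself.
"""
import re
import struct

PNG_SIG = b'\x89PNG\r\n\x1a\n'
INNO_RE = re.compile(rb'Inno Setup Setup Data \(([0-9.]+)')
# What the file content should be for a given claimed extension.
EXPECTED = {'png': 'png', 'exe': 'pe', 'dll': 'pe', 'scr': 'pe'}


def real_type(blob):
    """Classify by magic bytes: 'png', 'pe', 'mz' (DOS stub only) or 'unknown'."""
    if blob.startswith(PNG_SIG):
        return 'png'
    if blob[:2] == b'MZ':
        if len(blob) >= 0x40:
            e_lfanew = struct.unpack_from('<I', blob, 0x3C)[0]  # offset of PE header
            if blob[e_lfanew:e_lfanew + 4] == b'PE\0\0':
                return 'pe'
        return 'mz'
    return 'unknown'


def inno_version(blob):
    """Version from the Inno Setup header marker, or None if absent."""
    m = INNO_RE.search(blob)
    return m.group(1).decode() if m else None


def triage(filename, blob):
    """Return (actual_type, findings) for a download with the given name."""
    claimed = filename.rsplit('.', 1)[1].lower() if '.' in filename else ''
    actual = real_type(blob)
    findings = []
    expected = EXPECTED.get(claimed)
    if expected is not None and expected != actual:
        findings.append(f'extension .{claimed} but content is {actual}')
    if actual == 'pe':
        ver = inno_version(blob)
        if ver:
            findings.append(f'Inno Setup {ver} installer: list with innounp -v, '
                            f'extract with innounp -x -p<password>')
    return actual, findings


def _fake_pe(extra=b''):
    """Constructed minimal MZ header whose e_lfanew points at a 'PE\\0\\0' stub."""
    hdr = bytearray(0x40)
    hdr[0:2] = b'MZ'
    struct.pack_into('<I', hdr, 0x3C, 0x40)
    return bytes(hdr) + b'PE\0\0' + extra


# Constructed sample: a "PNG" that is really an Inno Setup installer.
SAMPLE_DROP = _fake_pe(b'\x00' * 16 + b'Inno Setup Setup Data (5.5.9)' + b'\x00' * 8)


if __name__ == '__main__':
    kind, notes = triage('tv.png', SAMPLE_DROP)
    print(kind)
    for n in notes:
        print(' -', n)
```

Checking `e_lfanew` rather than just the `MZ` prefix matters in practice: plenty of non-executable formats and truncated downloads start with `MZ`, and only a valid `PE\0\0` at the offset the DOS header points to says the file will actually load as a PE image.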