After a respite of almost four years, the data-stealing TeamSpy malware has resurfaced, or at least that is what a spam campaign detected over the weekend suggests, researchers say.
Researchers at the CrySyS Lab in Hungary first identified the malware in March 2013, when they traced it back to a years-long espionage campaign. At the time the researchers surmised that the attack, which focused on high-profile industrial, research and diplomatic targets, may have been under way for as long as 10 years.
Researchers from Danish firm Heimdal Security said on Monday they observed a new campaign launched over the weekend spreading the malware. The campaign relies heavily on spamming victims and tricking them into opening a rigged .zip file that’s disguised as an e-fax file.
Once the victim extracts the .zip and runs the .exe nested inside it, the executable drops a malicious DLL, MSIMG32.dll, onto the machine. MSIMG32.dll is the name of a legitimate Windows library; because Windows searches an application's own directory before the system directory, an attacker-supplied copy placed beside a program is loaded in place of the real one. This DLL hijacking is how the malware gets its code to run: the hijacked library writes system usernames and passwords to a text file named with the pattern "Log%s#%.3u.txt" and sends it to the attackers' command-and-control server.
The malware, like the samples unearthed in 2013, includes components from the legitimate remote-support application TeamViewer. Where earlier attacks blended TeamViewer components with malware modules, the most recent strain combines TeamViewer's VPN tool with a keylogger.
According to Andra Zaharia, a security evangelist with the firm, a TeamViewer executable is among the files dropped into the victim's %SystemDrive% directory. TeamViewer DLLs such as TeamViewer_Resource_en.dll and TeamViewer_StaticRes.dll are dropped alongside it.
According to Zaharia, the attack uses TeamViewer to thwart detection. Because the attackers work through a TeamViewer session that runs in the context of the logged-in user, they can reach content the user has already decrypted or unlocked and never have to pass two-factor authentication themselves. All of this happens without the victim's knowledge; operating through the session makes the attackers practically invisible.
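The two host artefacts the report names (a copy of MSIMG32.dll dropped beside a TeamViewer executable outside the Windows system directories, and a credential log named from the printf pattern "Log%s#%.3u.txt") are easy to hunt for on disk. The following script is an added example, not code from Heimdal or the original article. It builds a constructed directory tree with one legitimate TeamViewer install, one sideloading drop site and one stray DLL, then scans it; the drop-site paths, the log file name "Logtvsvc#001.txt" and the assumption that MSIMG32.dll in System32 or SysWOW64 is legitimate are all illustrative choices for this example.

```python
"""Hunt for TeamSpy-style DLL sideloading artefacts in a filesystem tree.

Added example. Indicators drawn from the report:
  * msimg32.dll outside Windows\\System32 / SysWOW64 (sideloading candidate),
    scored higher when TeamViewer files sit in the same directory;
  * a credential log named from the printf pattern "Log%s#%.3u.txt".
The directory layout produced by build_sample_tree() is constructed for this
example and contains no real malware.
"""
import os
import re
import tempfile

# Windows resolves a DLL from the application directory before the system
# directory, so a copy of this legitimately named library next to an .exe is
# the hallmark of search-order hijacking.
HIJACK_DLL = "msimg32.dll"
# File names the report says are dropped with the malicious DLL.
TEAMVIEWER_MARKERS = {
    "teamviewer.exe",
    "teamviewer_resource_en.dll",
    "teamviewer_staticres.dll",
}
# "Log%s#%.3u.txt": "Log", any string, "#", at least three digits, ".txt".
LOG_RE = re.compile(r"^log.*#\d{3,}\.txt$", re.IGNORECASE)
# Directories where msimg32.dll is expected (assumption for this example).
SYSTEM_DIRS = ("windows/system32", "windows/syswow64")


def _rel(path, root):
    """Root-relative path with forward slashes, lower-cased for comparison."""
    return os.path.relpath(path, root).replace("\\", "/")


def is_system_dir(dirpath, root):
    return _rel(dirpath, root).lower().startswith(SYSTEM_DIRS)


def scan(root):
    """Walk `root` and return a sorted list of indicator dicts."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        if HIJACK_DLL in names and not is_system_dir(dirpath, root):
            findings.append({
                "kind": "sideload_dll",
                "path": _rel(dirpath, root),
                # A TeamViewer binary beside the DLL matches the report exactly.
                "beside_teamviewer": bool(names & TEAMVIEWER_MARKERS),
            })
        for f in files:
            if LOG_RE.match(f):
                findings.append({
                    "kind": "credential_log",
                    "path": _rel(os.path.join(dirpath, f), root),
                    "beside_teamviewer": bool(names & TEAMVIEWER_MARKERS),
                })
    return sorted(findings, key=lambda x: (x["kind"], x["path"]))


def build_sample_tree(base):
    """Create a constructed layout: one clean install, one drop site, one stray DLL."""
    layout = {
        "Windows/System32": ["msimg32.dll"],                  # legitimate copy
        "Program Files/TeamViewer": ["TeamViewer.exe"],       # clean install
        "ProgramData/tvsvc": ["TeamViewer.exe", "msimg32.dll",
                              "TeamViewer_Resource_en.dll",
                              "TeamViewer_StaticRes.dll",
                              "Logtvsvc#001.txt"],           # drop site
        "Users/Public": ["msimg32.dll"],                      # stray copy, no TeamViewer
    }
    for rel_dir, files in layout.items():
        d = os.path.join(base, *rel_dir.split("/"))
        os.makedirs(d, exist_ok=True)
        for f in files:
            with open(os.path.join(d, f), "wb") as fh:
                fh.write(b"placeholder")  # contents are irrelevant to the hunt
    return base


def demo():
    """Build the sample tree in a temp dir and scan it."""
    root = build_sample_tree(tempfile.mkdtemp(prefix="teamspy_hunt_"))
    return scan(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The legitimate install under Program Files produces no finding, and the copy in System32 is ignored; only the drop site (DLL plus TeamViewer files plus a log file) and the stray DLL are reported. On a real host you would point `scan()` at the system drive and treat a `sideload_dll` hit with `beside_teamviewer` set as the strongest signal.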
It is unclear whether this campaign is related to the previously uncovered TeamSpy campaigns, but it would not be far-fetched for the same group to be involved.
CrySyS researchers said in 2013 that there was a clear connection between the samples they observed and that one group was likely responsible for a series of campaigns spanning 10 years and targeting victims in the US, Canada, China and Brazil.
“The attackers use distinct tools for nearly every simple activity – this means that most likely the group is small and technically professional people carry out all types of activities, including strategic planning and executing the attacks,” CrySyS researchers said of the attacks at the time.
When reached on Tuesday, a spokesperson for TeamViewer said the company was investigating Heimdal's report but had no reason to assume a vulnerability in the software was in play.
“This is obviously a post-exploit action, so the real issue is the preceding malware infection,” TeamViewer said in a statement, adding that users should nonetheless keep their software updated, avoid affiliate or bundled downloads, and obtain TeamViewer only through official channels.