Saturday, June 22, 2024

Malicious Hackers Abuse TeamViewer & RMS Using Malware to Steal Money From Victim Organizations' Accounts

Cybercriminals are distributing malware that abuses legitimate remote administration tools, TeamViewer and RMS, to gain remote control of victims' systems and steal money from the targeted organizations.

The attackers have been targeting industrial companies since 2017, and the campaign is still spreading the malware to new organizations.

The main goal of the attack is to steal money from the targeted organization by compromising it through remote administration software.

The attackers also use several new techniques to evade detection on the targeted system. Once the malware is installed, they connect to the system remotely and search for purchase documents and for the financial and accounting software in use.

They then use the collected details to commit financial fraud, attempting to redirect payments by spoofing the bank details in payment documents.

Researchers believe that at least 400 industrial companies in Russia have been targeted by this attack, including companies in the following industries:

  • Manufacturing
  • Oil and gas
  • Metallurgy
  • Engineering
  • Energy
  • Construction
  • Mining
  • Logistics

After gaining initial access, the attackers use additional, more sophisticated malware for post-exploitation: privilege escalation to obtain local administrator rights, theft of user authentication data for financial software and services, and theft of Windows account credentials for lateral movement.

The malware pack can include spyware, extra remote administration utilities that extend the attackers' control over compromised systems, and malware that exploits known vulnerabilities in the operating system.

TeamViewer & RMS Infection Vector

The malware initially spreads through a phishing email campaign. The emails carry an attachment that purports to relate to finance and lure the victim into following a link that downloads the malware from one of several sources.

The malware used in these attacks installs legitimate remote administration software, either TeamViewer or Remote Manipulator System/Remote Utilities (RMS).

The attackers use several techniques to launch the malware on the victim's machine, as discussed above, including a specially crafted script for the Windows command interpreter.

Once the script has copied the malicious files onto the system, it deletes itself and launches the legitimate Remote Manipulator System/Remote Utilities (RMS) software, which lets the attackers control the infected system.

The attackers use TeamViewer in the same way, but in the TeamViewer variant the stolen data is sent to the malware's command-and-control server, whereas the RMS variant sends it by email.

When the malware launches RMS, the program loads DLLs for some of its operations, such as printer handling. One of these libraries is loaded insecurely, which lets the attackers substitute their own DLL for the legitimate one (a DLL hijacking attack).
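As an added illustration (not code from the article or from Kaspersky's report), the following Python models the Windows DLL search order for a process and reports which imported DLLs would be resolved outside the trusted system directories, which is exactly the condition a DLL hijacking attack like the one described above relies on. The directory listing, the import list and the file names (including winspool.drv as a stand-in for a printer-related DLL, and rutserv.exe as the RMS binary) are constructed sample data, and the search order is simplified: it ignores KnownDLLs, API sets and manifest redirection.

```python
"""Added example: a simplified model of the Windows DLL search order used to
spot imports that a planted DLL could hijack. Not code from the article or
from Kaspersky's report; all paths and listings below are constructed."""

SYSTEM32 = r"C:\Windows\System32"
WINDOWS = r"C:\Windows"

# Constructed sample: RMS dropped into a user-writable temp directory, with a
# DLL planted next to it that carries the name of a print-spooler library.
APP_DIR = r"C:\Users\victim\AppData\Local\Temp\rms"
CWD = r"C:\Users\victim"
IMPORTS = ["kernel32.dll", "user32.dll", "winspool.drv"]
FILESYSTEM = {
    APP_DIR: {"rutserv.exe", "winspool.drv"},
    SYSTEM32: {"kernel32.dll", "user32.dll", "winspool.drv"},
}
TRUSTED_DIRS = {SYSTEM32, WINDOWS}


def search_order(app_dir, cwd, path_dirs=()):
    """Default search order with SafeDllSearchMode on (the Windows default).

    Simplified: KnownDLLs, API sets and manifest redirection are ignored."""
    return [app_dir, SYSTEM32, WINDOWS, cwd, *path_dirs]


def resolve(dll_name, order, filesystem):
    """Directory in which the loader would find dll_name, or None.

    filesystem maps a directory to the file names it contains; NTFS name
    comparison is case-insensitive, so names are lower-cased."""
    want = dll_name.lower()
    for directory in order:
        if want in {f.lower() for f in filesystem.get(directory, ())}:
            return directory
    return None


def hijack_candidates(imports, order, filesystem, trusted_dirs):
    """Imports that resolve somewhere other than a trusted directory.

    Each hit is a DLL the loader picks up from a directory the attacker
    controls before it ever reaches the legitimate copy."""
    findings = {}
    for dll in imports:
        where = resolve(dll, order, filesystem)
        if where is not None and where not in trusted_dirs:
            findings[dll] = where
    return findings


if __name__ == "__main__":
    order = search_order(APP_DIR, CWD)
    for dll, where in hijack_candidates(IMPORTS, order, FILESYSTEM, TRUSTED_DIRS).items():
        legit = resolve(dll, [SYSTEM32, WINDOWS], FILESYSTEM)
        print(f"{dll}: loaded from {where} instead of {legit}")
```

On the application side, the fix for this class of bug is to load such libraries by absolute path or with LoadLibraryEx and LOAD_LIBRARY_SEARCH_SYSTEM32; on the defender side, a DLL bearing a system library's name appearing in a user-writable directory next to a remote administration binary is worth an alert.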

The attackers also modify the remote administration tool's executable so that it runs on the targeted system, which gives them the following capabilities:

  • Remotely controlling the system (RDP)
  • Transferring files to and from the infected system
  • Controlling power on the infected system
  • Remotely managing the processes of running applications
  • Remote shell (command line)
  • Managing hardware
  • Capturing screenshots and screen videos
  • Recording sound and video from recording devices connected to the infected system
  • Remote management of the system registry

The infected machine's name, the username, the RMS machine's Internet ID and other details extracted from configuration files are then sent to the attackers by email.

According to Kaspersky researchers, hooking Windows API functions enables the attackers to hide TeamViewer windows, protect the malware's files from being detected, and control TeamViewer's startup parameters.

Finally, the malware applies configuration files that contain parameters such as "the password used for remotely controlling the system, URL of the attackers' command-and-control server, parameters of the service under whose name TeamViewer will be installed, the User-Agent field of the HTTP header used in requests sent to the command-and-control server, VPN parameters for TeamViewer, etc."
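Because the configuration lets the attackers choose the name of the service under which TeamViewer is installed, a defender cannot rely on the service being called "TeamViewer" or on it living in Program Files. The following Python is an added example (not code from the article or from Kaspersky's report) of a check over exported Windows service records that flags TeamViewer or Remote Utilities binaries registered under an unexpected service name or outside their usual install directory. The service records are constructed, and the baseline service names (TeamViewer, RManService) and install directories are assumptions for this example that you should replace with values taken from a known-good install in your own environment.

```python
"""Added example: audit exported Windows service records for TeamViewer or
Remote Utilities (RMS) binaries registered under an unexpected service
name or path. Not code from the article or from Kaspersky's report; the
service records are constructed and the baseline values are assumed."""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Service:
    name: str          # service key name, as shown by `sc query`
    display_name: str
    path_name: str     # ImagePath as stored in the registry; may be quoted and carry arguments


# Assumed baseline for legitimate installs; take these from a gold image.
BASELINE = {
    "teamviewer_service.exe": {
        "service_names": {"teamviewer"},
        "dirs": {r"c:\program files\teamviewer",
                 r"c:\program files (x86)\teamviewer"},
    },
    "rutserv.exe": {
        "service_names": {"rmanservice"},
        "dirs": {r"c:\program files\remote utilities - host",
                 r"c:\program files (x86)\remote utilities - host"},
    },
}

# Constructed sample records: two legitimate installs, two rogue ones and one unrelated service.
SAMPLE_SERVICES = [
    Service("TeamViewer", "TeamViewer", r'"C:\Program Files\TeamViewer\TeamViewer_Service.exe"'),
    Service("WinUpdSvc", "Windows Update Helper", r'"C:\ProgramData\WinUpd\TeamViewer_Service.exe"'),
    Service("RManService", "Remote Utilities - Host", r'"C:\Program Files\Remote Utilities - Host\rutserv.exe" -service'),
    Service("PrintSpoolerEx", "Print Spooler Extension", r"C:\Users\Public\Libraries\rutserv.exe -service"),
    Service("Spooler", "Print Spooler", r"C:\Windows\System32\spoolsv.exe"),
]


def image_path(path_name):
    """Extract the executable path from an ImagePath value.

    Quoted paths end at the closing quote; unquoted ones are cut after
    the first '.exe' so that trailing arguments are dropped."""
    s = path_name.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    i = s.lower().find(".exe")
    return s[:i + 4] if i != -1 else s.split()[0]


def audit(services):
    """Return (service name, binary, reasons) for every record whose binary
    is a known remote-admin tool but whose name or directory is off-baseline."""
    findings = []
    for svc in services:
        exe = PureWindowsPath(image_path(svc.path_name))
        rule = BASELINE.get(exe.name.lower())
        if rule is None:
            continue
        reasons = []
        if svc.name.lower() not in rule["service_names"]:
            reasons.append(f"unexpected service name {svc.name!r}")
        if str(exe.parent).lower() not in rule["dirs"]:
            reasons.append(f"unexpected install directory {str(exe.parent)!r}")
        if reasons:
            findings.append((svc.name, exe.name, reasons))
    return findings


if __name__ == "__main__":
    for name, binary, reasons in audit(SAMPLE_SERVICES):
        print(f"{name} ({binary}): " + "; ".join(reasons))
```

The check keys on the binary's file name rather than on the service name precisely because the service name is attacker-controlled here; an attacker who also renames the binary would evade it, so in practice pair it with a hash or signer check on the image file.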

The attackers also deploy additional spyware on victim computers to collect logins and passwords for mailboxes, websites and SSH/FTP/Telnet clients, as well as to log keystrokes and take screenshots.

These additional malware families are capable of the following malicious activities:

  • Logging keystrokes
  • Taking screenshots
  • Collecting system information and information on installed programs and running processes
  • Downloading additional malicious files
  • Using the computer as a proxy server
  • Stealing passwords from popular programs and browsers
  • Stealing cryptocurrency wallets
  • Stealing Skype correspondence
  • Conducting DDoS attacks
  • Intercepting and spoofing user traffic
  • Sending any user files to the command-and-control server

Indicators of compromise for these attacks on remote administration tools are available from the Kaspersky researchers who documented the campaign.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
