Malicious Hackers Abuse TeamViewer & RMS using Malware to Steal Money From Victim Organizations Accounts

Cybercriminals distributing powerful malware that abuse legitimate remote administration tools such as TeamViewer & RMS to gain the victim’s system control remotely and steal money from the target organization.

Attackers continuously targeting the industrial companies in different origins since 2017 and still the malware campaign distributing into various organizations.

The main goal of the attack is to steal the money from the targeted organization by compromising them via remote administration software.

Also, cybercriminals using the various new technique to evade the detection in the targeted system. Once the malware installed, the attacker connected to the targeted system to find the purchase documents, as well as the financial and accounting software used.

Criminals later used those collected details to commit the financial fraud and try to make the payment by spoofing the bank details.

Researcher believes that at least 400 industrial companies in Russia have been targeted by this attack, including companies in the following industries:

• Manufacturing
• Oil and gas
• Metallurgy
• Engineering
• Energy
• Construction
• Mining
• Logistics

After this case, attackers using various sophisticated malware in order to perform post exploitation such as privilege escalation and obtaining local administrator privileges, the theft of user authentication data for financial software and services, or Windows accounts for lateral movement.

The malware pack can incorporate spyware, extra remote organization utilities that expand the aggressors’ control of compromised systems, malware that can exploit the OS using various known vulnerabilities.

TeamViewer & RMS Infection Vector

Initially, malware spreading via phishing email campaign with an attachment that posed to connection with finance and compromises victims to follow the link that leads to downloading malware from various sources.

The malware used in these attacks installs legitimate remote administration software – TeamViewer or Remote Manipulator System/Remote Utilities (RMS).

An attacker using various techniques to launch the malware into the victim’s machine as we discussed above, such as poisoning or specially crafted script for the Windows command interpreter.

Once the script copying the malicious files into the system then it deletes itself and launching the legitimate Remote Manipulator System/Remote Utilities (RMS) software that enables attackers to control the infected system.

Same as RMS, attackers also using Teamviewer, but this case, stolen data using Teamviewer send to malware command and control server unlike RMS which send the data via Email.

When the malware launches the RMS, it loads the DLL’s for some of the program operations to control the printers, also its loads DLL library insecurely that leads to conduct a DLL hijacking attack.

Aslo attacker modifying the Remote administrative tools executable file to make it available on the targeted system that helps to perform following actvities by attackers.

• Remotely controlling the system (RDP)
• Transferring files to and from the infected system
• Controlling power on the infected system
• Remotely managing the processes of running application
• Remote shell (command line)
• Managing hardware
• Capturing screenshots and screen videos
• Recording sound and video from recording devices connected to the infected system
• Remote management of the system registry

Later on infected machines name, username, the RMS machine’s Internet ID, etc will share into attacker via email that extracted from configuration files.

According to Kaspersky researcher, Hooking Windows API functions enables attackers to hide TeamViewer windows, protect malware files from being detected, and control TeamViewer startup parameters.

Finally Malware launching the configuration files that contains various parameter such as “the password used for remotely controlling the system, URL of the attackers’ command-and-control server, parameters of the service under whose name TeamViewer will be installed, the User-Agent field of the HTTP header used in requests sent to the command-and-control server, VPN parameters for TeamViewer, etc.”