Cybercriminals are distributing malware that abuses legitimate remote administration tools such as TeamViewer and RMS to gain remote control of victims' systems and steal money from the targeted organizations.
Attackers have been targeting industrial companies since 2017, and the malware campaign is still being distributed to various organizations.
The main goal of the attack is to steal money from the targeted organization by compromising it via remote administration software.
The cybercriminals also use various new techniques to evade detection on the targeted system. Once the malware is installed, the attackers connect to the targeted system to look for purchase documents and to identify the financial and accounting software in use.
The criminals then use the collected details to commit financial fraud, attempting to make payments with spoofed bank details.
Researchers believe that at least 400 industrial companies in Russia have been targeted by this attack, including companies in the following industries:
After gaining access, the attackers use various sophisticated malware tools for post-exploitation: privilege escalation and obtaining local administrator privileges, theft of user authentication data for financial software and services, and theft of Windows account credentials for lateral movement.
The malware pack can include spyware, additional remote administration utilities that extend the attackers' control of compromised systems, and malware that exploits known vulnerabilities in the operating system.
Initially, the malware spreads via phishing emails with an attachment that poses as finance-related correspondence and lures victims into following a link that downloads the malware from various sources.
The malware used in these attacks installs legitimate remote administration software – TeamViewer or Remote Manipulator System/Remote Utilities (RMS).
As discussed above, the attackers use various techniques to launch the malware on the victim's machine, including a specially crafted script for the Windows command interpreter.
Once the script has copied the malicious files onto the system, it deletes itself and launches the legitimate Remote Manipulator System/Remote Utilities (RMS) software, which lets the attackers control the infected system.
The attackers also use TeamViewer in the same way, but in that case the stolen data is sent to the malware's command-and-control server, whereas the RMS variant sends the data via email.
When the malware launches RMS, the program loads DLLs for some of its operations, including printer control, and it loads one of these libraries insecurely, which enables a DLL hijacking attack.
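As an added illustration (not code from the article or from Kaspersky's report), the following Python snippet shows how the infection chain described above translates into detection logic over process-creation and image-load telemetry: it flags a TeamViewer/RMS binary spawned by a script interpreter or running outside Program Files, and a system-DLL name loaded by that binary from the tool's own directory, which is the DLL hijacking pattern mentioned above. The executable names, the DLL name list and the sample events are assumptions constructed for the example.

```python
import ntpath

# Assumed executable names of the remote administration tools the article
# describes (TeamViewer and Remote Manipulator System / Remote Utilities).
REMOTE_ADMIN_TOOLS = {"teamviewer.exe", "rutserv.exe", "rfusclient.exe"}

# Interpreters that a "specially crafted script for the Windows command
# interpreter" would run under.
SCRIPT_INTERPRETERS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}

# Where a legitimately installed copy of the tools is expected to live.
TRUSTED_INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_DLL_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# System DLL names that should only resolve from the Windows directories; a
# same-named copy loaded from the tool's own folder is a side-loading candidate.
# The names are assumptions for the example, not taken from the report.
SYSTEM_DLL_NAMES = {"winspool.drv", "version.dll", "cryptbase.dll", "profapi.dll"}


def _name(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes)."""
    return ntpath.basename(path).lower()


def _under(path, roots):
    """True if the path lies beneath any of the given directory prefixes."""
    lowered = path.lower()
    return any(lowered.startswith(root) for root in roots)


def check_process(event):
    """Flag a remote-admin tool launched by a script or from an odd path."""
    findings = []
    if _name(event["image"]) not in REMOTE_ADMIN_TOOLS:
        return findings
    if _name(event.get("parent_image", "")) in SCRIPT_INTERPRETERS:
        findings.append("remote-admin tool spawned by a script interpreter")
    if not _under(event["image"], TRUSTED_INSTALL_ROOTS):
        findings.append("remote-admin tool running outside Program Files")
    return findings


def check_image_load(event):
    """Flag a system DLL name resolved from outside the Windows directories."""
    findings = []
    if _name(event["image"]) not in REMOTE_ADMIN_TOOLS:
        return findings
    loaded = event["loaded"]
    if _name(loaded) in SYSTEM_DLL_NAMES and not _under(loaded, SYSTEM_DLL_ROOTS):
        findings.append(
            f"{_name(loaded)} loaded from {ntpath.dirname(loaded)} (DLL hijack candidate)"
        )
    return findings


def scan(events):
    """Return [(event_id, [reasons])] for every event that raised a finding."""
    hits = []
    for event in events:
        check = check_process if event["type"] == "process" else check_image_load
        reasons = check(event)
        if reasons:
            hits.append((event["id"], reasons))
    return hits


# Constructed sample telemetry (Sysmon-like process-create and image-load events).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 2, "type": "process",
     "image": r"C:\Users\Public\Libraries\rutserv.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"id": 3, "type": "imageload",
     "image": r"C:\Users\Public\Libraries\rutserv.exe",
     "loaded": r"C:\Users\Public\Libraries\winspool.drv"},
    {"id": 4, "type": "imageload",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "loaded": r"C:\Windows\System32\winspool.drv"},
    {"id": 5, "type": "process",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: " + "; ".join(reasons))
```

Only events 2 and 3 are reported: the legitimately installed TeamViewer (events 1 and 4) and an unrelated process spawned by cmd.exe (event 5) stay quiet. In a real deployment the same two checks map directly onto Sysmon event ID 1 (process create) and event ID 7 (image load), with the trusted roots and DLL list tuned to the environment.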
The attackers also modify the remote administration tool's executable file to make it available on the targeted system, which helps them carry out the following activities.
The infected machine's name, the user name, the RMS machine's Internet ID and other details extracted from the configuration files are then sent to the attackers via email.
According to Kaspersky researchers, hooking Windows API functions enables the attackers to hide TeamViewer windows, protect malware files from detection, and control TeamViewer's startup parameters.
Finally, the malware loads configuration files that contain various parameters, such as “the password used for remotely controlling the system, URL of the attackers’ command-and-control server, parameters of the service under whose name TeamViewer will be installed, the User-Agent field of the HTTP header used in requests sent to the command-and-control server, VPN parameters for TeamViewer, etc.”
Additional malware families are capable of the following malicious activities.
You can find the indicators of compromise for these attacks that abuse remote administration tools.