Saturday, January 25, 2025
HomeCyber Security NewsRussian Hackers Bypass EDR to Deliver a Weaponized TeamViewer Component

Russian Hackers Bypass EDR to Deliver a Weaponized TeamViewer Component

Published on

SIEM as a Service

Follow Us on Google News

TeamViewer’s popularity and remote access capabilities make it an attractive target for those seeking to compromise systems for their gain.

Threat actors target TeamViewer for their illicit purposes because it is a widely used remote desktop software with potential security weaknesses. 

Exploiting vulnerabilities in TeamViewer can provide unauthorized access to systems and sensitive data, enabling cybercriminals to carry out various malicious activities, such as data theft, financial fraud, or even using compromised systems to launch attacks on other targets.

In late 2022, QiAnXin Threat Intelligence Center identified a new threat actor group using fake software download sites with manipulated search rankings to distribute unofficial but seemingly valid installation packages created with Inno Setup.

Russian Hackers Bypass EDR

Attribution was challenging due to the attackers’ complex attack chain and manual operations. 

In mid-2023, TeamViewer’s DLL Sideloading was delivered via SFTP, hinting at a connection to the attacks on security researchers in 2021.

Phishing activity timeline
Phishing activity timeline (Source – Qianxin)

The execution chain focuses on SSH reverse tunnels, leveraging OpenSSH to bypass EDR endpoint detection. 

Attackers employed sftp-server.exe to deliver the TeamViewer hijacking component, revealing the use of MINEBRIDGE RAT. 

AnyDesk and PsExec were also used for lateral propagation, with data decryption occurring within the victim’s user context.

Attack chain
Attack chain (Source – Qianxin)

In total, four legitimate signatures were used in this phishing operation, some still valid in the report, with an enigmatic use of Amadey Trojan.

  • GUTON LLC: FC2BDF5BD23470669F63B9A5BAE6305160DCBC67
  • NTB CONSULTING SERVICES INC: A05536924F1BA8F99BA6B1AA3C97B809E32A477E
  • OOO RIMMA: A1C753F5271F24B8067AC864BB4192C37265840C
  • KATEN LLC: 9A865A28A85CABC3F79C88BE54AF3B20962BC35C

Researchers uncovered a new MINEBRIDGE RAT variant with LLVM obfuscation, removing old C&C instructions. 

The sample retrieves a DLL from the server to execute PowerShell commands for SSH component download, consistent with previous scripts.

Attribution

The group has been active since 2021 based on domain registration times. They used Cloudflare CDN to obscure their IP, but few OSINT reports on MINEBRIDGE made tracking challenging.

QiAnXin’s data shows that the malicious domains communicated with both corporate dedicated lines and home broadband in mainland China during their Cloudflare CDN phase.

The enterprises involved were in the following sectors:-

  • Cryptocurrency
  • Electronic components
  • Technology
  • Investment
  • Healthcare

Recent findings suggest Storm-0978 (RomCom), TA505, and MINEBRIDGE have strong connections, possibly indicating shared activities beyond economic motivations.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

PayPal Fined $2 Million Fine For Violating Cybersecurity Regulations

The New York State Department of Financial Services (NYDFS) has imposed a $2 million...