Backdoor Abuses TeamViewer to Load Malicious Library

Monday, May 30, 2016

Ionut Arghire

Fa42af438e58b799189dd26386f5870f

Malicious programs have been long known to abuse TeamViewer to gain unauthorized access to infected machines, and a new piece of malware leverages the popular remote control tool in new ways, security firm Doctor Web has discovered.

Dubbed BackDoor.TeamViewer.49, the new Trojan was discovered by Dr. Web and Yandex earlier this month being distributed via a fake Flash Player update. The bogus update package, however, turns out to be a different malicious application called Trojan.MulDrop6.39120, which acts as a dropper, Dr. Web researchers say.

After landing on the target machine, the MulDrop6 Trojan installs the actual Flash Player, while also displaying a legitimate installation window for the popular plugin. In the background, however, the Trojan also covertly downloads TeamViewer, BackDoor.TeamViewer.49, and a necessary configuration file onto the compromised system. 

The newly observed BackDoor.TeamViewer.49 doesn’t leverage TeamViewer to get access to the user’s computer, since it has already managed to infiltrate the machine. As soon as the remote control app has been launched, the backdoor removes its icon from the Windows notification area, disables error reporting, and implements a mechanism that prevents it from being restarted.

The Trojan uses various internal functions of TeamViewer’s process and also abuses the fact that the application calls for a library called avicap32.dll. By creating a malicious library with the same name in the application’s folder, malware authors can have it automatically loaded to the memory at launch of TeamViewer.

The backdoor saves operational parameters in the configuration file and registers itself to autorun, which allows it to operate in infinite loop. It then hides its download folder, the malicious library, and the configuration file, while also assigning them the “system” attributes. If it fails, the Trojan starts removing the TeamViewer keys from the system registry.

Responsible for the backdoor’s malicious activity is an encrypted library hardcoded in the Trojan's body, which contains names of the servers from which instructions can be delivered. The Trojan can execute several commands on the infected machines and uses encryption when communicating with the server.

Doctor Web researchers say that the backdoor’s main functions are “to establish connection to the server (including authorization to it) and to redirect traffic from the server to the specified remote server via the infected computer.” This approach allows cybercriminals to remain anonymous on the Web when connecting to remote servers, because they can use infected computers as proxy servers.

TeamViewer has already published a statement on this issue, explaining that it is not a TeamViewer security breach, but a scenario in which a piece of malware abuses TeamViewer’s legitimate software. The real problem here is that, once it has infiltrated a computer, a malicious program allows perpetrators to virtually do anything.

"The perpetrators spread TeamViewer through a malware. This does not make TeamViewer a malware or vulnerable program. In fact, this procedure can be applied to any number of legitimate programs such as TeamViewer," the statement reads.

In February, CrowdStrike’s 2015 Global Threat Report revealed that TeamViewer malware has been used in cyber espionage operations. However, malicious programs intended solely for criminal purposes are abusing this legitimate application as well, including the Cherry Picker POS malware that was detailed in November last year.

*Updated to mention TeamViewer's statement.

19774
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.