Hackers Use Weaponized TeamViewer To Attack And Get Full Control Of Government Networks - Cybers Guards

TeamViewer is a well-known tool for remote desktop control, desktop sharing, online meetings, web conferencing and file transfer. Based on the entire infection chain, the tools designed and used for this attack, and subsequent activity, researchers believe the attack was carried out by a financially motivated, Russian-speaking hacker. A recent malicious campaign repeatedly abuses TeamViewer to deliver powerful malware that steals sensitive information and money from various government and financial networks by means of a malicious TeamViewer DLL.

Weaponized TeamViewer Infection Chain

The initial stage of the infection chain starts with a spam email carrying a malicious XLSM attachment with embedded macros, titled "Military Financing Program". Posing as a document from the US Department of State, it is a well-crafted malicious document marked "Top Secret" to persuade the victim to open it. Once the victim opens the macro lure document, the XLSM document extracts two files from hex-encoded cells. The first is a legitimate AutoHotkeyU32.exe program; the second is AutoHotkeyU32.ahk, an AHK script that communicates with the C&C server and downloads and executes additional scripts.

There are three malicious AHK scripts, each carrying out different actions. In this case the threat actor uses the TeamViewer DLL side-loading technique (htv.ahk), which allows the attacker to add more functionality to TeamViewer. The attackers use this technique to hide the TeamViewer interface and to save the current TeamViewer session credentials to a text file, enabling them to transfer and execute additional EXE or DLL files.

[Figure: remote demonstration of payload execution]

According to Check Point Research, once the malicious TeamViewer provides remote access, one of the first uses of the AutoHotKey scripts is to upload a screenshot from the infected PC. Based on telemetry records, this attack targeted countries such as Nepal, Guyana, Kenya, Italy, Liberia, Bermuda and Lebanon, focusing on public-sector finance and public officials. Indicators of compromise were published for the malicious DLLs, the lure documents and the C&C servers.
