A recent malicious campaign has been continuously using TeamViewer to deliver powerful malware that steals sensitive data and money from various government and financial networks, by means of a malicious TeamViewer DLL. Based on the entire infection chain, the tools designed and used for this attack, and related underground activity, the researchers believe that the attack was carried out by a financially motivated Russian-speaking hacker. TeamViewer is a well-known tool for remote desktop control, desktop sharing, online meetings, web conferencing and file transfer.
Weaponized TeamViewer Infection Chain
The initial stage of the infection chain starts with a spam email carrying a malicious XLSM document that contains a macro, themed as a "Military Financing Program". Posing as a document from the US Department of State, it is a well-crafted malicious document clearly intended to persuade the victim to open it. Once the victim opens the macro-enabled decoy document, the XLSM document extracts two files from its hex-encoded cells: the first is a legitimate AutoHotkeyU32.exe program, and the second is AutoHotkeyU32.ahk, an AHK script that communicates with the C&C server and downloads and executes additional scripts.
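The technique described above, a dropper macro reading an executable and a script back out of hex-encoded cells, can be detected from the spreadsheet itself before any macro runs. The following is an added example written for this article and not code from the original report or from Check Point: it scans cell values for long hex runs, decodes them, classifies each decoded blob (MZ/PE header, printable script text, or other binary), and reassembles a whole sheet in row order the way a dropper would. The 64-hex-digit threshold, the helper names, the optional openpyxl loader and the sample cells (a constructed DOS/PE header stub and a constructed script, no real malware) are all assumptions of this example.

```python
"""Heuristic scanner for executables and scripts hidden as hex strings in spreadsheet cells.

Added example (not from the original article): flags cells that contain long hex runs,
decodes them, classifies the result, and reassembles a whole sheet in row order,
because a macro that drops a file typically concatenates many cells.
"""
import binascii
import re
from typing import Dict, Iterable, List, Tuple

# (sheet name, row, column, cell value), as a workbook reader would hand them over
Cell = Tuple[str, int, int, object]

# A run of 64 or more hex digits. The threshold is an assumption: it skips hashes
# and GUIDs but catches any chunk of an embedded file.
HEX_RUN = re.compile(r"[0-9A-Fa-f]{64,}")


def decode_hex_run(run: str) -> bytes:
    """Decode a hex string, dropping a trailing odd nibble left by cell splitting."""
    if len(run) % 2:
        run = run[:-1]
    return binascii.unhexlify(run)


def classify(blob: bytes) -> str:
    """Return "pe" for an MZ header whose e_lfanew points at "PE\\0\\0", "mz" for an
    MZ header alone (for example the first chunk of a split file), "text" for
    printable data such as a script, and "binary" for anything else."""
    if blob[:2] == b"MZ" and len(blob) >= 0x40:
        e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
        if blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "mz"
    if blob and all(b in (9, 10, 13) or 32 <= b < 127 for b in blob):
        return "text"
    return "binary"


def scan_cells(cells: Iterable[Cell]) -> List[Dict]:
    """Report every cell holding a long hex run, with the decoded blob's type and size."""
    findings = []
    for sheet, row, col, value in cells:
        if not isinstance(value, str):
            continue
        for run in HEX_RUN.findall(value):
            blob = decode_hex_run(run)
            findings.append({"sheet": sheet, "row": row, "col": col,
                             "kind": classify(blob), "size": len(blob)})
    return findings


def reassemble_sheet(cells: Iterable[Cell], sheet: str) -> bytes:
    """Concatenate all hex runs on one sheet in row-major order and decode them,
    mirroring how a dropper macro stitches a split file back together."""
    ordered = sorted((r, c, v) for s, r, c, v in cells
                     if s == sheet and isinstance(v, str))
    hex_text = "".join("".join(HEX_RUN.findall(v)) for _, _, v in ordered)
    return decode_hex_run(hex_text) if hex_text else b""


def cells_from_workbook(path: str) -> List[Cell]:
    """Load cells from a real .xlsm/.xlsx with openpyxl (optional dependency, imported lazily)."""
    from openpyxl import load_workbook
    wb = load_workbook(path, read_only=True, data_only=True)
    return [(ws.title, c.row, c.column, c.value)
            for ws in wb.worksheets for row in ws.iter_rows()
            for c in row if c.value is not None]


# ---- constructed sample input (stands in for a workbook; contains no real malware) ----
def _fake_pe() -> bytes:
    """Minimal DOS header with e_lfanew = 0x40, then a PE signature and filler bytes."""
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + (0x40).to_bytes(4, "little")
    return dos_header + b"PE\x00\x00" + b"\x90" * 60


_PE_HEX = _fake_pe().hex()
_HALF = len(_PE_HEX) // 2
_SCRIPT_HEX = b"; constructed stand-in for an AutoHotkey script\nMsgBox, hello\n".hex()

SAMPLE_CELLS: List[Cell] = [
    ("Sheet1", 1, 1, "Military Financing Program"),   # visible lure text
    ("Sheet1", 2, 1, "deadbeef" * 4),                 # 32 hex chars: below threshold
    ("Sheet1", 3, 1, 12345),                          # numeric cell, ignored
    ("Hidden", 1, 1, _PE_HEX[:_HALF]),                # executable split over two cells
    ("Hidden", 2, 1, _PE_HEX[_HALF:]),
    ("Hidden", 3, 1, _SCRIPT_HEX),                    # the script dropped alongside it
]

if __name__ == "__main__":
    for finding in scan_cells(SAMPLE_CELLS):
        print(finding)
    whole = reassemble_sheet(SAMPLE_CELLS, "Hidden")
    print("reassembled:", classify(whole), len(whole), "bytes")
```

Per-cell scanning alone reports only an "mz" fragment and an unclassified binary chunk for the split executable; reassembling the sheet is what yields a full PE verdict, so a triage script should do both. To run it on a real attachment, pass `cells_from_workbook(path)` in place of `SAMPLE_CELLS` on a machine that has openpyxl installed.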
Three malicious AHK scripts follow, each of which can carry out different activities. In this case, the threat actors use the TeamViewer DLL side-loading technique (htv.ahk), which allows the attackers to add more functionality to TeamViewer: they use it to keep the TeamViewer interface hidden, to save the current TeamViewer session credentials to a text file, and to transfer and execute additional EXE or DLL files.
Remote demonstration of payload execution

According to Check Point Research, once the malicious TeamViewer has provided remote access, one of the first uses of the AutoHotKey scripts is to upload a screenshot from the victim's PC. Based on telemetry records, this attack targets countries such as Nepal, Guyana, Kenya, Italy, Liberia, Bermuda and Lebanon, and in particular public sector finance and public officials.

Indicators of Compromise

DLLs
013e87b874477fcad54ada4fa0a274a2
799AB035023B655506C0D565996579B5
e1167cb7f3735d4edec5f7219cea64ef
6cc0218d2b93a243721b088f177d8e8f
aad0d93a570e6230f843dcdf20041e1e
1e741ebc08af09edc69f017e170b9852
c6ae889f3bee42cc19a728ba66fa3d99
1675cdec4c0ff49993a1fcbdfad85e56
72de32fa52cc2fab2b0584c26657820f
44038b936667f6ce2333af80086f877f

Documents
4acf624ad87609d476180ecc4c96c355
4dbe9dbfb53438d9ce410535355cd973

C&Cs
1c-ru[.]net/tick/licence
intersys32[.]com/3307/
146.0.72[.]180/3307/
146.0.72[.]180/newcpanel_gate/gate.php
185.70.186[.]145/gate.php
185.70.186[.]145/index.php
193.109.69[.]5/3307/gate.php
193.109.69[.]5/9125/gate.php
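The indicators above are only useful once they are refanged and matched against what a defender actually has: web proxy logs for the C&C URLs, and file hashes for the side-loaded DLLs that sit beside a legitimate TeamViewer binary (the DLL side-loading described earlier) and for the lure documents. The following is an added example, not code from the original article or from Check Point, that turns the page's own C&C list and MD5 list into a matcher and runs it over a constructed proxy log and a constructed file inventory. The log format, the client addresses, the file paths and the non-indicator hashes (including the MD5 of empty input used as a harmless stand-in) are all assumptions of this example; the indicator values themselves are copied from the list above.

```python
"""Match the article's C&C URLs and file MD5s against proxy log lines and a hash inventory.

Added example, not part of the original article. The indicators are copied from the
page's IoC list; the log lines and file inventory are constructed for demonstration.
"""
import re
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

# C&C indicators exactly as listed on the page, defanged with "[.]".
CNC_INDICATORS = [
    "1c-ru[.]net/tick/licence",
    "intersys32[.]com/3307/",
    "146.0.72[.]180/3307/",
    "146.0.72[.]180/newcpanel_gate/gate.php",
    "185.70.186[.]145/gate.php",
    "185.70.186[.]145/index.php",
    "193.109.69[.]5/3307/gate.php",
    "193.109.69[.]5/9125/gate.php",
]

# MD5s from the page's IoC list, normalised to lowercase for comparison.
DLL_MD5S = {h.lower() for h in [
    "013e87b874477fcad54ada4fa0a274a2", "799AB035023B655506C0D565996579B5",
    "e1167cb7f3735d4edec5f7219cea64ef", "6cc0218d2b93a243721b088f177d8e8f",
    "aad0d93a570e6230f843dcdf20041e1e", "1e741ebc08af09edc69f017e170b9852",
    "c6ae889f3bee42cc19a728ba66fa3d99", "1675cdec4c0ff49993a1fcbdfad85e56",
    "72de32fa52cc2fab2b0584c26657820f", "44038b936667f6ce2333af80086f877f",
]}
DOC_MD5S = {"4acf624ad87609d476180ecc4c96c355", "4dbe9dbfb53438d9ce410535355cd973"}


def refang(ioc: str) -> str:
    """Undo the usual defanging so the indicator compares against real log data."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def split_ioc(ioc: str) -> Tuple[str, str]:
    """Split "host/path" into (lowercase host, "/path") for exact-host, prefix-path matching."""
    host, _, path = refang(ioc).partition("/")
    return host.lower(), "/" + path


# Assumed log layout: "<timestamp> <client-ip> <METHOD> <url> <status>" (constructed format).
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def match_proxy_log(lines: Iterable[str], indicators: List[str] = CNC_INDICATORS) -> List[Dict]:
    """Return one hit per log line whose host equals an indicator host and whose path
    starts with the indicator path. Unparseable lines are skipped."""
    table = [(split_ioc(i), i) for i in indicators]
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        host = (parts.hostname or "").lower()
        for (ioc_host, ioc_path), raw in table:
            if host == ioc_host and parts.path.startswith(ioc_path):
                hits.append({"line": n, "client": m.group("client"),
                             "url": m.group("url"), "indicator": raw})
                break
    return hits


def match_hashes(inventory: Iterable[Tuple[str, str]]) -> List[Dict]:
    """Check (path, md5) pairs against the DLL and document hash sets, case-insensitively."""
    hits = []
    for path, md5 in inventory:
        h = md5.strip().lower()
        if h in DLL_MD5S:
            hits.append({"path": path, "md5": h, "kind": "dll"})
        elif h in DOC_MD5S:
            hits.append({"path": path, "md5": h, "kind": "document"})
    return hits


# ---- constructed sample data ----
SAMPLE_PROXY_LOG = [
    "2019-04-22T10:15:03Z 10.0.0.7 GET http://146.0.72.180/newcpanel_gate/gate.php 200",
    "2019-04-22T10:15:09Z 10.0.0.7 GET http://update.example.invalid/tick/licence 200",
    "2019-04-22T10:16:41Z 10.0.0.12 POST http://193.109.69.5/9125/gate.php 200",
    "2019-04-22T10:17:02Z 10.0.0.12 GET http://INTERSYS32.com/3307/ 404",
    "2019-04-22T10:17:30Z 10.0.0.3 GET https://www.example.invalid/index.php 200",
    "malformed line that the parser skips",
]

SAMPLE_INVENTORY = [
    # constructed paths; the first two hashes are from the page, the third is MD5("") as a benign stand-in
    ("C:\\Users\\alice\\AppData\\Local\\Temp\\sideloaded_placeholder.dll", "013E87B874477FCAD54ADA4FA0A274A2"),
    ("C:\\Users\\alice\\Downloads\\Military Financing Program.xlsm", "4acf624ad87609d476180ecc4c96c355"),
    ("C:\\Program Files\\TeamViewer\\TeamViewer.exe", "d41d8cd98f00b204e9800998ecf8427e"),
]

if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_PROXY_LOG):
        print("C&C contact:", hit)
    for hit in match_hashes(SAMPLE_INVENTORY):
        print("known-bad file:", hit)
```

Host matching is exact on purpose: an indicator of `1c-ru[.]net` should not silently match every subdomain unless you decide it should, and path matching is a prefix check so that `146.0.72[.]180/3307/` also covers deeper URLs under that directory. Hash comparison lowercases both sides because the list above mixes cases, which is a common reason a copied IoC set produces no matches.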