Check Point: A Russian Hacker, EvaPiks, is attacking governments with a trojanized TeamViewer. Targets include Nepal, Guyana, Kenya, Italy, Liberia, Bermuda and Lebanon
Someone is targeting government officials and representatives at several embassies worldwide with a trojanized TeamViewer. The campaign was discovered by Check Point cyber security experts. The partial list of countries where officials were targeted includes Nepal, Guyana, Kenya, Italy, Liberia, Bermuda and Lebanon. The attacks start with a malicious attachment disguised as a top secret US document. Inside is a weaponized version of the popular remote access and desktop sharing software. The aim is to gain full control of the infected computer. By investigating the entire infection chain and attack infrastructure, the researchers were able to track previous operations that share many characteristics with this attack’s inner workings. They also came across an online avatar of a Russian-speaking hacker, EvaPiks, who seems to be in charge of the tools developed and used in this attack.
The cyber security experts: The lure is a well-crafted (but fake) US DoS top secret document
According to Check Point, the well-crafted document used as a lure bears the logo of the U.S. Department of State (DoS) and is marked as Top Secret. Although the attackers have worked hard to make it appear convincing, they seem to have overlooked some Cyrillic artifacts (such as the Workbook name) that were left in the document and could potentially reveal more information about the source of this attack. Once the macros are enabled, two files are extracted from hex-encoded cells within the XLSM document: a legitimate AutoHotkeyU32.exe program, and AutoHotkeyU32.ahk, an AHK script that sends a POST request to the C&C server and can receive additional AHK script URLs to download and execute. The malicious TeamViewer DLL (TV.DLL) is loaded via the DLL side-loading technique and is used to add more “functionality” to TeamViewer by hooking Windows APIs called by the program.
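As an added defender-side example (not taken from Check Point's report or from this article), the Python sketch below scans a workbook's XML parts for a long hex run that decodes to a Windows executable, which is how the lure is described as carrying AutoHotkeyU32.exe. It assumes the hex text starts with the bytes "MZ" and sits in a single cell; the function names and the sample workbook are constructed for illustration.

```python
import io
import re
import struct
import zipfile

# A hex run of at least 64 decoded bytes that begins with "MZ" (4D 5A).
# The lookbehind anchors the match at the start of a hex run.
HEX_PE = re.compile(rb"(?<![0-9A-Fa-f])4[dD]5[aA](?:[0-9A-Fa-f]{2}){62,}")

def looks_like_pe(blob: bytes) -> bool:
    """Check that the DOS header's e_lfanew field points at the PE signature."""
    if len(blob) < 0x40:
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_hex_encoded_pe(workbook: bytes):
    """Return (part name, decoded size, PE header confirmed) for each hit."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(workbook)) as zf:
        for name in zf.namelist():
            # Cell text lives in the XML parts (shared strings and sheets).
            if not (name.startswith("xl/") and name.endswith(".xml")):
                continue
            for m in HEX_PE.finditer(zf.read(name)):
                blob = bytes.fromhex(m.group().decode("ascii"))
                hits.append((name, len(blob), looks_like_pe(blob)))
    return hits

def build_sample_workbook() -> bytes:
    """Constructed sample: a zip whose shared string is a hex-encoded fake PE stub."""
    stub = bytearray(0x80)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    stub[0x40:0x44] = b"PE\x00\x00"
    shared = ("<sst><si><t>%s</t></si><si><t>Quarterly report</t></si></sst>"
              % stub.hex().upper())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/sharedStrings.xml", shared)
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet><sheetData/></worksheet>")
    return buf.getvalue()

if __name__ == "__main__":
    for part, size, confirmed in find_hex_encoded_pe(build_sample_workbook()):
        print(f"{part}: {size} decoded bytes, PE header confirmed={confirmed}")
```

A payload split across several cells would only be flagged on its first chunk, and the PE confirmation would then depend on how much of the header that chunk holds.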
The observed victims list reveals a particular interest of the attacker in the public financial sector
The cyber security experts revealed that the modified TeamViewer functions include hiding its interface, so that the user would not know it is running; saving the current session credentials to a text file; and allowing the transfer and execution of additional EXE or DLL files. According to Check Point, it is hard to tell if there are geopolitical motives behind this campaign by looking solely at the list of countries it was targeting, since it was not after a specific region and the victims came from different places in the world. Nevertheless, the observed victims list reveals a particular interest of the attacker in the public financial sector, as they all appear to be handpicked government officials from several revenue authorities.