TeamSpy, the Data-Stealing Malware, Reappears
According to security researchers at Heimdal, the data-stealing malware TeamSpy is back after a gap of nearly four years, resurfacing in a spam campaign spotted during the weekend of the week beginning February 13.
The Hungary-based CrySyS Lab first documented TeamSpy in March 2013, when it linked the malware to an espionage campaign that had by then been running for a year. CrySyS researchers concluded that the operation specifically targeted high-profile diplomatic, research and industrial organisations.
Today TeamSpy's operators rely on social engineering to trick victims into running the malware themselves. Once on the machine, it uses DLL hijacking (also called DLL side-loading): a malicious DLL is placed where a legitimate program will find it before the genuine library, so trusted software is manipulated into executing the attacker's code.
During the attack the operators start a TeamViewer session that the victim cannot see. Because that session runs in the context of the already logged-in user, any service the user is signed into can be abused. TeamViewer is used here to make detection much harder, since a legitimate, widely deployed remote-administration tool draws far less suspicion than custom malware. For the same reason two-factor authentication on those services is effectively bypassed (the user has already completed it), and the attackers can reach content that is encrypted at rest but already decrypted for the logged-in user. Infosecurity-magazine.com reported this on February 20, 2017.
The attackers mostly reach victims through spam that tricks them into opening a malware-laden .zip attachment disguised as an e-fax. Opening the archive launches an executable packed inside it, which drops a malicious DLL onto the victim's computer. Through DLL hijacking, that DLL is loaded by a legitimate program and the malware records usernames and passwords from the infected system to a text file named from the template Log%s#%.3u.txt. The template is a printf-style format string, so the file name on disk varies: %s is replaced by a string and %.3u by a number padded to at least three digits, which is worth keeping in mind when hunting for the file. The log is then sent to the attackers' remote command-and-control (C&C) infrastructure.
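The indicators described in the preceding paragraphs, a legitimate program coaxed into loading a planted DLL and a credential log written to a file named from the Log%s#%.3u.txt template, can be turned into a host triage check. The following Python script is an added example written for this page; it is not code from the article, from Heimdal or from TeamViewer. It runs over a constructed inventory of processes, loaded modules and files embedded in the script rather than a live host, and every path and DLL name other than TeamViewer.exe and the log-name template is an illustrative assumption.

```python
"""Triage check for the TeamSpy indicators described above: a copy of TeamViewer.exe
running from an unexpected directory, a DLL side-loaded from that directory in place
of a System32 library, and a credential log matching the Log%s#%.3u.txt template.

Added example for this page, not code from the article, Heimdal or TeamViewer.
The process, module and file inventory below is constructed; on a real host it would
be collected from the system (see the note after the script).
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Default install locations for TeamViewer (assumption: standard installer paths).
TRUSTED_INSTALL_DIRS = (
    r"c:\program files\teamviewer",
    r"c:\program files (x86)\teamviewer",
)

# With the default SafeDllSearchMode the application's own directory is searched
# before System32, so a DLL planted beside the EXE shadows the genuine library.
# Constructed snapshot of System32 DLL names; on a live host build it from a
# listing of C:\Windows\System32\*.dll instead.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "msimg32.dll", "winmm.dll", "avicap32.dll"}

# Derived from the printf-style template Log%s#%.3u.txt quoted in the article:
# %s may be any string (including empty) and %.3u is an unsigned integer padded
# to at least three digits, so the concrete file name varies per infection.
LOG_FILE_RE = re.compile(r"^Log.*#\d{3,}\.txt$", re.IGNORECASE)


@dataclass
class Process:
    pid: int
    image: str                                   # full path of the running executable
    modules: list = field(default_factory=list)  # full paths of DLLs loaded into it


def _norm(path: str) -> str:
    """Lower-case, backslash-normalised form of a Windows path for comparisons."""
    return str(PureWindowsPath(path)).lower()


def is_teamviewer_image(image: str) -> bool:
    return PureWindowsPath(image).name.lower() == "teamviewer.exe"


def outside_install_dir(image: str) -> bool:
    """True when TeamViewer.exe runs from anywhere but its normal install directory."""
    img = _norm(image)
    return not any(img.startswith(d + "\\") for d in TRUSTED_INSTALL_DIRS)


def sideloaded_modules(proc: Process, system_dll_names: set) -> list:
    """DLLs loaded from the executable's own directory whose name collides with a
    library Windows would normally supply from System32: the side-loading signature."""
    app_dir = _norm(str(PureWindowsPath(proc.image).parent))
    hits = []
    for module in proc.modules:
        mp = PureWindowsPath(module)
        if _norm(str(mp.parent)) == app_dir and mp.name.lower() in system_dll_names:
            hits.append(module)
    return hits


def analyze(processes: list, file_listing: list) -> list:
    """Return (indicator, pid, path) tuples; pid is None for file-only findings."""
    findings = []
    for proc in processes:
        if is_teamviewer_image(proc.image) and outside_install_dir(proc.image):
            findings.append(("teamviewer_outside_install_dir", proc.pid, proc.image))
        for module in sideloaded_modules(proc, SYSTEM_DLL_NAMES):
            findings.append(("dll_sideload", proc.pid, module))
    for path in file_listing:
        if LOG_FILE_RE.match(PureWindowsPath(path).name):
            findings.append(("credential_log", None, path))
    return findings


# Constructed inventory: one suspicious TeamViewer copy dropped from a fake e-fax
# archive, one clean vendor install. Directory and DLL names are illustrative.
EFAX_DIR = r"C:\Users\alice\AppData\Roaming\efax"
SAMPLE_PROCESSES = [
    Process(1234, EFAX_DIR + r"\TeamViewer.exe", [
        EFAX_DIR + r"\TeamViewer.exe",
        EFAX_DIR + r"\msimg32.dll",                 # planted beside the EXE, shadows System32
        r"C:\Windows\System32\kernel32.dll",
    ]),
    Process(555, r"C:\Program Files\TeamViewer\TeamViewer.exe", [
        r"C:\Program Files\TeamViewer\TeamViewer.exe",
        r"C:\Windows\System32\msimg32.dll",
        r"C:\Windows\System32\version.dll",
    ]),
]
SAMPLE_FILES = [
    EFAX_DIR + r"\TeamViewer.exe",
    EFAX_DIR + r"\msimg32.dll",
    EFAX_DIR + r"\Logalice#007.txt",               # matches the Log%s#%.3u.txt template
    EFAX_DIR + r"\readme.txt",
]

if __name__ == "__main__":
    for indicator, pid, path in analyze(SAMPLE_PROCESSES, SAMPLE_FILES):
        print(f"{indicator:32} pid={pid} {path}")
```

On a real Windows host the process and module inventory would come from a tool such as Sysinternals ListDLLs or PowerShell's Get-Process with its Modules property, and the System32 snapshot from a directory listing; the check logic is unchanged. The log-name regex follows from the format string quoted in the article, not from an observed sample, so treat a match as a lead to inspect rather than a confirmed infection.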
A TeamViewer spokesperson said the company was studying Heimdal's report but believes there is no security flaw in its software: malware can disguise itself in any form, and a single click is enough to start an infection.
TeamViewer adds that the activity described is by nature post-exploitation, so the real problem is whatever precedes the infection. Users should nevertheless keep all their software up to date and download TeamViewer only from official sources rather than from affiliate or third-party sites.
» SPAMfighter News - 24-02-2017