A report has indicated that a backdoor Trojan has been abusing the legitimate TeamViewer remote access tool, enabling the attackers behind it to spy on unsuspecting victims. The research was conducted by security researchers at Doctor Web.
There have been many cases of malware that leverage the remote control utility, and the disclosure of one more shows that cyber thieves are always looking for ways to take advantage of the tool and abuse it. The Trojan, which goes by the code name Spy-Agent, installs legitimate TeamViewer components onto the compromised machines, which it is then able to use against the unsuspecting victims.
Doctor Web says that the authors of the program currently in circulation may have been developing it since as far back as 2011. The security firm also believes that the cyber thieves have been periodically releasing modified versions of the malware since 2011. The company further noted that Spy-Agent is also the name of the Trojan’s system management interface.
TeamViewerENT is a multi-component Trojan. The program is used for nefarious purposes, primarily spying on its victims. The malware’s main payload is placed in a library named avicap32.dll, and this is what lets the Trojan put the legitimate TeamViewer to use.
The library is placed in the same folder as the original executable, which means it is loaded immediately. This allows the program to abuse the Windows behaviour whereby, when a program needs a dynamic library, the system first searches the folder the program was launched from; only after that does it look in the Windows system directory.
The research showed that after launch, the TeamViewer program starts with some standard operations so as to camouflage itself, and changes all the error messages that might accompany the program. It also sets the attributes of the files it obtains from TeamViewer to “system”, “hidden” and “read-only”.
If the Windows Task Manager is detected, the malware will automatically kill the TeamViewer program. In some cases the Trojan will also download any missing TeamViewer files and components so that it can be used without any glitches.
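The two behaviours just described, a system library name planted beside an application executable so that the search order picks it up first, and files marked system, hidden and read-only, can both be surfaced from a plain file inventory. The following is an added example written for this article, not code from Doctor Web or from the report; the inventory records, the directory paths and the small set of system library names are all constructed assumptions, and on a real Windows host the records would be built from `os.scandir()` together with the Win32 file attributes.

```python
"""Added example: two inventory checks for the tactics described in the report.

Assumptions (not facts from the article):
- FileRecord entries are constructed here; on a live host they would come from
  os.scandir() plus the Win32 file attribute bits.
- SYSTEM_DLL_NAMES is a small hand-picked subset of libraries that Windows
  normally resolves from its system directory.
"""
from dataclasses import dataclass
import ntpath

# Win32 file attribute bits (documented Windows SDK constants).
FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_ARCHIVE = 0x20

# avicap32.dll is the library named in the report; the others are well-known
# system DLLs added here as assumptions to make the check generic.
SYSTEM_DLL_NAMES = {"avicap32.dll", "version.dll", "dwmapi.dll", "uxtheme.dll"}

# Directories from which these libraries are legitimately loaded.
WINDOWS_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class FileRecord:
    path: str          # full Windows path
    attributes: int    # bitmask of FILE_ATTRIBUTE_* flags


def dll_search_order_candidates(records):
    """Return records for DLLs that carry the name of a system library but sit
    outside the Windows system directories. Because Windows searches the
    application's own folder before the system directory, such a file would be
    loaded in place of the genuine library."""
    hits = []
    for r in records:
        directory, name = ntpath.split(r.path)
        if name.lower() in SYSTEM_DLL_NAMES and directory.lower() not in WINDOWS_SYSTEM_DIRS:
            hits.append(r)
    return hits


def system_hidden_readonly(records):
    """Return records whose attributes combine system, hidden and read-only,
    the combination the report says the Trojan applies to its TeamViewer files."""
    wanted = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
    return [r for r in records if r.attributes & wanted == wanted]


# Constructed inventory: the genuine system DLL, a copy planted next to a
# TeamViewer executable in a user profile, and a file with the suspicious
# attribute combination. None of these paths come from the report.
SAMPLE_INVENTORY = [
    FileRecord(r"C:\Windows\System32\avicap32.dll", FILE_ATTRIBUTE_ARCHIVE),
    FileRecord(r"C:\Users\alice\AppData\Roaming\tv\TeamViewer.exe", FILE_ATTRIBUTE_ARCHIVE),
    FileRecord(r"C:\Users\alice\AppData\Roaming\tv\avicap32.dll", 0x27),  # archive+system+hidden+readonly
    FileRecord(r"C:\Users\alice\AppData\Roaming\tv\tv.dll", 0x07),        # system+hidden+readonly
    FileRecord(r"C:\Users\alice\Documents\notes.txt", FILE_ATTRIBUTE_ARCHIVE),
]


def run_checks(records=SAMPLE_INVENTORY):
    """Run both checks and return (hijack_candidate_paths, hidden_system_paths)."""
    return (
        [r.path for r in dll_search_order_candidates(records)],
        [r.path for r in system_hidden_readonly(records)],
    )


if __name__ == "__main__":
    hijack, hidden = run_checks()
    print("Possible search-order hijack:", hijack)
    print("System+hidden+read-only:", hidden)
```

The genuine copy under System32 is not reported, only the one placed next to the executable, and the attribute check deliberately requires all three bits together so that ordinary hidden or read-only files do not produce noise.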
In their investigation, the Doctor Web security researchers noticed that the Trojan’s operators were switching their targets from time to time. The researchers say that back in July the Trojan targeted users primarily located in Great Britain and Spain, but after August it had shifted its focus to the USA. Some cases of the Trojan’s presence were also noted in Russia.