Researchers have discovered a series of targeted attacks that have been hitting officials in the government finance agencies and embassies of a number of countries, including Bermuda, Italy, Lebanon, and Kenya. The attacks are using a rigged version of the legitimate TeamViewer app and malicious Excel spreadsheets to install malware and exfiltrate information from compromised machines.
The attacks have been ongoing since at least last year, and they employed several different versions of the malware. The goal of the campaign isn’t entirely clear, but researchers at Check Point, who uncovered the attacks, say there could be a political or financial motivation behind the attacks. The researchers were able to locate a server used by the attackers which was left exposed on the Internet and included screenshots taken from victims’ machines and other identifying information.
“It is hard to tell if there are geopolitical motives behind this campaign by looking solely at the list of countries it was targeting, since it was not after a specific region and the victims came from different places in the world,” the Check Point Research analysis of the attacks says.
“Nevertheless, the observed victims list reveals a particular interest of the attacker in the public financial sector, as they all appear to be handpicked government officials from several revenue authorities.”
Check Point’s researchers traced some of the tools used in the attacks to a user on a Russian cybercrime forum and there are some snippets of Russian in the malicious document delivered in the campaigns.
The attack begins with a malicious Excel document that is disguised as a confidential spreadsheet from the United States Department of State with military financing data. The document has some hidden data and encourages the victim to enable macros in order to view that information. Once that’s done, the infection chain begins with the extraction of two files from cells in the spreadsheet. Those files include the legitimate AutoHotkey macro program and an AutoHotkey script that reaches out to the remote command-and-control server and retrieves several other scripts. Those scripts allow the malware to take a screenshot of the victim’s machine, collect the victim’s username, and download the trojaned version of TeamViewer, a remote access app.
The TeamViewer DLL is side-loaded onto the machine and allows the remote attacker to harvest the victim’s TeamViewer credentials and install and run other files on the machine. Both the malware delivered and the delivery method itself have changed as the attack campaign has progressed.
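A defender-side check for the two chain steps described above (an Office process launching AutoHotkey, and a TeamViewer binary loading a DLL from a user-writable directory), written here as an added example and not taken from Check Point's report; the Sysmon-style events, paths and file names are constructed samples, not indicators from the campaign:

```python
import re

# Constructed Sysmon-style events (not real telemetry): id 1 = process create,
# id 7 = image (DLL) load. Every path and file name below is a hypothetical sample.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "image": r"C:\Users\victim\AppData\Roaming\Temp\AutoHotkeyU32.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"id": 7, "image": r"C:\Users\victim\AppData\Roaming\Temp\TeamViewer.exe",
     "loaded": r"C:\Users\victim\AppData\Roaming\Temp\sample_sideloaded.dll"},
    {"id": 7, "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

OFFICE_APPS = re.compile(r"\\(excel|winword|powerpnt)\.exe$", re.I)
AHK = re.compile(r"\\autohotkey(u32|u64|a32)?\.exe$", re.I)
# Directories a standard user cannot write to; anything else is treated as user-writable.
TRUSTED_DIRS = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.I)


def user_writable(path):
    return not TRUSTED_DIRS.match(path)


def check_event(ev):
    """Return alert names for one event (empty list when nothing is suspicious)."""
    alerts = []
    if ev["id"] == 1 and OFFICE_APPS.search(ev["parent"]):
        if AHK.search(ev["image"]):
            alerts.append("office-spawned-autohotkey")       # macro dropped and ran AutoHotkey
        elif user_writable(ev["image"]):
            alerts.append("office-spawned-untrusted-binary")  # broader: any child from a user dir
    if ev["id"] == 7 and re.search(r"\\teamviewer\.exe$", ev["image"], re.I):
        if user_writable(ev["loaded"]):
            alerts.append("teamviewer-dll-from-user-dir")     # DLL side-loading candidate
    return alerts


def scan(events):
    """Run every rule over a list of events; returns (event index, alert) pairs."""
    return [(i, a) for i, ev in enumerate(events) for a in check_event(ev)]
```

The rules are deliberately path-based so they still fire when the dropped binaries are renamed; tune TRUSTED_DIRS to the install locations actually used in your environment.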
“While all campaigns observed from this threat actor utilized a trojanized version of TeamViewer, the features of the malicious DLL have changed, and the first stage of the infection has evolved over time,” Check Point’s analysis says.
“The initial infection vector used by the threat actor also changed over time; during 2018 we have seen multiple uses of self-extracting archives instead of malicious documents with AutoHotKey, which displayed a decoy image to the user.”
Some versions of the malicious TeamViewer app used in these campaigns had the ability to delete themselves and copy select elements of the Chrome browser history, such as the URLs of any banks, e-commerce sites, and cryptocurrency sites the victim has visited. Although the attacker or attackers behind these campaigns clearly have some skill, mistakes were made along the way.
“On the one hand, from the findings we have described, this appears to be a well thought-out attack that carefully selects a handful of victims and uses tailored decoy content to match the interests of its target audience,” Check Point’s analysis says.
“On the other hand, some aspects of this attack were carried out with less caution, and have exposed details that are usually well disguised in similar campaigns, such as the personal information and online history of the perpetrator, as well as the outreach of their malicious activity.”