Cyberattackers, possibly Russian, recently struck numerous embassies in Europe with a malicious email attachment that uses a weaponized version of the TeamViewer remote desktop tool to gain control of the target computer.
Check Point researchers reported that the attack is well structured, yet somewhat sloppy, but in the end potentially quite dangerous. The attack begins with an email, sent to an authority in the embassy’s finance office, containing an XLSM spreadsheet document with malicious macros. The attackers falsely labeled the incoming document as part of a Military Financing Program bearing the U.S. State Department logo, and for good measure slugged it “Top Secret.”
The first sign the spreadsheet is a fraud is immediately apparent as this supposed U.S. document has a Workbook name written in Cyrillic, but otherwise “the attackers have worked hard to make the document appear convincing,” Check Point wrote. Another piece of evidence pointing to a possible Russian connection was the discovery on a dark web site of the online avatar of a Russian-speaking hacker who seems to be in charge of the tools developed and used in this attack.
The actors behind the attacks also left a directory open for a period of time that allowed Check Point to see some of the nations that were targeted, which included Nepal, Guyana, Kenya, Italy, Liberia, Bermuda and Lebanon.
Once the macro is enabled, two files are extracted from the malicious XLSM file: a legitimate AutoHotkeyU32.exe program and an AHK script that sends a POST request to the command and control (C&C) server. There are additional AHK scripts on the C&C server, one of which takes a screenshot of the infected PC and sends it, along with the victim’s username and computer information, to the server. A third script downloads and executes the weaponized TeamViewer onto the computer, along with whatever login credentials are needed.
TeamViewer is loaded via a DLL side-loading technique.
Once on board and functioning, the malware hides the TeamViewer interface so the user does not know it is running; sets itself up to receive and execute additional EXE or DLL files; and saves the current TeamViewer session credentials to a text file.
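As an added detection example (not code from the article or from Check Point's report), the following Python flags the two stages of the chain described above over constructed process-creation and image-load events: an Office application launching AutoHotkeyU32.exe, and TeamViewer.exe loading a DLL from a user-writable directory rather than a system location. The file paths, the DLL name and the CSV event layout are assumptions made for the example.

```python
import csv
import io
from typing import Dict, List

# Constructed sample telemetry (not from the report): process-creation
# rows carry parent and image; image-load rows carry image and loaded_dll.
SAMPLE_EVENTS = """\
event,parent,image,loaded_dll
proc_create,C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE,C:\\Users\\alice\\AppData\\Local\\Temp\\AutoHotkeyU32.exe,
proc_create,C:\\Windows\\explorer.exe,C:\\Program Files\\TeamViewer\\TeamViewer.exe,
image_load,,C:\\Users\\alice\\AppData\\Roaming\\tv\\TeamViewer.exe,C:\\Users\\alice\\AppData\\Roaming\\tv\\example.dll
image_load,,C:\\Program Files\\TeamViewer\\TeamViewer.exe,C:\\Windows\\System32\\example.dll
"""

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Directories a legitimate TeamViewer install is expected to load DLLs from.
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def detect(events: List[Dict[str, str]]) -> List[str]:
    """Return one alert string per suspicious event, in input order."""
    alerts = []
    for ev in events:
        if ev["event"] == "proc_create":
            # Stage 1: the macro drops the AHK interpreter and runs it from Office.
            if basename(ev["parent"]) in OFFICE_APPS and basename(ev["image"]) == "autohotkeyu32.exe":
                alerts.append(f"office-spawned-autohotkey: {ev['image']}")
        elif ev["event"] == "image_load":
            # Stage 3: TeamViewer loading a DLL outside system or program directories
            # matches the side-loading step; loads from System32 are expected.
            if basename(ev["image"]) == "teamviewer.exe" and not ev["loaded_dll"].lower().startswith(TRUSTED_DLL_DIRS):
                alerts.append(f"teamviewer-sideload: {ev['loaded_dll']}")
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed sample the second TeamViewer row, whose DLL comes from System32, produces no alert, so the rule separates an ordinary install from the dropped copy.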
“The malicious DLL allows the attacker to send additional payloads to a compromised machine and remotely run them. Since we were not able to find such a payload and know what other functionalities it introduces besides the ones provided in the DLL, the real intentions of the latest attack remain unclear. However, the activity history of the developer behind the attack in underground carding forums and the victim’s characteristics may imply that the attacker is financially motivated,” Check Point wrote.
Check Point not only believes its Russian attribution is accurate, but also presented evidence pointing to the person behind the attacks, or at least the tools being used. The person of interest in this case goes by the name EvaPiks and has left a trail dating back to an earlier version of this attack, which led researchers to an online forum where EvaPiks both asked for and gave advice focused on developing this type of attack.