Heimdal Security researchers spotted a new spam campaign carrying the TeamSpy data-stealing malware.
The attackers abuse the legitimate TeamViewer remote access tool to gain full control of a compromised device. The malware is particularly difficult to stop because it is capable of circumventing two-factor authentication and accessing encrypted content, according to a February 20 Heimdal blog post. The post noted that TeamViewer itself has not been compromised and remains entirely safe to use.
Once downloaded, the malware first targets usernames and passwords and then scans for personal information and pictures, which can be used for a number of illicit activities, including extortion and financial gain, Heimdal CEO Morten Kjaersgaard told SC Media.
To make matters worse, the attack differs from other trojans and spyware that steal information in how persistently it works to infect a system.
“If the attack is unsuccessful for the cybercriminals behind it, the backdoor opened by TeamSpy could be used to download more malicious software onto the compromised computer,” Kjaersgaard said. “They could even deliver ransomware as an exit strategy.”
Kjaersgaard added that it is interesting how TeamSpy infiltrates a user's system by compromising a trusted software application and using it to access the entire system. This method is a cover for the malicious software, as it sits in the background and collects all kinds of confidential information, from credentials to screenshots and more, he said.
Researchers spotted this tactic used in a 10-year-long cyberespionage campaign that was uncovered in 2013. Kjaersgaard said the most recent attacks could be the work of the same threat actors testing whether their tactics still work, so that they can be reused in future attacks or modified to increase success rates if they don't.