Security researchers have uncovered yet another ongoing cyberespionage operation targeting political and human rights activists, government agencies, research organizations and industrial manufacturers primarily from Eastern European countries and former Soviet Union states.
The attacker group behind the campaign was dubbed TeamSpy because they use a malware toolkit built around the legitimate TeamViewer remote access application in order to control infected computers and extract sensitive information from them.
The operation was analyzed by researchers from the Laboratory of Cryptography and System Security (CrySyS Lab) of the Budapest University of Technology and Economics, who collaborated with several antivirus companies, including Kaspersky Lab, Symantec and ESET.
CrySyS Lab launched its investigation after being notified by the Hungarian National Security Authority about an attack against a high-profile Hungarian government target.
Evidence collected so far suggests that parts of the attack toolkit have been used since at least 2010, CrySyS Lab said in a report published Wednesday. "Many of the victims appear to be ordinary users, but some of the victims are high profile industrial, research, or diplomatic targets, including the case that triggered our investigation."
Some example of high-profile targets include: an electronics manufacturing company from Iran with ties to the Iranian government (April 2010), an unnamed high-profile Hungarian government victim (November 2012), the embassy of an unnamed NATO/EU state in Russia (March 2013), multiple research and educational organizations from France and Belgium (March 2013) and an industrial manufacturer from Russia (March 2013).
The toolkit contains a copy of the legitimate and digitally-signed TeamViewer executable file, a TeamViewer_Resource_ru.dll file that's used for Russian-language localization of the program, a malicious component called avicap32.dll that handles communication with the command and control (C2) servers and ensures the malware's persistence on the system and an encrypted configuration file called tv.cfg.
The malware is designed to download and execute other modules from the C2 servers as instructed by the attackers. The additional modules can perform various tasks including recoding keystrokes in various processes and taking screen shots, gathering information about the system and local accounts, grabbing the history of attached devices from iTunes and scanning the local hard disk and remote network shares for specific file types.
The file searching modules scan for documents (*.doc, *.rtf, *.xls, *.mdb, *.pdf), disk image files (*.tc, *.vmdk), files containing encryption keys (*. pgp, *.p12), as well as files that contain the words "password" or "secret" in English, Russian or Georgian.
Evidence found on the operation's command and control (C2) servers suggests that the TeamSpy gang is also responsible for older attack campaigns that used self-made malware tools and might date as far back as 2004. Some of those campaigns were a mix of targeted attacks and cybercrime activities like online banking fraud, the CrySyS researchers said.
