Analyzing TeamSpy, malware that gives hackers full remote control of PCs
TeamViewer, a remote control program, can be very useful when you need remote IT support. Unfortunately, the cybercriminals behind TeamSpy also find the tool quite useful and use it to carry out malicious activity.
TeamSpy infects computers by tricking people into downloading a malicious attachment and enabling macros. After that, the malware secretly installs TeamViewer, giving the cybercriminals full control of the infected computer. TeamSpy first appeared back in 2013, which is when CrySyS Lab and Kaspersky Lab published white papers about its operation. Heimdal Security recently reported that the malware has resurfaced with a targeted spam campaign. We too have seen an uptick and have therefore decided to take a closer look.
Most malware communicates with a command and control (C&C) server after infecting a device. As the name suggests, a C&C server is the control center that sends out commands for the malware to carry out. C&C servers are also where malware sends back the data it collects. For this communication, malware authors usually implement a custom protocol, which can easily be spotted and distinguished from other traffic and thus blocked by antivirus solutions. To make detection harder, some malware authors instead use common remote control programs, like TeamViewer, and take advantage of their VPN network to better mask the communication between their malware and the C&C servers.
How TeamSpy infects
TeamSpy is spread via spam emails that are designed to trick people into opening an attachment. The attachment is an Excel file with macros. When the attachment is opened, the following screen appears:
When the targeted person enables the macros, the infection process begins, running entirely in the background, so the victim doesn't notice anything. If we look inside the malicious macro, we can see slightly obfuscated strings, usually split into several substrings which are later concatenated. The most important pieces of information, circled in red below, are a link from which something is downloaded and a password which will be used later.
The link, disk.karelia.pro, is a legitimate Russian file upload and sharing service. Although the downloaded file has a PNG extension, it is actually an EXE file, more specifically an Inno Setup installer protected by that password.
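The split-and-concatenate obfuscation described above can be folded mechanically instead of by hand. The script below is an added example written for this post, not code from the original article or from the malware: it parses assignments of the form `x = "a" & "b" & x & "c"` in a VBA macro and recovers the final strings. The sample macro, its URL and password are constructed for illustration and are not the real TeamSpy macro or indicators.

```python
import re

# Constructed sample in the style of the macro described above (NOT the real
# TeamSpy macro): strings split into fragments and glued back with `&`.
SAMPLE_MACRO = '''
Sub Auto_Open()
    Dim u As String, p As String
    u = "ht" & "tp://exam" & "ple.te" & "st/dl/" & "im" & "g.png"
    u = u & "?v=" & "2"
    p = "in" & "st" & "all" & "pw"
    Call Fetch(u, p)
End Sub
'''

# Tokens inside an assignment's right-hand side: a VBA string literal (with ""
# as an escaped quote), an identifier, or the concatenation operator.
_TOKEN = re.compile(r'\s*(?:"((?:[^"]|"")*)"|([A-Za-z_]\w*)|(&))')
_ASSIGN = re.compile(r'^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')


def _resolve(rhs, env):
    """Evaluate `"a" & var & "b"`; return None if the expression is anything
    else (a call, a number, an unknown name), so only pure concatenations fold."""
    pos, value, expect_operand = 0, "", True
    while pos < len(rhs):
        m = _TOKEN.match(rhs, pos)
        if not m:
            return None
        pos = m.end()
        literal, ident, amp = m.groups()
        if amp is not None:
            if expect_operand:
                return None
            expect_operand = True
        else:
            if not expect_operand:
                return None
            if literal is not None:
                value += literal.replace('""', '"')
            elif ident in env:
                value += env[ident]
            else:
                return None
            expect_operand = False
    return None if expect_operand else value


def deobfuscate_concats(vba_source):
    """Fold split-string assignments line by line, returning {variable: value}.
    Later assignments may append to earlier ones (u = u & "..."), as in the sample."""
    env = {}
    for line in vba_source.splitlines():
        m = _ASSIGN.match(line)
        if not m:
            continue
        name, rhs = m.groups()
        value = _resolve(rhs, env)
        if value is not None:
            env[name] = value
    return env


def extract_urls(env):
    """Pull anything URL-shaped out of the recovered strings."""
    return [v for v in env.values() if re.match(r'^https?://', v)]


if __name__ == "__main__":
    recovered = deobfuscate_concats(SAMPLE_MACRO)
    for name, value in recovered.items():
        print(f"{name} = {value!r}")
    print("URLs:", extract_urls(recovered))
```

Feed it the macro source dumped by a tool such as olevba; anything that is not a pure concatenation (a function call, arithmetic) is left alone rather than guessed, which keeps the output trustworthy as indicators.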
With the help of the innounp utility, we were able to easily list and extract the files from the Inno Setup installer used by the malware. As shown in the listing below, most of the files are regular, digitally signed TeamViewer binaries, except for two: msimg32.dll and tvr.cfg. Tvr.cfg is TeamSpy's configuration file and will be described later; msimg32.dll is the malware itself. Msimg32.dll is the name of a DLL that is part of the Windows OS. In this case, however, TeamSpy abuses the DLL search order so that the fake msimg32.dll from the application's own directory is loaded into the process instead of the original msimg32.dll from the Windows\System32 directory. The malware itself lives in the fake msimg32.dll library.
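To make the search-order abuse concrete, here is an added example (written for this post, not code from the article or from TeamSpy) that models the default Windows DLL search order and flags DLLs shipped next to an executable that shadow a same-named DLL in System32. The directory layout is built in a temporary folder with the file names from the listing above; the file contents are empty placeholders. The model ignores KnownDLLs, which the loader always maps from System32; it assumes msimg32.dll is not on that default list, which is why this particular name works for the trick.

```python
import os
import tempfile

# Simplified model of the default Windows DLL search order (SafeDllSearchMode on):
# the application's own directory is consulted before the system directories.
# KnownDLLs are deliberately not modelled (assumption: msimg32.dll is not one).
def search_order(app_dir, windows_dir, cwd, path_dirs):
    return [
        app_dir,
        os.path.join(windows_dir, "System32"),
        os.path.join(windows_dir, "System"),
        windows_dir,
        cwd,
        *path_dirs,
    ]


def resolve_dll(name, order):
    """Return the path the loader would pick for `name`, or None."""
    for directory in order:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def sideload_candidates(app_dir, windows_dir):
    """DLLs shipped next to the executable that shadow a same-named DLL in
    System32: the first thing to check when a signed binary runs from its own folder."""
    system32 = os.path.join(windows_dir, "System32")
    shipped = {f.lower() for f in os.listdir(app_dir) if f.lower().endswith(".dll")}
    system = {f.lower() for f in os.listdir(system32)}
    return sorted(shipped & system)


def build_demo_tree(root):
    """Constructed layout mirroring the installer contents above
    (names from the listing, contents are empty placeholders)."""
    app = os.path.join(root, "TeamViewer")
    win = os.path.join(root, "Windows")
    os.makedirs(app)
    os.makedirs(os.path.join(win, "System32"))
    os.makedirs(os.path.join(win, "System"))
    for name in ("update_w32.exe", "TeamViewer_Resource_en.dll", "msimg32.dll", "tvr.cfg"):
        open(os.path.join(app, name), "wb").close()
    for name in ("msimg32.dll", "kernel32.dll", "user32.dll"):
        open(os.path.join(win, "System32", name), "wb").close()
    return app, win


def demo():
    with tempfile.TemporaryDirectory() as root:
        app, win = build_demo_tree(root)
        order = search_order(app, win, cwd=app, path_dirs=[])
        loaded = resolve_dll("msimg32.dll", order)
        return {
            "loaded_from_app_dir": os.path.dirname(loaded) == app,
            "candidates": sideload_candidates(app, win),
        }


if __name__ == "__main__":
    print(demo())
```

On a real system the same check is: list the DLLs in the folder of the signed executable, intersect with the names in System32, and verify the signature of every hit, not just of the EXE.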
TeamSpy’s invisibility cloak
Normally when you install TeamViewer, you see a GUI window with an ID and password, which the other party needs to know if they want to remotely connect to your computer.
If TeamSpy successfully infects a PC, nothing is shown; remember, everything runs in the background, so the victim doesn't notice that TeamViewer is installed. This is achieved by hooking many API functions and changing their behavior. TeamSpy hooks the following APIs (nearly 50 different APIs):
CreateMutexW, CreateDirectoryW, CreateFileW, CreateProcessW, GetVolumeInformationW, GetDriveTypeW, GetCommandLineW, GetCommandLineA, GetStartupInfoA, MoveFileExW, CreateMutexA
SetWindowTextW, TrackPopupMenuEx, DrawTextExW, InvalidateRect, InvalidateRgn, RedrawWindow, SetWindowRgn, UpdateWindow, SetFocus, SetActiveWindow, SetForegroundWindow, MoveWindow, DialogBoxParamW, LoadIconW, SetWindowLongW, FindWindowW, SystemParametersInfoW, RegisterClassExW, CreateWindowExW, CreateDialogParamW, SetWindowPos, ShowWindow, GetLayeredWindowAttributes, SetLayeredWindowAttributes, IsWindowVisible, GetWindowRect, MessageBoxA, MessageBoxW
RegCreateKeyW, RegCreateKeyExW, RegOpenKeyExW, CreateProcessAsUserW, CreateProcessWithLogonW, CreateProcessWithTokenW, Shell_NotifyIconW, ShellExecuteW
Some hooks block the application's access to specific resources, e.g. if RegCreateKey or RegOpenKey attempt to access the Software\TeamViewer registry key, the error code ERROR_BADKEY is returned.
Hooking GetCommandLine makes TeamViewer think that it was started with a predefined password (instead of a randomly generated one; TeamViewer users can normally set this password to an arbitrary value by adding a command line parameter).
Hooking SetLayeredWindowAttributes sets the TeamViewer window opacity to 0 (instruction PUSH 0), which according to the MSDN documentation means the following: “When bAlpha is 0, the window is completely transparent. When bAlpha is 255, the window is opaque.”
Hooking CreateDialogParam blocks some dialogs unwanted by the malware from even being created. These dialogs can be looked up in the file TeamViewer_Resource_en.dll; they are referenced by numbers like 10075, see the figure below.
In the case of ShowWindow, the hook defines its own nCmdShow values, 4d2h and 10e1h. If any value other than these is passed, nothing happens.
Probably the most interesting is the hooking of the CreateWindowEx API. Through a series of class name checks, it identifies the window and the other window controls that belong to the TeamViewer chat window. With the help of a tool like WinSpy++, we can see all the windows belonging to a particular process (even if they are hidden). As you can see from the figure below, there is a ControlWin window, which has several TVWidgets. One widget belongs to the chat: it has two ATL:???????? text edits, one for the chat message history and one for the new chat message, one combo box with a drop-down list of chat members, and the Send button. “message 01” is the received message in the chat; “message 02” is the message that will be sent after clicking the “Send” button. The chat window cannot normally be seen, because the malware runs in the background, but it is possible to patch the malware so that the windows are not hidden.
The code snippet below shows how the malware obtains handles to these window controls. Using GetWindowLong, CallWindowProc and SetWindowLong with nIndex = GWL_WNDPROC, it replaces the old window procedure address of the chat history text edit with a custom window procedure.
The custom window procedure listens for incoming messages and, based on the window message ID, either sends a new message or waits for a reply from the C&C server (an EM_SETCHARFORMAT message has arrived).
The figure below shows how a new message is sent. The malware first sets focus to the new message text edit with WM_SETFOCUS, then sets the new message edit's text with WM_SETTEXT, and finally clicks the “Send” button by sending BM_CLICK.
Similar modifications are applied to most of the 50 APIs listed above. Some patches are very simple, consisting of only a few instructions, while some are very complex, like the one for CreateWindowEx. We won't list all of them here; the final effect, however, is clear: TeamViewer's windows are not displayed to the victim. They silently exist in the system and that's all.
TeamSpy's configuration is stored in the tvr.cfg file. It uses a simple custom encryption algorithm, which can be seen below. It reads the input file and uses the password “TeamViewer”. The algorithm runs two counters, cnt1 (0..number of bytes in tvr.cfg) and cnt2 (0..length of the password). For each character of the password, it takes the password byte and adds the product cnt1*cnt2. All of these results are XORed together to produce one key byte, which at the end of the loop is XORed with the respective byte of the configuration file. These steps are repeated for every byte of the configuration file. Note that the key byte depends only on the position and the fixed password, never on the content, so this is a plain XOR stream cipher with the same keystream for every sample.
The decrypted configuration file can be seen below. The names of the parameters are mostly self-explanatory. The most important for us are the password (the infected machine has the password “superpass”) and server1, to which the infected machine's ID is exfiltrated.
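The following is an added re-implementation of the tvr.cfg scheme exactly as described above, written for this post and not TeamSpy's own code. It assumes both counters are zero-based and that the additions are truncated to a byte; the key=value layout of the sample configuration is constructed for illustration (only the parameter names password and server1 come from the analysis) and is not the real file format. The keystream derivation and the known-plaintext helper both follow from the description: because the keystream never depends on the plaintext, decrypting one sample hands you the keystream for all of them.

```python
PASSWORD = b"TeamViewer"


def keystream(length, password=PASSWORD):
    """Key byte for position cnt1 = XOR over cnt2 of (password[cnt2] + cnt1*cnt2) mod 256."""
    out = bytearray()
    for cnt1 in range(length):                      # byte position in tvr.cfg
        k = 0
        for cnt2, pw_byte in enumerate(password):   # position in the password
            k ^= (pw_byte + cnt1 * cnt2) & 0xFF     # assumption: single-byte arithmetic
        out.append(k)
    return bytes(out)


def decrypt_tvr_cfg(data, password=PASSWORD):
    """XOR every byte of the file with its key byte. The keystream depends only
    on the position and the fixed password, so the very same call encrypts."""
    return bytes(b ^ k for b, k in zip(data, keystream(len(data), password)))


encrypt_tvr_cfg = decrypt_tvr_cfg


def recover_keystream(ciphertext, known_plaintext):
    """Known-plaintext check: content-independent key bytes mean one decrypted
    config reveals the keystream prefix shared by every sample with that password."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def parse_config(plaintext):
    """Split `key=value` lines into a dict (constructed layout, see lead-in)."""
    cfg = {}
    for line in plaintext.decode("latin-1").splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


# Constructed sample configuration (not the real tvr.cfg; server is a placeholder).
SAMPLE_CONFIG = b"password=superpass\nserver1=http://c2.example.test/\nvpn=1\n"

if __name__ == "__main__":
    blob = encrypt_tvr_cfg(SAMPLE_CONFIG)
    print("encrypted:", blob.hex())
    print("decrypted:", parse_config(decrypt_tvr_cfg(blob)))
    assert recover_keystream(blob, SAMPLE_CONFIG) == keystream(len(SAMPLE_CONFIG))
```

To decrypt a real sample, read tvr.cfg as bytes and pass it to decrypt_tvr_cfg; if the output is not readable, the first thing to revisit is the zero-based counter assumption.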
Communication between the infected machine and the C&C server is established soon after the infection process begins. The following request is sent repeatedly. The meaning of most parameters can be easily deduced:
id = TeamViewer ID; the cybercriminals need this ID, which together with the password is enough to remotely connect to the infected computer
tout = timeout
idl = idle time
osbt = 32-bit/64-bit
osv = OS version
osbd = OS build number
ossp = service pack
tvrv = TeamViewer version
uname = user name
cname = computer name
vpn = has TeamViewer VPN
avr = antivirus solution
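That fixed set of parameter names is a usable network signature. The script below is an added example, not part of the original post: it scans proxy log lines for requests whose query string carries the beacon's parameter names and pulls out the fields an analyst wants first (which internal host beaconed, to which server, and which TeamViewer ID it reported). The log lines, host, path and values are constructed for the example; only the parameter names come from the analysis.

```python
from urllib.parse import urlsplit, parse_qs

# Parameter names of the TeamSpy beacon, from the list above.
TEAMSPY_PARAMS = {"id", "tout", "idl", "osbt", "osv", "osbd", "ossp",
                  "tvrv", "uname", "cname", "vpn", "avr"}

# Constructed proxy log (not real traffic). Format per line:
#   <timestamp> <client-ip> <method> <url>
# Host, path and values are invented; the first and third lines come from the
# same client, the third is a truncated request that must not match.
SAMPLE_LOG = """\
2017-02-10T10:01:02Z 10.0.0.5 GET http://203.0.113.10/index.php?id=123456789&tout=30&idl=5&osbt=64&osv=6.1&osbd=7601&ossp=1&tvrv=10.0.43174&uname=alice&cname=WS01&vpn=1&avr=none
2017-02-10T10:01:03Z 10.0.0.6 GET http://example.test/search?q=teamviewer+id+password
2017-02-10T10:02:00Z 10.0.0.5 GET http://203.0.113.10/index.php?id=123456789&tout=30&osv=6.1
"""


def beacon_match(url, min_params=8):
    """Return (matched names, parsed query) if `url` looks like the beacon:
    the TeamViewer ID and version must be present and at least `min_params`
    of the known names overall, so a variant that drops or renames a couple
    of fields still matches. Returns None otherwise."""
    query = parse_qs(urlsplit(url).query)
    present = TEAMSPY_PARAMS & set(query)
    if {"id", "tvrv"} <= present and len(present) >= min_params:
        return present, query
    return None


def find_beacons(log_text, min_params=8):
    """Scan log lines and return one record per beacon-shaped request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue
        ts, client, _method, url = fields
        match = beacon_match(url, min_params)
        if match is None:
            continue
        present, query = match
        hits.append({
            "time": ts,
            "client": client,
            "c2": urlsplit(url).netloc,
            "tv_id": query["id"][0],
            "user": query.get("uname", [""])[0],
            "host": query.get("cname", [""])[0],
            "matched": len(present),
        })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

The threshold is deliberately loose on the count but strict on id and tvrv, because those two are what make the beacon useful to the operator; when tuning on real proxy data, also alert on any client that repeats the same request at a fixed interval, which is the "sent repeatedly" behaviour described above.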
When we open the C&C server in a web browser, we see the following login page:
The infected computer is controlled via TeamViewer. The cybercriminals can connect to the remote computer (they know the TeamViewer ID and password) or they can send commands via the TeamViewer chat, to do essentially whatever they please on the infected machine. Communication via the TeamViewer chat allows basic backdoor functionality to be carried out: applist, wcmd, ver, os, vpn, locale, time, webcam, genid. Inside the TeamSpy code, these commands are compared by their CRC32 checksums, so collisions can easily occur. Because crc32(wcmd) = 07B182EB = crc32(aacvqdz), both of these commands are interchangeable.
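CRC32 is linear over GF(2), so an alias for any command can be constructed rather than found by luck. The block below is an added example written for this post, not TeamSpy's code: it models a CRC32-keyed dispatch table with the nine command names above, forges a 4-byte tail that forces any prefix to a chosen CRC32, and then searches lowercase prefixes until the forged tail is lowercase too, yielding an all-letter alias like the one in the text. The command table and the alias it finds are illustrative; the forging routine is the standard table-inversion trick and relies on the fact that the 256 CRC32 table entries have distinct top bytes.

```python
import zlib
from itertools import product

# Backdoor commands named in the analysis, dispatched by CRC32 of the command
# text. The dispatch table models the weakness only; it is not TeamSpy's code.
COMMANDS = ["applist", "wcmd", "ver", "os", "vpn", "locale", "time", "webcam", "genid"]
DISPATCH = {zlib.crc32(c.encode()): c for c in COMMANDS}


def dispatch(cmd: bytes):
    """Any byte string whose CRC32 matches a table key is treated as that command."""
    return DISPATCH.get(zlib.crc32(cmd))


# Standard reflected CRC32 table (polynomial 0xEDB88320), identical to zlib's.
_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    _TABLE.append(c)
# The 256 entries have distinct top bytes, so a top byte identifies its index.
_BY_TOP_BYTE = {entry >> 24: i for i, entry in enumerate(_TABLE)}
assert len(_BY_TOP_BYTE) == 256


def forge_crc32(prefix: bytes, target: int) -> bytes:
    """Return prefix + 4 bytes whose zlib.crc32 equals `target`.

    Each update step is reg = TABLE[(reg ^ byte) & 0xFF] ^ (reg >> 8), so after
    four bytes the register depends only on the four table indices used, not on
    the starting register. Walk back from the target register to recover those
    indices, then walk forward from the real register to pick the bytes that
    select them.
    """
    reg = zlib.crc32(prefix) ^ 0xFFFFFFFF      # internal register after prefix
    cur = target ^ 0xFFFFFFFF                  # internal register we must reach
    indices = []
    for _ in range(4):                          # backwards: last byte first
        i = _BY_TOP_BYTE[cur >> 24]
        indices.insert(0, i)
        cur = ((cur ^ _TABLE[i]) << 8) & 0xFFFFFFFF
    out = bytearray(prefix)
    for i in indices:                           # forwards: choose each byte
        out.append((reg ^ i) & 0xFF)
        reg = _TABLE[i] ^ (reg >> 8)
    return bytes(out)


def find_printable_alias(target: int, alphabet=b"abcdefghijklmnopqrstuvwxyz", prefix_len=4):
    """Find an all-lowercase alias with the target CRC32 by trying lowercase
    prefixes until the forged 4-byte tail is lowercase too (each tail byte is
    lowercase with probability 26/256, so around ten thousand tries on average).
    Returns None if the prefix space is exhausted."""
    allowed = set(alphabet)
    for prefix in product(alphabet, repeat=prefix_len):
        candidate = forge_crc32(bytes(prefix), target)
        if all(b in allowed for b in candidate[prefix_len:]):
            return candidate
    return None


if __name__ == "__main__":
    target = zlib.crc32(b"wcmd")
    alias = find_printable_alias(target)
    print(f"crc32(wcmd) = {target:08X}; alias {alias!r} dispatches as {dispatch(alias)!r}")
```

The practical consequence for detection is that any signature on the literal command strings in the chat is incomplete: the operator can send an arbitrary-looking word that the backdoor still executes as wcmd.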
Using TeamViewer's legitimate VPN encrypts the traffic and makes it indistinguishable from legitimate TeamViewer traffic. Once the machine is infected, the criminals have full access to the computer. They can steal and exfiltrate sensitive data, download and execute arbitrary programs, and more.
Abusing a legitimate application via sideloading is a clever technique, because not every user checks the legitimacy of all the DLL libraries in the same directory. Checking the signature of the main executable does not reveal anything suspicious and may let the victim think that everything is alright. See the digital signature of the main update_w32.exe file below. This file is not malicious.
It is important to remember that there are more malware families that abuse TeamViewer, not just TeamSpy. This blog post describes just one of them. The principle is, however, similar in the other malware families.
Figure captions from the original post: XLS with macros; password-protected Inno installer; 6.0 and yes, we detect it.