TeamViewer’s Libraries Part of Complex Malware Process


Fraudsters are getting ever more creative. Every app and device is now an avenue for new threats seeking to capture the personal information of end users.

Not long ago, we wrote about remote access Trojans (RATs), which give an attacker control of the victim's machine and are often used to reach its camera and microphone. We also discussed Marcher, a malware family targeting Android devices, and Acecard, a new mobile banking threat.

For more than a year now, we have observed a concerning increase in volume and severity of attacks like the ones mentioned above.

Today, we have discovered a new one. It’s a new type of malware that uses TeamViewer software as a component of a multi-step attack on end users. Part of this malicious process actually downloads TeamViewer from the software company’s official website.

TeamViewer is a legitimate product that provides remote control, desktop sharing, file transfer and online meetings between participating computers. Our fraud intelligence team recently found attackers remotely controlling victims' computers through TeamViewer's own components. More worryingly, the session runs silently: victims get no indication that their machine is under someone else's control.

How Exactly Are Computers Infected?

This threat starts with a simple phishing attack: fraudulent emails that persuade users to download and run the malicious file. In the sample we obtained, the malicious code hides its execution behind a real web browser process. It then downloads files from a compromised web page and, separately, from the legitimate TeamViewer website. The TeamViewer components are genuine, signed binaries from a widely recognized vendor, so the remote-control part of the attack does not look like a RAT to signature-based tools, and any remote access through it blends in with normal use of the program.

Once those files have been downloaded, the attack combines the malicious files with several TeamViewer modules to assemble and launch the threat. The malware is configured to run at Windows startup. It checks in with its command-and-control (C&C) panel and sends data that identifies the infected machine, such as the user name, a machine ID and/or the date. It also harvests information about any installed instant messaging programs and email clients, and steals private data stored by the local web browsers.
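One practical detection angle follows directly from the behaviour above: the remote-control component is a genuine, signed TeamViewer module, but it is loaded by a process that is not TeamViewer, or from a directory a user can write to. The script below is an added example written for this post, not code from the original article or from TeamViewer; it runs a simple rule over a few constructed Sysmon-style ImageLoad (Event ID 7) records. The field names follow Sysmon's, the records are made up, and the TeamViewer file names and install directories are assumptions used only for illustration.

```python
"""Flag TeamViewer modules loaded by non-TeamViewer processes or from
user-writable paths.  Added example: input records are constructed,
Sysmon-style ImageLoad events, not real telemetry."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample events (Sysmon Event ID 7 field names; data is made up).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "ImageLoaded": r"C:\Program Files\TeamViewer\tv_w32.dll",
     "Signed": "true", "Signature": "TeamViewer GmbH"},
    {"Image": r"C:\Users\alice\AppData\Roaming\Updater\svchost.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Updater\tv_w32.dll",
     "Signed": "true", "Signature": "TeamViewer GmbH"},
    {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ImageLoaded": r"C:\ProgramData\tvcache\TeamViewer_Resource_en.dll",
     "Signed": "true", "Signature": "TeamViewer GmbH"},
]

# Assumed locations of a legitimate TeamViewer install (lower-cased for matching).
TRUSTED_INSTALL_DIRS = ("c:\\program files\\teamviewer\\",
                        "c:\\program files (x86)\\teamviewer\\")
# Path fragments that a normal user account can write to.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
# Assumed TeamViewer module names; the signer check below is the stronger signal.
TV_MODULE = re.compile(r"(^|\\)(teamviewer[^\\]*|tv_w32|tv_x64)\.(dll|exe)$", re.I)


@dataclass
class Finding:
    process: str
    module: str
    reason: str


def is_teamviewer_module(event: dict) -> bool:
    """True if the loaded image is signed by TeamViewer or carries a TeamViewer name."""
    signer = event.get("Signature", "").lower()
    return signer.startswith("teamviewer") or bool(TV_MODULE.search(event["ImageLoaded"]))


def evaluate(event: dict) -> Optional[Finding]:
    """Apply the two rules to one ImageLoad event; None means nothing suspicious."""
    if not is_teamviewer_module(event):
        return None
    proc = event["Image"].lower()
    mod = event["ImageLoaded"].lower()
    # Rule 1: the loading process is not itself part of a TeamViewer install.
    if not proc.startswith(TRUSTED_INSTALL_DIRS):
        return Finding(event["Image"], event["ImageLoaded"],
                       "TeamViewer module loaded by a process outside the TeamViewer install directory")
    # Rule 2: a TeamViewer module living in a user-writable directory.
    if any(fragment in mod for fragment in USER_WRITABLE):
        return Finding(event["Image"], event["ImageLoaded"],
                       "TeamViewer module loaded from a user-writable path")
    return None


def scan(events: Iterable[dict]) -> List[Finding]:
    """Return all findings for a batch of events, in input order."""
    return [f for f in map(evaluate, events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.reason}: {finding.process} -> {finding.module}")
```

Over the constructed records this yields two findings: the fake "svchost.exe" under AppData loading tv_w32.dll, and the browser process loading a TeamViewer resource DLL from ProgramData. The first event, TeamViewer loading its own module from Program Files, is correctly left alone. In a real deployment the signer check should be backed by actual Authenticode validation rather than a string match on the Sysmon field, and the install paths should be taken from the endpoint's inventory rather than hard-coded.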

It is also worth noting that within three days of analyzing this attack, we detected two more threats with the same behavior. Although the three delivery chains differed, the final malware installed on the machines was identical. This shows how quickly malware authors can modify their loaders to evade common detection techniques while reusing the same payload.

Figure: Malicious process leveraging the legitimate TeamViewer software

What Regions and Industries are Impacted?

Some financial institutions in Latin America have reported the newest version of this threat. There are also reports of the same type of attacks in Russia, the United Kingdom, Spain and the United States.

Since this Trojan gives attackers remote access to the infected machine, cybercriminals can easily install additional malware to spy on and monitor their victims' activities.

No industry can afford to neglect the severe threat that this type of attack poses. Because the machine itself is under remote control, anyone who uses a computer or mobile device to access online banking, email, instant messaging or medical records is at risk.

What Protection Methods Can be Taken?

A RAT can be more harmful than many other types of attack because it controls the victim's machine directly, allowing attackers to start and stop processes, steal login credentials, and record the victim's online activity. There are, however, steps that end users and institutions can take to avoid falling victim to these attacks.

  • Implement a solution that examines user behavior, such as keyboard and mouse movements. This is more effective against a RAT than device identification alone, because the fraudulent session originates from the victim's own, already trusted device, and legitimate remote actions, such as screen sharing, can come from different locations in any case.
  • Deploy a layered-defense approach that combines device identification, malware detection and user action analysis, so that no single control has to catch the attack on its own.
  • Always keep software updated with the latest versions, since developers fix security flaws in each release.


