Banking Trojan incorporates legitimate remote control software

It seems that every technology made for “good” can be misused, and that also goes for software, apparently.

An ESET researcher has recently received a sample of the Sheldor Trojan, which has been found by Group-IB investigators while they were inspecting the systems if a major Russian company that fell prey to theft through unauthorized accounting transactions.

And this particular piece of malware incorporates the well-known TeamViewer remote control software, in order to allow the attacker to start a command shell on the compromised machine in order to control it, to toggle monitoring, to shut down Windows or to log off the user, and – if need be – to remove all traces of the bot.

“The dropper installs a backdoor in %WINDIR% and runs as server in console mod,” he explains. “One component of TeamViewer is modified in order to inject code into tv.dll, communicating through the administrative control panel.”

In this case, the TeamViewer component was obviously use to circumvent additional authentication mechanism that some bank use.

Don't miss