A backdoor Trojan with spying capabilities that has been previously directed against European and Russian users is now being lobbed at US users, Dr. Web researchers have warned.
This specific backdoor is the latest iteration of a piece of malware that dates back to 2011, and is distributed under the name Spy-Agent. Dr. Web detects it as BackDoor.TeamViewerENT.1.
The Trojan is used to install additional malware such as keyloggers and form grabbers on the targets’ computers.
What makes this malware special?
For one, it installs and uses legitimate TeamViewer components to spy on its victims.
“The Trojan’s main payload is placed into the avicap32.dll library, and its operation parameters are stored in an encrypted configuration block. BackDoor.TeamViewerENT.1 also saves the files and folders necessary for TeamViewer to operate, together with some additional files,” the researchers explained.
“If a Windows program needs a dynamic library to be loaded in order to operate, the system starts searching for the file with that name in the same folder from which the program was run, and only then in the Windows system directory. Virus makers decided to take advantage of this Windows feature: TeamViewer needs a standard avicap32.dll library, which is stored in one of the default system catalogs. However, the Trojan stores a malicious library with that same name right in the folder with the original TeamViewer executable file, and, as a result, Windows loads the malicious library, rather than the legitimate one, into the memory.”
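The search-order behaviour the researchers describe can be turned into a defensive audit: any DLL sitting in an application's folder that carries the same name as a library in the Windows system directory deserves a look, and one whose contents differ from the system copy is the pattern seen here with avicap32.dll. The script below is an added example, not Dr. Web's code or part of the malware analysis; it models the loader's resolution order over constructed in-memory directory listings (the byte strings are stand-ins, not real binaries) and flags shadowing DLLs. The `KNOWN_DLLS` subset is an assumption standing in for the registry's KnownDLLs list, which the loader always resolves from System32 regardless of search order.

```python
import hashlib
from typing import Dict, List, Optional

# Constructed sample data standing in for directory contents (name -> bytes).
# Real code would read the files from disk; none of these are real binaries.
SYSTEM32: Dict[str, bytes] = {
    "avicap32.dll": b"MZ\x90\x00 constructed legitimate avicap32",
    "kernel32.dll": b"MZ\x90\x00 constructed legitimate kernel32",
}
APP_DIR: Dict[str, bytes] = {
    "teamviewer.exe": b"MZ\x90\x00 constructed application",
    "avicap32.dll": b"MZ\x90\x00 constructed DIFFERENT avicap32",  # shadows System32 copy
    "kernel32.dll": b"MZ\x90\x00 constructed DIFFERENT kernel32",  # shadow attempt, but a KnownDLL
    "tv_w32.dll": b"MZ\x90\x00 constructed vendor-private dll",    # no system twin, not a shadow
}
# Assumed subset of the KnownDLLs list (the real list lives in the registry under
# Session Manager\KnownDLLs); the loader takes these from System32 unconditionally.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def resolve_dll(name: str, app_dir: Dict[str, bytes], system_dir: Dict[str, bytes],
                known_dlls=KNOWN_DLLS) -> Optional[str]:
    """Model of where the loader takes a DLL from: 'known' (KnownDLLs, always
    System32), 'app' (executable's own folder, searched first), 'system', or None."""
    n = name.lower()
    app = {k.lower() for k in app_dir}
    sys = {k.lower() for k in system_dir}
    if n in known_dlls and n in sys:
        return "known"
    if n in app:
        return "app"
    if n in sys:
        return "system"
    return None


def find_shadowed_dlls(app_dir: Dict[str, bytes], system_dir: Dict[str, bytes],
                       known_dlls=KNOWN_DLLS) -> List[dict]:
    """Report every DLL in the application folder that shares a name with a
    system DLL, with hashes of both copies and where the loader would take it from."""
    sys_lower = {k.lower(): v for k, v in system_dir.items()}
    findings = []
    for name, data in app_dir.items():
        n = name.lower()
        if not n.endswith(".dll") or n not in sys_lower:
            continue
        app_hash, sys_hash = sha256(data), sha256(sys_lower[n])
        findings.append({
            "name": n,
            "identical_to_system": app_hash == sys_hash,
            "loads_from": resolve_dll(n, app_dir, system_dir, known_dlls),
            "app_sha256": app_hash,
            "system_sha256": sys_hash,
        })
    return sorted(findings, key=lambda f: f["name"])


def high_risk(findings: List[dict]) -> List[str]:
    """Shadowing DLLs that the loader would actually pick up and whose bytes
    differ from the system copy: the avicap32.dll case described above."""
    return [f["name"] for f in findings
            if f["loads_from"] == "app" and not f["identical_to_system"]]


if __name__ == "__main__":
    for f in find_shadowed_dlls(APP_DIR, SYSTEM32):
        print(f["name"], "loads from", f["loads_from"],
              "identical" if f["identical_to_system"] else "DIFFERS from system copy")
    print("high risk:", high_risk(find_shadowed_dlls(APP_DIR, SYSTEM32)))
```

Run against a real install, the two dictionaries would be built from `os.listdir` of the application folder and of `%SystemRoot%\System32`. An identical copy is usually a vendor redistribution and low risk; a differing copy that the loader resolves from the application folder is the signal worth escalating, and a KnownDLL name in the application folder is a curiosity rather than a working hijack.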
Secondly, the malware tries to hide its existence and actions from users by terminating the TeamViewer process if it detects that the Task Manager or Process Explorer (two popular system monitoring tools) has been started, and by disabling error messaging for the TeamViewer process.
As noted before, the backdoor is mainly used to download and install additional info-stealing malware, but it also uses TeamViewer to spy on users via the computer’s microphone and camera.
If a component of TeamViewer is accidentally deleted by the user or someone else, the backdoor is capable of checking which part is missing and downloading it from its C&C server.
More technical details about the threat can be found in Dr. Web’s analysis.
Unfortunately, the researchers don’t say how the malware is delivered to the victims.