A backdoor Trojan takes advantage of a legitimate TeamViewer remote access tool to spy on victims, researchers said.
Called BackDoor.TeamViewerENT.1 and distributed under the name Spy-Agent, the Trojan installs legitimate TeamViewer components on the compromised machines to spy on its victims, said researchers at Doctor Web.
TeamViewerENT.1 is a multi-component Trojan. The new program uses TeamViewer to upload a malicious library in memory. It then uses that capability to spy on victims, said researchers at Doctor Web in a post.
The malware’s main payload goes into the avicap32.dll library, which is necessary for TeamViewer to operate.
The library is in the same folder with the original executable, which ensures it loads immediately.
This is where the malware developers take advantage of a Windows function where, when a program needs a dynamic library, the system first searches for it in the folder the software was launched from, and only after that in the Windows system directory.
After launch, TeamViewerENT.1 disables error messaging for the TeamViewer process and changes the attributes of its files and the TeamViewer files to “system,” “hidden,” and “read only.” It also starts intercepting calls for TeamViewer functions and calls for several system functions, and kills the TeamViewer process if the Windows Task Manager or Process Explorer are detected.
Should there be TeamViewer files or components that are missing, the Trojan downloads them from the command and control (C&C) server, ensuring the remote control app can operate normally.
The backdoor includes support for various commands, such as restart or turn off the computer, relaunch or remove TeamViewer, start/stop listening through the microphone, identify the web camera, start/stop viewing via the web camera, download and save a file to a temporary folder and run it, and update a configuration file and the backdoor’s executable file, as well as connect to the specified remote server, run cmd.exe and execute input/output redirection to a remote server, researchers said.