A backdoor Trojan, detected by Dr.Web as BackDoor.TeamViewer.49, installs the TeamViewer application on compromised computers so it can relay Web traffic from the attacker to other servers on the Internet, effectively turning the host into a proxy server.
Russian security vendor Dr.Web and researchers from Yandex first discovered the Trojan at the start of May. The Trojan is distributed through a complex multi-stage mechanism.
Users are not infected with BackDoor.TeamViewer directly; the infection starts with a malware dropper called Trojan.MulDrop6.39120, which Dr.Web said is distributed online bundled with an Adobe Flash Player update package.
When users install the tainted Flash Player update, they get a legitimate Flash version, but also the Trojan.MulDrop6 Trojan, which installs TeamViewer on the victim’s computer.
Dropping TeamViewer on infected devices is not something new, but the attackers don’t use it to log into the victim’s PC and take control of the device. Dr.Web said TeamViewer ends up used for something else.
Attackers replaced TeamViewer’s avicap32.dll file with a malicious version that contains the BackDoor.TeamViewer Trojan. Because TeamViewer automatically loads avicap32.dll into memory when it starts, the attackers only need to configure TeamViewer to auto-run and keep the app’s icon hidden from the Windows notification area.
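The technique described above, a system DLL name planted in an application's own directory so the application loads the planted copy instead of the one in the Windows system directory, leaves a straightforward artifact a defender can look for: a file named avicap32.dll sitting next to TeamViewer.exe whose hash matches none of the legitimate copies in System32 or SysWOW64. The following script is an added example written for this article, not code from Dr.Web or Yandex; it walks an application tree, hashes every file carrying a candidate system DLL name, and flags those whose hash is not among the known-good system copies. The directory layout, file contents and the `run_demo` helper are constructed placeholders so the script runs offline; on a real host you would point `find_sideloaded_dlls` at `C:\Program Files` and pass the real `System32` and `SysWOW64` paths.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Set

# DLL names to look for beside an application binary. avicap32.dll is the
# one named in the report; the set can be extended with other system DLLs.
SIDELOAD_CANDIDATES = {"avicap32.dll"}


def sha256_of(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def known_good_hashes(system_dirs: List[Path]) -> Dict[str, Set[str]]:
    """Hash the legitimate copies of each candidate DLL found in the system
    directories (on Windows: System32 and SysWOW64)."""
    good: Dict[str, Set[str]] = {}
    for sysdir in system_dirs:
        for name in SIDELOAD_CANDIDATES:
            p = sysdir / name
            if p.is_file():
                good.setdefault(name, set()).add(sha256_of(p))
    return good


def find_sideloaded_dlls(app_root: Path, system_dirs: List[Path]) -> List[dict]:
    """Walk app_root and flag every file that carries a system DLL name but
    whose hash matches none of the legitimate system copies. A copy that is
    byte-identical to the OS version is not flagged."""
    good = known_good_hashes(system_dirs)
    findings = []
    for dirpath, _dirs, files in os.walk(app_root):
        for fname in files:
            lname = fname.lower()
            if lname not in SIDELOAD_CANDIDATES:
                continue
            fpath = Path(dirpath) / fname
            digest = sha256_of(fpath)
            if digest not in good.get(lname, set()):
                findings.append({
                    "path": str(fpath),
                    "sha256": digest,
                    "reason": "system DLL name in application directory, hash unknown",
                })
    return findings


def run_demo() -> List[dict]:
    """Build a constructed directory layout in a temp dir and scan it.
    File contents are placeholders standing in for real DLL bytes."""
    root = Path(tempfile.mkdtemp(prefix="sideload_demo_"))
    system32 = root / "Windows" / "System32"
    tv_dir = root / "Program Files" / "TeamViewer"
    other_dir = root / "Program Files" / "OtherApp"
    for d in (system32, tv_dir, other_dir):
        d.mkdir(parents=True)

    legit = b"LEGITIMATE-AVICAP32-PLACEHOLDER"
    (system32 / "avicap32.dll").write_bytes(legit)
    (tv_dir / "TeamViewer.exe").write_bytes(b"TEAMVIEWER-PLACEHOLDER")
    # Planted copy with different content: the condition the report describes.
    (tv_dir / "avicap32.dll").write_bytes(b"MALICIOUS-AVICAP32-PLACEHOLDER")
    # Exact copy of the OS DLL in another app directory: not flagged.
    (other_dir / "avicap32.dll").write_bytes(legit)

    return find_sideloaded_dlls(root / "Program Files", [system32])


if __name__ == "__main__":
    for f in run_demo():
        print(f["path"], f["sha256"][:16], f["reason"])
```

Hash comparison against the OS copy is deliberately used instead of a fixed blocklist: a malicious DLL can be recompiled at will, but a legitimate application directory should never contain a differently-hashed file under a Windows system DLL name. Pairing this check with a review of auto-run entries for TeamViewer covers the second modification the report describes.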
Once the criminals have made the necessary modifications and TeamViewer is running, BackDoor.TeamViewer connects over an encrypted channel to the crooks’ command and control server and waits for instructions.
Dr.Web said in the versions it analyzed, the Trojan’s main function was to operate as a Web proxy, taking traffic it receives from the C&C server and relaying it to the Internet, effectively masking the crooks’ real IP.