Heimdal Security researchers spotted a new spam campaign carrying the TeamSpy data-stealing malware.
The attackers exploit the TeamViewer remote access tool to grant an attacker full access to a compromised device. Once downloaded the malware first targets usernames and passwords and then scans for personal information and pictures, which can be used for a number of illicit activities, including extortion, and financial gains, said Heimdal CEO Morten Kjaersgaard.
First, an email from a spoofed address will get the victim to download a zip file, which, once opened, triggers the .exe file inside to be activated. The TeamSpy code is then dropped onto the victim’s computer, as a malicious DLL. The emails noticed by the security firm had “eFax message from “1408581 **” as a subject line.
As before, the cybercriminals install a legitimate version of TeamViewer on their victims’ computers and then alter the behavior with DLL hijacking to make sure it stays hidden.
The logs are copied to a file, adding all available user names and passwords. The file is continuously sent to a C & C server.
Per the researchers, the TeamSpy malware includes various components in the otherwise legitimate TeamViewer application, two of them are keylogger and a TeamViewer VPN.