A threat actor group is resurfacing the TVSPY malware, which takes advantage of a vulnerability in Teamviewer software version 6, a legitimate tool used for remote PC administration. This time though, the perpetrators are bundling Teamviewer v6 in a package with a copy of the malware.
“This particular threat is very dangerous as the attacker will have total control over the affected machine,” said researchers at Damballa, who uncovered the threat. “It can be used during a regular infection campaign or by some APT actors for specific attacks against particular targets.”
Most recently, a targeted email campaign included a malicious Excel file with a macro that downloads the malware. The email was impersonating the All-Russian Research and Design Institute of Nuclear and Energy Engineering; and the analysis of the Command and Control server for this latest variant appears to be owned by professional criminals.
Damballa noted that the number of unique variants seen in 2015 is 4.4 times the number seen in 2012, and 2.2 times that seen in all of 2014. There are some instances of Dridex installing this malware as well.
“This malware has been relatively quiet for more than two years so the nearly three-fold increase in activity is concerning,” the researchers said.
TVSPY, also known as TVRAT, SpY-Agent or teamspy, was originally developed in 2010 by a hacker going by the handle Mr. Burns. He also created something similar called RMS, which behaves very much like the TVSPY builder.
“RMS/TVSPY continues to be developed, with a new version being posted by the developer/reseller on a regular basis,” Damballa researchers noted. “In fact, the legitimate RMS version developed by TektonIT and the version posted in criminal forums appear to be identical. TVSPY seems to be merely a modification of RMS to utilize TeamViewer infrastructure and a command-and-control interface manageable through the Web.”