TeamSpy data-stealing malware has been detected again, this time in a new campaign discovered by researchers at Heimdal Security. Using TeamSpy (PDF), attackers can gain full remote control of any compromised computer. Most of the targets appear to be ordinary online users, but, as Heimdal Security notes, high-profile industrial executives, researchers and diplomats are also among those being targeted.
The campaign spreads through malicious emails that rely on social engineering and abuse the legitimate TeamViewer remote access tool; the malware bundle also carries a TeamViewer VPN component and a keylogger. The criminals trick users into installing TeamSpy through DLL hijacking: a legitimate program is made to load an attacker-supplied DLL from a location it searches before the genuine library, so the malicious code runs under the name, signature and trust of the legitimate program.
It starts with an email carrying what appears to be an eFax attachment. Opening it runs an executable bundled with the attachment, which installs the TeamSpy code on the computer as a malicious DLL loaded by TeamViewer. A TeamViewer session then starts while the attacker's activity stays hidden from the victim. From there the attacker can act with the victim's own access, using the services and sessions the user is already running on the machine. Because the attacker operates inside the victim's already authenticated session, two-factor authentication is effectively bypassed, and the attacker can read any encrypted content the victim has already decrypted on the infected computer.
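The practical check a defender wants for the technique described above is telemetry-based: a legitimate remote-access binary running from a user-writable directory, started by a dropper, or loading a DLL from outside its install directory and the Windows system directories. The following is an added example written for this page, not code from Heimdal Security or from the TeamSpy report. It assumes Sysmon-style process-creation and image-load records flattened into a constructed pipe-delimited `Key=Value` format, default TeamViewer install paths, and the sample file names in `SAMPLE_LOG`, all of which are made up for the example; the heuristics are generic DLL side-loading rules and are not derived from TeamSpy's real file names.

```python
"""Side-loading detector for an abused remote-access tool (added example).

Reads constructed Sysmon-style records (pipe-delimited Key=Value, a format
chosen here for the example, not Sysmon's native XML) and flags:
  * a TeamViewer process started from outside its install directory, or by a
    parent that runs from a user-writable location (the attachment's dropper);
  * a DLL loaded into a TeamViewer process from outside the tool's install
    directory and the Windows system directories (DLL search-order hijack);
  * an unsigned DLL loaded even from an otherwise trusted directory.
The heuristics are generic; no file names are taken from the TeamSpy report.
"""
from pathlib import PureWindowsPath

# Directories a legitimate TeamViewer install and its DLLs are expected in
# (assumed defaults; adjust to the deployment's real install path).
TRUSTED_EXE_DIRS = {
    r"c:\program files\teamviewer",
    r"c:\program files (x86)\teamviewer",
}
TRUSTED_DLL_DIRS = TRUSTED_EXE_DIRS | {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}
# Path fragments marking user-writable locations where a dropper would land.
USER_WRITABLE = (r"\appdata\local\temp", r"\downloads", r"\users\public", r"\temp")


def parse_record(line):
    """Parse one 'Key=Value|Key=Value' record into a dict (constructed format)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def _dir_of(path):
    return str(PureWindowsPath(path).parent).lower()


def _is_teamviewer(image):
    # Match the main binary; extend the set for other components as needed.
    return PureWindowsPath(image).name.lower() == "teamviewer.exe"


def _user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def detect(lines):
    """Return a list of (rule, evidence) tuples for suspicious records."""
    alerts = []
    for line in lines:
        r = parse_record(line)
        image = r.get("Image", "")
        if not _is_teamviewer(image):
            continue
        if r.get("EventID") == "1":  # process creation
            if _dir_of(image) not in TRUSTED_EXE_DIRS:
                alerts.append(("tv_outside_install_dir", image))
            parent = r.get("ParentImage", "")
            if parent and _user_writable(parent):
                alerts.append(("tv_started_by_dropper", parent))
        elif r.get("EventID") == "7":  # image (DLL) load
            dll = r.get("ImageLoaded", "")
            if _dir_of(dll) not in TRUSTED_DLL_DIRS:
                alerts.append(("dll_outside_trusted_dirs", dll))
            elif r.get("Signed", "").lower() != "true":
                alerts.append(("unsigned_dll_in_trusted_dir", dll))
    return alerts


# Constructed sample telemetry: one benign session, then a side-loaded copy
# dropped by a fake "eFax" viewer in the user's temp directory. The DLL name
# is chosen for the example only.
SAMPLE_LOG = [
    r"EventID=1|Image=C:\Program Files\TeamViewer\TeamViewer.exe|ParentImage=C:\Windows\explorer.exe",
    r"EventID=7|Image=C:\Program Files\TeamViewer\TeamViewer.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true",
    r"EventID=1|Image=C:\Users\alice\AppData\Local\Temp\efax\TeamViewer.exe|ParentImage=C:\Users\alice\AppData\Local\Temp\efax\eFax_View.exe",
    r"EventID=7|Image=C:\Users\alice\AppData\Local\Temp\efax\TeamViewer.exe|ImageLoaded=C:\Users\alice\AppData\Local\Temp\efax\version.dll|Signed=false",
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_LOG):
        print(f"{rule}: {evidence}")
```

The three rules are deliberately independent: a renamed or relocated copy of the tool trips the first, the attachment's dropper as parent trips the second, and the hijacked library itself trips the third, so an attacker has to evade all of them rather than one. In a real deployment the signed/unsigned field should come from the telemetry agent's own signature check, not from the file name, and the trusted-directory sets should be generated from the software inventory rather than hand-written.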
Heimdal Security researcher Andra Zaharia recommends that users be careful when opening email and scrutinize every message they receive. If an attachment looks suspicious, do not open it, and avoid emails from unknown senders altogether.
It is worth noting that TeamSpy was last in the news in 2013, when a secret cyber-espionage campaign that had remained active for almost a decade was uncovered. Heimdal Security also clarified that TeamViewer itself has not been compromised and remains safe to use, just as it was in 2016, when cyber-criminals used old passwords to compromise PayPal accounts.