Another backdoor Trojan, BackDoor.TeamViewerENT.1, has been detected installing legitimate TeamViewer components on infected machines to spy on users.
Doctor Web researchers found that the malware has been in development since 2011 and that its authors regularly release modified versions of it. The backdoor is distributed under the name SpyAgent.
The backdoor targets residents of specific countries and regions at different times. In July, users' computers in Great Britain and Spain were attacked. In August, the cyber-criminals focused on attacking the US. Many cases were also registered in Russia.
Like its counterpart BackDoor.TeamViewer.49, BackDoor.TeamViewerENT.1 is a multi-component Trojan. However, its predecessor used TeamViewer to load a malicious library into an attacked computer's memory, while BackDoor.TeamViewerENT.1 uses TeamViewer itself to spy on users.
Once launched, the backdoor disables error messaging for the TeamViewer process, sets the “system”, “hidden” and “read only” attributes on its own files and on the TeamViewer files, and then hooks calls to TeamViewer functions and several system functions. If any files or components that TeamViewer needs to operate normally are missing, the Trojan downloads them from its command and control (C&C) server.
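The attribute combination described above (system + hidden + read-only on TeamViewer files outside a normal install) is something a defender can hunt for in file-inventory telemetry. The following is an added example, not code from Doctor Web or from the article; it assumes the standard Win32 attribute bit values and uses a constructed inventory in place of real telemetry.

```python
import os

# Win32 file-attribute bits (documented values for GetFileAttributesW).
FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
# The backdoor sets all three on its files and on the TeamViewer files it drops.
SUSPICIOUS_MASK = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
INVALID_FILE_ATTRIBUTES = 0xFFFFFFFF


def is_teamviewer_related(path: str) -> bool:
    """Assumed heuristic: any path component that mentions TeamViewer."""
    return any("teamviewer" in part.lower() for part in path.replace("\\", "/").split("/"))


def has_backdoor_attribute_set(attrs: int) -> bool:
    """True when system, hidden and read-only are all set (other bits are ignored)."""
    return attrs & SUSPICIOUS_MASK == SUSPICIOUS_MASK


def flag_suspicious(inventory):
    """inventory: iterable of (path, attribute_bits) pairs, e.g. exported from EDR
    or collected with read_attributes_windows(). Returns the paths matching both checks."""
    return [p for p, a in inventory if is_teamviewer_related(p) and has_backdoor_attribute_set(a)]


def read_attributes_windows(path: str):
    """Live collection on Windows via ctypes; returns None elsewhere or on error."""
    if os.name != "nt":
        return None
    import ctypes
    attrs = ctypes.windll.kernel32.GetFileAttributesW(path)
    return None if attrs == INVALID_FILE_ATTRIBUTES else attrs


# Constructed sample inventory (not real telemetry); 0x20 is the archive bit.
SAMPLE_INVENTORY = [
    (r"C:\Program Files\TeamViewer\TeamViewer.exe", 0x20),                # normal install
    (r"C:\Users\alice\AppData\Roaming\SpyAgent\TeamViewer.exe", 0x27),    # S+H+R+A
    (r"C:\Users\alice\AppData\Roaming\SpyAgent\teamviewer_helper.dll", 0x07),
    (r"C:\Windows\System32\ntoskrnl.exe", 0x07),                          # S+H+R but not TeamViewer
]

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_INVENTORY):
        print("suspicious:", hit)
```

On a live Windows host, pair each path from a directory walk with read_attributes_windows() to build the inventory; the hit list is a triage lead, not proof of infection, so confirm against the vendor's indicators.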
When connected to the C&C server, the backdoor can perform functions such as restarting or turning off the computer, listening through a microphone, and viewing via the web camera, which allows cyber-criminals to spy on users, steal their personal information, and install malware programmes.
In emailed commentary, Kirill Kozhevnikov at Doctor Web told SCMagazineUK.com, “After taking control, cyber-criminals had to do anything pretty much manually, monitoring user activities and uploading more malware for specific tasks. That means that unless users store their passwords, banking data and other important files somewhere on their computer, in easy reach and in plaintext there is some time before the actual harm is done. This is when the regularly updated antivirus comes in – even if something slipped in, it might be not too late to cure it. So the tips on avoiding being exploited by Trojans like this one are obvious: don't store unencrypted credentials on the same PC you are using to access any important services, keep the software updated and don't download remote computer access software from shady sources.”