Zscaler: Malware Buries Itself Into TeamViewer
The operators behind the Minebridge remote-access Trojan have updated the malware, which is targeting security researchers by using a malicious payload disguised in an attached document, according to the security firm Zscaler.
The newly discovered version of the RAT is embedded in a macro-based Word document file. When a recipient clicks on the malicious link, Minebridge buries itself into the remote desktop software TeamViewer, which enables the hackers to deploy more malware or spy on the victim’s device.
“We have recently observed other instances of threat actors targeting security researchers with social engineering techniques. The use of social engineering tactics targeting security teams appears to be on an upward trend,” Zscaler notes.
Zscaler researchers also observed updated tactics, techniques and procedures since the last instance of the malware the security firm observed in March 2020.
FireEye researchers first observed this malware targeting U.S. financial firms in January 2020. At that time, the operators were planting the Minebridge backdoor into corporate networks to deliver other malware and allow attackers to map the infrastructure, FireEye said (see: Financial Firms Targeted With New Type of Backdoor: Report).
Zscaler researchers analyzed a phishing campaign targeting security researchers with messages that appeared to come from someone with threat intelligence analyst experience who was looking for a job, according to the report. The malicious payload was disguised in an attached resume document.
When a recipient clicks on the malicious link, macros are enabled and display a message, “File successfully converted from PDF.” Then a decoy document resembling the job resume is displayed.
The macro code uses a basic string obfuscation, constructs a command line and then executes it using Windows Management Instrumentation, which leverages the Windows utility finger.exe to download encoded content from the IP addresses.
“The encoded content is decoded using the legitimate Windows utility certutil.exe and executed,” the researchers note. The use of finger.exe to download the encoded content from the command-and-control server is one of the major TTP changes made by this hacking group.
“We see an increase in usage of living-off-the-land binaries by the threat actor to download, decode, and execute the content in this new instance,” the Zscaler researchers note.
Minebridge then executes a self-extracting archive, which, when executed, drops the legitimate TeamViewer binaries, DLLs and some document files.
“Execution flow starts with the binary called defrender.exe, which is masked to appear as a Windows Defender binary,” the researchers note.
The Zscaler researchers found the binary defrender.exe is a legitimate TeamViewer application, version 11.2.2150.0, which is vulnerable to DLL side loading due to vague DLL references in the application’s library manifest. Researchers say that upon execution, it loads the msi.dll binary present in the same directory, which performs further malicious activity in the system.
Earlier, FireEye found that the malware was written in C++ programming language and that it implants itself within Microsoft TeamViewer, remote desktop software that allows an outside party to connect to a Windows device. Once installed, the backdoor attempts to connect to a command-and-control server controlled by the attackers.
If successfully installed, the malware gives the attackers capabilities such as “executing payloads, downloading arbitrary files, self-deletion and updating, process listing, shutting down and rebooting the system, executing arbitrary shell commands, process elevation, turning on/off TeamViewer’s microphone and gathering system [User Access Control] information,” FireEye researchers reported.
Zscaler says it has moderate confidence that the attack was carried out by TA505, an advanced persistent threat group that has been active since at least 2014.
“The job resume theme and C&C infrastructure used in this new instance is consistent and in line with these former attacks. Due to the low volume of samples we identified for this new attack, we attribute it to the same threat actor with a moderate confidence level,” Zscaler says.
The FireEye researchers also found that Minebridge uses a loader call Minedoor, which is associated with TA505. TA505 had previously used Minedoor to deliver backdoor malware called Friendspeak.