blog.cyble.com
URL:
https://blog.cyble.com/2023/07/13/trojanized-application-preying-on-teamviewer-users/
Submission: On July 17 via api from TR — Scanned from DE
TROJANIZED APPLICATION PREYING ON TEAMVIEWER USERS
July 13, 2023

THREAT ACTOR MODIFIES TEAMVIEWER INSTALLER TO DELIVER NJRAT

Cyble Research & Intelligence Labs (CRIL) has been monitoring several instances where well-known applications and tools have been abused as a delivery mechanism for malicious files. Threat Actors (TAs) leverage the trust associated with these applications to deceive users into downloading and executing them. We encountered a notable incident involving the deceptive use of a TeamViewer application file. TeamViewer is a widely adopted application that facilitates remote control, desktop sharing, online meetings, file transfers, and collaborative work across various devices.

Our preliminary investigation uncovered a significant correlation between the dissemination of the njRAT malware and a technique favored by TAs: exploiting the trust and prevalence of popular, legitimate applications such as TeamViewer, Wireshark, Process Hacker, and others.

njRAT, commonly called Bladabindi, is a Remote Access Trojan (RAT) first uncovered in 2012. This malware is primarily employed in attacks aimed at organizations located in Middle Eastern nations. njRAT can perform various malicious activities such as logging keystrokes, taking screenshots, stealing passwords, exfiltrating data, accessing webcams and microphones, and downloading additional files.

INITIAL INFECTION

In addition to its typical distribution methods, such as phishing campaigns, cracked software on file-sharing websites, and drive-by downloads, this njRAT sample is also being distributed through trojanized applications.

TECHNICAL ANALYSIS
The malware sample we identified is a 32-bit Smart Installer with the SHA256 hash “224ae485b6e4c1f925fff5d9de1684415670f133f3f8faa5f23914c78148fc31” (shown in the figure below).

Figure 1 – Static file details

Upon execution, the installer drops two files in the Windows folder; the names of both files include the term “TeamViewer”. One of the dropped files is njRAT, while the other is a genuine TeamViewer application, as shown in the figure below.

Figure 2 – Files dropped in the Windows folder

After dropping the files, the installer triggers the execution of “TeamViewer Starting.exe” (njRAT) and subsequently launches the legitimate “teamviewer.exe” application. The figure below displays the user prompt window, which offers the option to proceed with the TeamViewer installation.

Figure 3 – TeamViewer installation wizard

Simultaneously, njRAT begins its own installation by copying itself into the “AppData\Local\Temp” directory under the filename “system.exe”. This technique is designed to make the malicious process less noticeable to the end user by using a filename that resembles a legitimate Windows file. It then executes the newly dropped file as a new process. The figure below illustrates the sequence of processes involved when the trojanized TeamViewer installer is executed.

Figure 4 – Process chain

Once the new process is launched, njRAT creates a mutex (mutual exclusion object) as a locking mechanism to prevent two threads from writing to shared memory simultaneously and to avoid reinfecting the victim. The name of the mutex is “301b5fcf8ce2fab8868e80b6c1f912fe”. The mutex name and other configuration values are hardcoded into the njRAT binary. The image below shows the complete configuration of the njRAT sample.
Figure 5 – njRAT configuration

njRAT then sets the “SEE_MASK_NOZONECHECKS” environment variable in the Windows registry to 1, adjusting the security settings. This change allows the malware to operate unhindered, bypassing the security warning prompts or dialog boxes that would typically be presented to the end user. The image below shows the registry value added by njRAT to adjust the security settings on the victim’s machine.

Figure 6 – Changing security settings in the registry

Afterwards, the RAT creates a firewall rule that allows its upcoming communication with its Command and Control (C&C) server. The figure below shows the code used by njRAT to add the firewall rule.

Figure 7 – Firewall rule

PERSISTENCE

The malware then implements two distinct methods to achieve persistence. The first involves creating two autorun entries in the system registry:

* HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Value name: 301b5fcf8ce2fab8868e80b6c1f912fe
  Value data: “C:\Users\[User Profile]\AppData\Local\Temp\System.exe”
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Value name: 301b5fcf8ce2fab8868e80b6c1f912fe
  Value data: “C:\Users\[User Profile]\AppData\Local\Temp\System.exe”

The second method copies the malware into the startup directory:

“C:\Users\[User Profile]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe”

By doing so, the malware ensures that it runs automatically every time the system boots. The image below shows the file located in the startup folder.

Figure 8 – Adding a self-copy in the startup location

COLLECTION

After the initial configuration is complete, njRAT engages in keylogging. To achieve this, the RAT creates a dedicated thread that runs a continuous loop to monitor keystrokes.
This monitoring is implemented with the GetAsyncKeyState function, which detects key presses. Whenever a key press is detected, the thread captures the corresponding key information and stores it in a newly created file named “System.exe.tmp” in the “%appdata%/temp” location. The thread runs continuously with a delay of 1 ms between iterations, allowing ongoing monitoring of keystrokes and storage of the captured data. The figure below shows the njRAT keylogger function code.

Figure 9 – Keylogger function and values

In addition to capturing keystrokes, the RAT collects various system information, such as the Windows operating system version, the service pack, the current date, the username, information about webcams, the system architecture, and specific registry keys. The gathered data is base64-encoded to facilitate exfiltration. The image below shows part of the function that collects system information for exfiltration.

Figure 10 – RAT collects the system information for exfiltration

Once the data is collected, the sample establishes a connection with a Command and Control (C&C) server to transmit the gathered information. The C&C address and listening port are preconfigured within the file, as indicated in Figure 5. njRAT then enters a dormant state, awaiting instructions from the C&C server. The malware compares each received command against a predetermined set of hardcoded commands and executes the corresponding action.

Before the user gains access to the TeamViewer application, the RAT has already carried out its malicious operations within the compromised system. The following image displays the TeamViewer window after the RAT has run.

Figure 11 – TeamViewer window

CONCLUSION

Despite being in existence for almost a decade, njRAT remains a favored remote administration tool among TAs.
Additionally, the method of distributing njRAT demonstrates the resourcefulness and adaptability of TAs in spreading malware through widely used applications. This kind of attack poses a significant threat to the privacy, security, and integrity of affected systems. Cyble Research and Intelligence Labs (CRIL) actively monitors trojanized applications to keep our readers informed about them.

RECOMMENDATIONS

* Download tools and applications only from the official website; avoid third-party websites or sources.
* Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
* Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
* Refrain from opening untrusted links and email attachments without verifying their authenticity.

MITRE ATT&CK® TECHNIQUES

Tactic              | Technique ID | Technique Name
Execution           | T1204        | User Execution
Execution           | T1059        | Command and Scripting Interpreter
Persistence         | T1547        | Boot or Logon AutoStart Execution
Defense Evasion     | T1036        | Masquerading
Discovery           | T1082        | System Information Discovery
Discovery           | T1057        | Process Discovery
Discovery           | T1012        | Query Registry
Collection          | T1056        | Input Capture
Command and Control | T1071        | Application Layer Protocol
Command and Control | T1095        | Non-Application Layer Protocol

INDICATORS OF COMPROMISE (IOCS)

Indicators                                                       | Indicator Type | Description
224ae485b6e4c1f925fff5d9de1684415670f133f3f8faa5f23914c78148fc31 | SHA256         | Trojanized TeamViewer
9b9539fec7d0227672717e126a9b46cda3315895                         | SHA1           | Trojanized TeamViewer
11aacb03c7e370d2b78b99efe9a131eb                                 | MD5            | Trojanized TeamViewer
9bcb093f911234d702a80a238cea14121c17f0b27d51bb023768e84c27f1262a | SHA256         | system.exe / TeamViewer Starting.exe
b2f847dce91be5f5ea884d068f5d5a6d9140665c                         | SHA1           | system.exe / TeamViewer Starting.exe
8ccbb51dbee1d8866924610adb262990                                 | MD5            | system.exe / TeamViewer Starting.exe
hxxp://kkk[.]no-ip[.]biz                                         | URL            | C&C
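As an added example (written for this page, not code from Cyble's post or from the njRAT sample), the following PowerShell script checks a Windows host for the artifacts described in the Persistence and Collection sections and in the IoC table above: the two Run-key values, the Startup-folder copy, the Temp payload and keylogger buffer, TeamViewer-named files in the Windows folder, the SEE_MASK_NOZONECHECKS environment value, a firewall rule for the Temp payload, a running copy of the process, and the hard-coded mutex. It assumes the standard %LOCALAPPDATA%, %APPDATA% and %SystemRoot% locations and a per-user Startup folder; it only reports and changes nothing.

```powershell
# Added host-hunting example (editor's code, not from the Cyble post). Read-only:
# it lists the njRAT artifacts the post describes and removes nothing.
# Run in an elevated session so HKLM and firewall state are fully readable.

$Marker   = '301b5fcf8ce2fab8868e80b6c1f912fe'   # Run-key value name, Startup file name and mutex name from the post
$Findings = New-Object System.Collections.Generic.List[string]

# SHA256 values from the post's IoC table (lower-case for comparison)
$KnownSha256 = @{
    '224ae485b6e4c1f925fff5d9de1684415670f133f3f8faa5f23914c78148fc31' = 'Trojanized TeamViewer installer'
    '9bcb093f911234d702a80a238cea14121c17f0b27d51bb023768e84c27f1262a' = 'system.exe / TeamViewer Starting.exe'
}

# 1. Autorun values under both Run keys (Persistence section)
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $val = Get-ItemProperty -Path $key -Name $Marker -ErrorAction SilentlyContinue
    if ($val) { $Findings.Add("Run value '$Marker' in $key -> $($val.$Marker)") }
}

# 2. Self-copy in the per-user Startup folder
$startupCopy = Join-Path ([Environment]::GetFolderPath('Startup')) "$Marker.exe"
if (Test-Path -LiteralPath $startupCopy) { $Findings.Add("Startup copy present: $startupCopy") }

# 3. Dropped payload and keylogger buffer. The post names AppData\Local\Temp for
#    system.exe and %appdata%\temp for System.exe.tmp, so both Temp folders are checked.
$tempDirs = @("$env:LOCALAPPDATA\Temp", "$env:APPDATA\Temp")
foreach ($dir in $tempDirs) {
    foreach ($name in 'System.exe', 'System.exe.tmp') {
        $p = Join-Path $dir $name
        if (Test-Path -LiteralPath $p) { $Findings.Add("Temp artifact present: $p") }
    }
}

# 4. Files dropped into the Windows folder with 'TeamViewer' in the name (Figure 2)
$dropped = Get-ChildItem -Path $env:SystemRoot -Filter '*TeamViewer*' -File -ErrorAction SilentlyContinue
foreach ($f in $dropped) { $Findings.Add("TeamViewer-named file in Windows folder: $($f.FullName)") }

# 5. Compare every candidate file that exists against the published SHA256 values
$candidates = @($startupCopy)
$candidates += $tempDirs | ForEach-Object { Join-Path $_ 'System.exe' }
foreach ($f in $dropped) { $candidates += $f.FullName }
foreach ($p in $candidates) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
    if ($KnownSha256.ContainsKey($h)) { $Findings.Add("Hash match ($($KnownSha256[$h])): $p") }
}

# 6. Zone-check bypass: SEE_MASK_NOZONECHECKS=1 in the user or system environment (Figure 6)
$envKeys = 'HKCU:\Environment', 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
foreach ($k in $envKeys) {
    $e = Get-ItemProperty -Path $k -Name 'SEE_MASK_NOZONECHECKS' -ErrorAction SilentlyContinue
    if ($e -and "$($e.SEE_MASK_NOZONECHECKS)" -eq '1') { $Findings.Add("SEE_MASK_NOZONECHECKS=1 set in $k") }
}

# 7. Firewall rule whose program is the Temp\System.exe payload (Figure 7)
$appFilters = Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Program -like '*\Temp\System.exe' }
foreach ($af in $appFilters) {
    $rule = $af | Get-NetFirewallRule
    $Findings.Add("Firewall rule '$($rule.DisplayName)' (Action=$($rule.Action)) for $($af.Program)")
}

# 8. Live indicators: a running System.exe launched from Temp, and the hard-coded mutex
Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path -like '*\Temp\System.exe' } |
    ForEach-Object { $Findings.Add("Running process PID $($_.Id): $($_.Path)") }
try {
    [System.Threading.Mutex]::OpenExisting($Marker) | Out-Null
    $Findings.Add("Mutex '$Marker' exists in this session")
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Mutex not present: nothing to report
} catch [System.UnauthorizedAccessException] {
    $Findings.Add("Mutex '$Marker' exists (held by another process; no access rights)")
}

if ($Findings.Count -eq 0) { Write-Output 'No njRAT artifacts from the Cyble post found on this host.' }
else { $Findings | ForEach-Object { Write-Output "[!] $_" } }
```

Each check corresponds to one artifact the post documents, so a single hit is worth triage on its own; the hash comparison is the strongest signal, while the Run-key value name, Startup file name and mutex name are all the same hardcoded string and will change in other njRAT builds. The mutex check only sees the current session's namespace, so run it as the affected user.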