URL: https://blog.cyble.com/2023/07/13/trojanized-application-preying-on-teamviewer-users/

TROJANIZED APPLICATION PREYING ON TEAMVIEWER USERS

 * July 13, 2023




THREAT ACTOR MODIFIES TEAMVIEWER INSTALLER TO DELIVER NJRAT



Cyble Research & Intelligence Labs (CRIL) has been monitoring several instances
in which well-known applications and tools were used as a delivery mechanism
for malicious files. Threat Actors (TAs) leverage the trust users place in
these applications to get them to download and execute the trojanized copy.

We encountered a notable incident involving the deceptive utilization of a
TeamViewer application file. TeamViewer, a widely adopted software application,
facilitates remote control, desktop sharing, online meetings, file transfers,
and collaborative work across various devices.

Our preliminary investigation found that njRAT is frequently distributed with a
technique TAs favour: repackaging popular, legitimate applications such as
TeamViewer, Wireshark, and Process Hacker so that the user receives the genuine
program together with the malware.

njRAT, commonly called Bladabindi, is a type of Remote Access Trojan (RAT)
initially uncovered in 2012. This malware is primarily employed in attacks aimed
at organizations located in Middle Eastern nations.

njRAT can perform various malicious activities such as logging keystrokes,
taking screenshots, stealing passwords, exfiltrating data, accessing webcams and
microphones, downloading additional files, etc.


INITIAL INFECTION



In addition to its typical distribution methods, such as phishing campaigns,
cracked software on filesharing websites, and drive-by downloads, this njRAT
sample is also being distributed through trojanized applications.


TECHNICAL ANALYSIS




The malware sample we have identified is a 32-bit Smart Installer, with a SHA
256 hash of “224ae485b6e4c1f925fff5d9de1684415670f133f3f8faa5f23914c78148fc31”
(shown in the figure below).

Figure 1 – Static file Details



Upon execution, the installer drops two files into the Windows folder, both
with "TeamViewer" in their names. One of the dropped files is njRAT; the other
is a genuine TeamViewer application, as shown in the figure below.

Figure 2 – Files dropped in the Windows folder



After dropping the files in the Windows folder, the installer triggers the
execution of “TeamViewer Starting.exe” (njRAT) and subsequently launches the
legitimate “teamviewer.exe” application.

The figure below shows the user prompt window, which offers the option to
proceed with the TeamViewer installation.

Figure 3 – TeamViewer installation wizard



Simultaneously, the njRAT initiates its installation process by copying itself
into the “AppData\Local\Temp” directory with the filename “system.exe“. This
technique is designed to make the malicious process less noticeable to the end
user by using a filename that resembles a legitimate Windows file. It will then
execute the newly dropped file as a new process. The below figure illustrates
the sequence of processes involved when executing the Trojanized TeamViewer
installer.

Figure 4 – Process chain



Once the new process is launched, njRAT creates a named mutex. A mutex is a
kernel synchronisation object; here it serves as a single-instance guard: if
the mutex already exists, another copy of the RAT is running and the new copy
exits, which prevents two instances from running side by side and avoids
reinfecting the victim.

The mutex name is "301b5fcf8ce2fab8868e80b6c1f912fe". The mutex name and the
rest of the configuration are hardcoded into the njRAT binary, and the same
string is reused below as the registry value name and the startup file name,
which makes it a convenient host-based indicator.

The below image shows the complete configuration details of the njRAT.

Figure 5 – njRAT configuration



Next, njRAT sets the environment variable "SEE_MASK_NOZONECHECKS" to 1 and
persists it in the registry. When this variable is set, the ShellExecute family
of functions skips the zone check on files that carry a Zone.Identifier
("mark of the web"), so the "Open File - Security Warning" dialog that Windows
would normally show for files downloaded from the Internet is never presented
to the user, and the malware can launch such files unhindered.

The image below shows the registry value added by njRAT to adjust the security
settings in the victim’s machine.

Figure 6 – Changing security settings in the registry



Afterwards, the RAT adds a Windows Firewall rule that allows its own executable
through the host firewall, so that its subsequent communication with the
Command and Control (C&C) server is not blocked.

The figure below shows the code used by njRAT to add the firewall rule.

Figure 7 – Firewall rule




PERSISTENCE



The malware then uses two distinct methods to achieve persistence. The first is
creating an autorun entry under each of the two Run keys (the HKLM entry can
only be written if the RAT is running with administrative privileges):

 1. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value name: 301b5fcf8ce2fab8868e80b6c1f912fe
    Value data: "C:\Users\[User Profile]\AppData\Local\Temp\System.exe"

 2. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value name: 301b5fcf8ce2fab8868e80b6c1f912fe
    Value data: "C:\Users\[User Profile]\AppData\Local\Temp\System.exe"

The second method is copying itself into the user's Startup folder:

"C:\Users\[User Profile]\AppData\Roaming\Microsoft\Windows\Start
Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe"

Either way, the RAT is started again at every logon of the affected user (Run
keys and the Startup folder fire at logon, not at boot). The image below shows
the file in the Startup folder.

Figure 8 – Adding Self copy in the startup location




COLLECTION



Once the initial configuration is complete, njRAT starts keylogging. It spawns a
dedicated thread that loops continuously and polls the keyboard with the
GetAsyncKeyState function, which reports whether a given key is currently
pressed.

Whenever a key press is detected, the thread appends the corresponding key
information to a newly created file named "System.exe.tmp" in the
"%appdata%/temp" location. The loop sleeps for 1 ms between iterations, so
keystrokes are captured continuously and buffered in that file until they are
sent to the C&C server.

The figure below shows the njRAT’s keylogger function code.

Figure 9 – Keylogger function and values
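The host artifacts described in the preceding sections (the SEE_MASK_NOZONECHECKS value, the firewall rule, the self-copy to Temp, the two Run-key entries, the Startup-folder copy, and the System.exe.tmp keylog buffer) can be hunted for in endpoint telemetry. The following Python is an added example and is not code from Cyble or from the njRAT sample; the events are constructed, not real logs, and use a simplified Sysmon-like schema. Two assumptions are labelled in the code: that the environment variable is persisted under HKCU\Environment, and that the firewall rule is added through netsh (Figure 7 is not reproduced here).

```python
"""Hunt for the njRAT host artifacts described above in Sysmon-style events.

Added example, not code from the write-up. The events below are constructed
(not real telemetry) and use a simplified Sysmon-like schema: EventID 1 =
process create, 11 = file create, 13 = registry value set. Registry paths are
written with HKCU/HKLM hives for readability; real Sysmon logs HKU\\<SID>.
"""
import re
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, object]

# Values taken from the write-up.
MUTEX_NAME = "301b5fcf8ce2fab8868e80b6c1f912fe"  # mutex, Run value name, startup file name
RUN_KEYS = (
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
# Assumption: the per-user environment variable is persisted under HKCU\Environment.
NOZONE_VALUE = r"HKCU\Environment\SEE_MASK_NOZONECHECKS"
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
TEMP_COPY_RE = re.compile(r"\\AppData\\Local\\Temp\\system\.exe$", re.I)
# Assumption: the rule is added with netsh (Figure 7 is not reproduced here).
NETSH_FW_RE = re.compile(
    r"\bnetsh\s+(advfirewall\s+firewall\s+add\s+rule|firewall\s+add\s+allowedprogram)\b", re.I
)


def score_event(ev: Event) -> List[str]:
    """Return the list of njRAT artifacts matched by a single event."""
    findings: List[str] = []
    eid = ev.get("EventID")
    if eid == 13:  # registry value set
        target = str(ev.get("TargetObject", ""))
        details = str(ev.get("Details", ""))
        if target.lower() == NOZONE_VALUE.lower() and details.strip() == "1":
            findings.append("SEE_MASK_NOZONECHECKS=1: mark-of-the-web security prompt suppressed")
        for key in RUN_KEYS:
            if target.lower().startswith(key.lower() + "\\"):
                value_name = target.rsplit("\\", 1)[-1]
                if value_name.lower() == MUTEX_NAME or TEMP_COPY_RE.search(details):
                    findings.append(f"Run-key persistence: {target} = {details}")
    elif eid == 11:  # file create
        path = str(ev.get("TargetFilename", ""))
        if STARTUP_RE.search(path) and MUTEX_NAME in path.lower():
            findings.append(f"Startup-folder persistence: {path}")
        elif TEMP_COPY_RE.search(path):
            findings.append(f"self-copy masquerading as system.exe: {path}")
        elif path.lower().endswith("\\system.exe.tmp"):
            findings.append(f"keylog buffer created: {path}")
    elif eid == 1:  # process create
        image = str(ev.get("Image", ""))
        cmdline = str(ev.get("CommandLine", ""))
        if NETSH_FW_RE.search(cmdline):
            findings.append(f"firewall rule added via netsh: {cmdline}")
        if TEMP_COPY_RE.search(image):
            findings.append(f"system.exe launched from Temp (parent {ev.get('ParentImage', '?')})")
    return findings


def hunt(events: Iterable[Event]) -> List[Tuple[int, str]]:
    """Run score_event over a stream and return (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in score_event(ev)]


# Constructed sample telemetry following the process chain in the write-up.
USER = r"C:\Users\victim"
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": USER + r"\AppData\Local\Temp\system.exe",
     "ParentImage": r"C:\Windows\TeamViewer Starting.exe", "CommandLine": '"system.exe"'},
    {"EventID": 13, "TargetObject": NOZONE_VALUE, "Details": "1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh firewall add allowedprogram "' + USER
                    + r'\AppData\Local\Temp\system.exe" "system.exe" ENABLE'},
    {"EventID": 13, "TargetObject": RUN_KEYS[0] + "\\" + MUTEX_NAME,
     "Details": USER + r"\AppData\Local\Temp\System.exe"},
    {"EventID": 13, "TargetObject": RUN_KEYS[1] + "\\" + MUTEX_NAME,
     "Details": USER + r"\AppData\Local\Temp\System.exe"},
    {"EventID": 11, "TargetFilename": USER + r"\AppData\Roaming\Microsoft\Windows"
                                      r"\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe"},
    {"EventID": 11, "TargetFilename": USER + r"\AppData\Local\Temp\System.exe.tmp"},
    # Benign noise that must not match.
    {"EventID": 13, "TargetObject": RUN_KEYS[0] + r"\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Run against the constructed stream, the seven malicious events each produce one finding and the two benign events produce none. The mutex itself is not visible in Sysmon events, which is why the rules key on the reuse of its name as the Run value and Startup file name instead; on a live host the same name can be checked with Sysinternals Handle or a mutex enumeration tool.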



In addition to capturing keystrokes, the RAT also collects various system
information such as the Windows operating system version, the service pack, the
current date, the username, information about webcams, system architecture, and
specific registry keys. The gathered data is encoded using the base64 encoding
scheme to facilitate exfiltration.

The image below shows the partial function code for collecting system
information for exfiltration.

Figure 10 – RAT collects the System information for exfiltration



Once the data is collected, the malicious sample establishes a connection with a
Command and Control (C&C) server to transmit the gathered information. The C&C
address and listening port are preconfigured within the file, as indicated in
Figure 5.

Subsequently, njRAT enters a dormant state, awaiting instructions from the C&C
server. The malware compares the received command against a predetermined set of
hardcoded commands and proceeds to execute the specified action accordingly.

By the time the user reaches the TeamViewer application, the RAT has already
carried out these operations on the compromised system in the background.

The following image shows the TeamViewer window after the RAT has finished its
setup.

Figure 11 – TeamViewer window




CONCLUSION



Despite being more than a decade old, njRAT remains one of the RATs most
favoured by TAs. The distribution method seen here also shows how readily TAs
adapt, spreading malware inside copies of widely used applications. An attack
of this kind is a significant threat to the privacy, security, and integrity
of the affected systems. Cyble Research and Intelligence Labs (CRIL) actively
monitors trojanized applications to keep our readers informed about them.


RECOMMENDATIONS



 * Download tools and applications only from the vendor's official website;
   avoid third-party download sites and mirrors.
 * Before running an installer, check its digital signature (file Properties >
   Digital Signatures); a repackaged installer will not carry the vendor's
   signature.
 * Turn on automatic software updates on computers, mobile devices, and other
   connected devices wherever possible and pragmatic.
 * Use a reputable anti-virus and Internet security package on all connected
   devices, including PCs, laptops, and mobile devices.
 * Do not open untrusted links or email attachments without verifying their
   authenticity.


MITRE ATT&CK® TECHNIQUES



Tactic               Technique ID   Technique Name
Execution            T1204          User Execution
Execution            T1059          Command and Scripting Interpreter
Persistence          T1547          Boot or Logon Autostart Execution
Defense Evasion      T1036          Masquerading
Discovery            T1082          System Information Discovery
Discovery            T1057          Process Discovery
Discovery            T1012          Query Registry
Collection           T1056          Input Capture
Command and Control  T1071          Application Layer Protocol
Command and Control  T1095          Non-Application Layer Protocol


INDICATORS OF COMPROMISE (IOCS)



Indicator                                                          Type     Description
224ae485b6e4c1f925fff5d9de1684415670f133f3f8faa5f23914c78148fc31   SHA256   Trojanized TeamViewer installer
9b9539fec7d0227672717e126a9b46cda3315895                           SHA1     Trojanized TeamViewer installer
11aacb03c7e370d2b78b99efe9a131eb                                   MD5      Trojanized TeamViewer installer
9bcb093f911234d702a80a238cea14121c17f0b27d51bb023768e84c27f1262a   SHA256   system.exe / TeamViewer Starting.exe (njRAT)
b2f847dce91be5f5ea884d068f5d5a6d9140665c                           SHA1     system.exe / TeamViewer Starting.exe (njRAT)
8ccbb51dbee1d8866924610adb262990                                   MD5      system.exe / TeamViewer Starting.exe (njRAT)
hxxp://kkk[.]no-ip[.]biz                                           URL      C&C
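The indicators above are published defanged (hxxp, [.]) and with the hash type only implied by the row. The following Python is an added example, not code from Cyble, that refangs the URL, classifies each hash by length and hex validity, and extracts the C&C hostname for blocking; the indicator values are the ones in the table, the helper names are mine.

```python
"""Normalize the defanged indicators in the IOC table above.

Added example, not code from the write-up. The indicator values are the ones
published in the table; the helper names are mine.
"""
import re
from typing import Dict, List, Tuple

# (indicator as printed, description), defanged exactly as in the table.
RAW_IOCS: List[Tuple[str, str]] = [
    ("224ae485b6e4c1f925fff5d9de1684415670f133f3f8faa5f23914c78148fc31", "Trojanized TeamViewer installer"),
    ("9b9539fec7d0227672717e126a9b46cda3315895", "Trojanized TeamViewer installer"),
    ("11aacb03c7e370d2b78b99efe9a131eb", "Trojanized TeamViewer installer"),
    ("9bcb093f911234d702a80a238cea14121c17f0b27d51bb023768e84c27f1262a", "system.exe / TeamViewer Starting.exe (njRAT)"),
    ("b2f847dce91be5f5ea884d068f5d5a6d9140665c", "system.exe / TeamViewer Starting.exe (njRAT)"),
    ("8ccbb51dbee1d8866924610adb262990", "system.exe / TeamViewer Starting.exe (njRAT)"),
    ("hxxp://kkk[.]no-ip[.]biz", "C&C"),
]

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
URL_RE = re.compile(r"^https?://", re.I)


def refang(value: str) -> str:
    """Undo the usual defanging: hxxp(s) -> http(s), [.] and (.) -> ., [:] -> :."""
    out = re.sub(r"^hxxp", "http", value.strip(), flags=re.I)
    return out.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(value: str) -> Dict[str, str]:
    """Map one indicator string to {"type", "value"} (plus "host" for URLs)."""
    v = value.strip().lower()
    if len(v) in HASH_TYPES and HEX_RE.match(v):
        return {"type": HASH_TYPES[len(v)], "value": v}
    refanged = refang(value)
    if URL_RE.match(refanged):
        host = re.split(r"[/:?#]", refanged.split("://", 1)[1], maxsplit=1)[0].lower()
        return {"type": "url", "value": refanged, "host": host}
    raise ValueError(f"unrecognised indicator: {value!r}")


def normalize(raw: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Classify every row, attaching its description."""
    return [dict(classify(val), description=desc) for val, desc in raw]


def blocklist_hosts(raw: List[Tuple[str, str]]) -> List[str]:
    """Hostnames to block: only the specific host, never the dynamic-DNS parent domain."""
    return sorted({i["host"] for i in normalize(raw) if i["type"] == "url"})


if __name__ == "__main__":
    for ioc in normalize(RAW_IOCS):
        print(ioc)
    print("block:", blocklist_hosts(RAW_IOCS))
```

Note that the C&C host sits under no-ip.biz, a dynamic-DNS provider with many unrelated tenants, so the blocklist entry is the full hostname kkk.no-ip.biz rather than the parent domain; blocking the latter would break legitimate traffic. An input that is neither a valid hash length nor a URL raises ValueError rather than being silently dropped.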

About Us 


Cyble is a global threat intelligence SaaS provider that helps enterprises
protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus
is to provide organizations with real-time visibility to their digital risk
footprint.

Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been
recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch
In 2020.

Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore,
Dubai and India, Cyble has a global presence. To learn more about Cyble,
visit www.cyble.com.  



© 2023. Cyble Inc. All Rights Reserved