Recently, Check Point researchers spotted a targeted attack against officials within government finance authorities and representatives in several embassies in Europe. The attack, which starts with a malicious attachment disguised as a top secret US document, weaponizes TeamViewer, the popular remote access and desktop sharing software, to gain full control of the infected computer.
By investigating the entire infection chain and attack infrastructure, we were able to track previous operations that share many characteristics with this attack’s inner workings. We also came across an online avatar of a Russian-speaking hacker, who seems to be in charge of the tools developed and used in this attack.
In this article, we will discuss the infection chain, those targeted, the tools used and a possible attribution to one of the hackers behind the attack.
The Infection Chain
The infection flow starts with an XLSM document with malicious macros, which is sent to potential victims via e-mail under the subject “Military Financing Program”:
Email subject: military financing program
File name: “Military Financing.xlsm”
Fig 1: Decoy document
The well-crafted document bears the logo of the U.S. Department of State, and is marked as Top Secret. Although the attackers have worked hard to make the document appear convincing, they seem to have overlooked some Cyrillic artifacts (such as the Workbook name) that were left in the document, and could potentially reveal more information about the source of this attack.
Fig 2: The infection chain
Once the macros are enabled, two files are extracted from hex encoded cells within the XLSM document:
- A legitimate AutoHotkeyU32.exe program.
- AutoHotkeyU32.ahk: an AHK script which sends a POST request to the C&C server and can receive additional AHK script URLs to download and execute.
Three different AHK scripts wait on the server for the next stage:
- hscreen.ahk: Takes a screenshot of the victim’s PC and uploads it to the C&C server.
- hinfo.ahk: Sends the victim’s username and computer information to the C&C server.
- htv.ahk: Downloads a malicious version of TeamViewer, executes it and sends the login credentials to the C&C server.
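Because the first stage hides its two files as hex strings inside worksheet cells, a defender can triage suspicious XLSM files by walking the OOXML sheets and checking whether any cell decodes to a PE header. The following is an added example written for this article, not Check Point's tooling; the workbook it scans is constructed in the script itself, and a real dropper may split the hex across several cells, which this per-cell check would need to be extended to handle.

```python
"""Scan an XLSM/XLSX workbook for cells holding hex-encoded PE files (added example)."""
import io
import re
import zipfile
from xml.etree import ElementTree as ET

SML_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
# A hex run of at least 64 bytes; shorter runs are far more likely to be ordinary data.
HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2}){64,}")


def cell_strings(xlsm_bytes):
    """Yield every <t> text node from the shared-string table and all worksheets."""
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("xl/worksheets/") or name == "xl/sharedStrings.xml"):
                continue
            root = ET.fromstring(zf.read(name))
            for node in root.iter("{%s}t" % SML_NS):
                if node.text:
                    yield node.text


def find_hex_payloads(xlsm_bytes):
    """Return (magic, decoded_length) for each cell whose hex content starts with 'MZ'."""
    hits = []
    for text in cell_strings(xlsm_bytes):
        for run in HEX_RUN.findall(text):
            data = bytes.fromhex(run)
            if data[:2] == b"MZ":  # DOS/PE header, as in the embedded AutoHotkeyU32.exe
                hits.append(("MZ", len(data)))
    return hits


def build_sample_xlsm(payload: bytes) -> bytes:
    """Constructed fixture: a minimal workbook with `payload` hex-encoded in cell A1."""
    sheet = (
        '<worksheet xmlns="%s"><sheetData><row r="1">'
        '<c r="A1" t="inlineStr"><is><t>%s</t></is></c>'
        "</row></sheetData></worksheet>"
    ) % (SML_NS, payload.hex().upper())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


if __name__ == "__main__":
    fake_pe = b"MZ" + b"\x00" * 126  # constructed stand-in for a dropped executable
    print(find_hex_payloads(build_sample_xlsm(fake_pe)))  # [('MZ', 128)]
```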
The malicious TeamViewer DLL (TV.DLL) is loaded via the DLL side-loading technique, and is used to add more “functionality” to TeamViewer by hooking Windows APIs called by the program.
Modified functionality includes:
- Hiding the interface of TeamViewer, so that the user would not know it is running.
- Saving the current TeamViewer session credentials to a text file.
- Allowing the transfer and execution of additional EXE or DLL files.
Fig 3: MoveFileW function hook: adds payload “execute” and “inject” functionality.
The following is a demonstration of how it actually works:
Fig 4: Remote payload execution demo
As described in the infection flow, one of the first uses of the AutoHotkey scripts is to upload a screenshot from the compromised PC.
The directory which those screenshots were uploaded to was left exposed, and could have been viewed by browsing to the specific URL:
Fig 5: Open directory with victims’ screenshots
However, those screenshot files were deleted periodically from the server, and eventually the “open directory” view was disabled.
Until that time, we were able to ascertain some of the victims of these attacks, as most of the screenshots included identifying information.
From the targets we have observed in our own telemetry, as well as the information we have gathered from the server, we were able to compose a partial list of countries where officials were targeted:
It is hard to tell if there are geopolitical motives behind this campaign by looking solely at the list of countries it was targeting, since it was not after a specific region and the victims came from different places in the world.
Nevertheless, the observed victims list reveals a particular interest of the attacker in the public financial sector, as they all appear to be handpicked government officials from several revenue authorities.