- Russian hackers are targeting embassies in Europe via a trojanized spin of TeamViewer.
- The actors seem to know somehow who are working on the financial departments, as they focus on these employees.
- The bait is a document that supposedly contains confidential US military financing information.
Check Point researchers warn of an ongoing campaign that targets high standing officials, representatives of financial institutions, and several embassies in Europe. The malicious actors are sending a document in the form of an attachment which allows them to download and install the TeamViewer remote access application on the infected system and then utilize it to take full control of victim’s computer. According to the researchers, the trace evident points to Russian hackers who have authored their own attack tools.
When using a document as a decoy make sure you’re making it a good one, and in the case of the “FINTEAM” campaign, the actors thought that they should go full-on as they are targeting high-profile agencies. This is why the document that starts the infection is supposedly related to a US military financing program, featuring the logo of the US Department of State, and the “top secret” classification. The XLSM document is of course a fake one, and the whole point is to run the malicious macro code that hides inside it. If the user is intrigued by the attachment and enabled the macro, the code runs leading to the execution of an AutoHotKeyU32.exe file, which sends a POST request to the C&C server. The command server sends back a script with additional commands, and a script that downloads and executes the TeamViewer app.
The scripts that run at this point enable the malware to take screenshots of the victim’s computer and send them to the C&C, as well as to gather harderware and user information and send them to the actors as well. The TeamViewer that is downloaded is not a standard version of the software, as the hackers have modified it to serve them as needed. For example, its interface is hidden from the victim, so they can’t see that it’s running on their system. This trojanized TeamViewer version also possesses the capacity to delete its user logs, or even itself, possibly to avoid tracing.
Check Point’s telemetry data shows that the embassies that have been hit thus far include those of Nepal, Guyana, Kenya, Italy, Liberia, Bermuda, and Lebanon, while the computers that were targeted show a specific aim at employees who work in the financial sector. The motives of the attackers are thought to be entirely financial, as there’s no political connection between the targeted countries and Russia.