
TeamViewer hacked, unleashing ransomware fury


TLDR:

Cybersecurity researchers at Huntress recently discovered that hackers are abusing the remote access software TeamViewer to launch ransomware attacks. TeamViewer is attractive to threat actors because of its widespread use and the remote control it provides over systems. In recent incidents, the threat actors used TeamViewer to gain access to two endpoints, but were prevented from causing significant damage by security software. The attackers used TeamViewer for tasks such as deploying crypto miners and exfiltrating data using curl.exe. The ransomware attack began with a DOS batch file, which then executed a “rundll32.exe” command. One endpoint was affected by the ransomware, while security software on the other endpoint blocked the threat actor’s attempts to encrypt files. It is important for organizations to track physical and virtual endpoints and installed apps to ensure proper security.

Key Points:

  • Hackers are exploiting TeamViewer to launch ransomware attacks
  • TeamViewer provides remote access to systems, making it an attractive target for threat actors
  • Hackers have used TeamViewer for deploying crypto miners and exfiltrating data
  • The ransomware attack begins with a DOS batch file and a “rundll32.exe” command
  • Organizations should track physical and virtual endpoints and installed apps for proper security

Cybersecurity researchers at Huntress have recently discovered that hackers are abusing the remote access software TeamViewer to launch ransomware attacks. TeamViewer provides remote access to systems, allowing users to control them from a different location. This capability makes TeamViewer an attractive target for threat actors who seek to exploit vulnerabilities and conduct social engineering attacks. In recent incidents, the threat actors used TeamViewer to gain access to two endpoints, A and B. Huntress analysts found that the same source endpoint name had connected to both endpoints, with timestamps recorded for each session. On endpoint A, legitimate admin sessions were noted, while on endpoint B the threat actor's access was a single 10-minute session. Previous incidents have linked TeamViewer to threat actors deploying crypto miners and using curl.exe for data exfiltration.

On both endpoints, the ransomware deployment began with a DOS batch file, “PP.bat,” launched from the user’s desktop. This batch file ran a “rundll32.exe” command that executed a specific DLL file. On endpoint A the ransomware's impact was confined to that single endpoint. On endpoint B, however, security software blocked the threat actor, resulting in multiple failed attempts to encrypt files. Log messages showed the DLL file being quarantined, after which the threat actor tried to launch another file, which was eventually quarantined as well.
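The two observations above, a single remote source connecting to multiple endpoints and rundll32.exe spawned from a desktop batch file, can be turned into a simple detection. The following is an added example written for this summary, not Huntress's or TeamViewer's code; the log layout is assumed to mirror TeamViewer's tab-separated incoming-connection log, and all log lines, IDs and paths are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one incoming-connection log per endpoint.
# Layout assumed: remote ID, display name, start, end, local user, type, connection ID.
SAMPLE_LOGS = {
    "ENDPOINT-A": (
        "123456789\tITADMIN-PC\t15-01-2024 09:02:11\t15-01-2024 09:40:30\tadmin\tRemoteControl\t{a1}\n"
        "987654321\tREMOTE-OPS\t16-01-2024 22:14:02\t16-01-2024 22:24:19\tjdoe\tRemoteControl\t{a2}\n"
    ),
    "ENDPOINT-B": (
        "987654321\tREMOTE-OPS\t16-01-2024 22:31:45\t16-01-2024 22:41:58\tmsmith\tRemoteControl\t{b1}\n"
    ),
}

TS = "%d-%m-%Y %H:%M:%S"  # assumed timestamp format of the log


def parse_sessions(host, text):
    """Parse one endpoint's log into session records with duration in minutes."""
    sessions = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 7:
            continue  # skip malformed or truncated lines
        remote_id, name, start, end, user = fields[:5]
        start_dt, end_dt = datetime.strptime(start, TS), datetime.strptime(end, TS)
        sessions.append({"host": host, "remote_id": remote_id, "name": name, "user": user,
                         "start": start_dt, "minutes": (end_dt - start_dt).total_seconds() / 60})
    return sessions


def find_shared_sources(logs):
    """Return remote IDs that opened sessions on more than one endpoint,
    each with its sessions in time order: the pivot described above."""
    by_source = defaultdict(list)
    for host, text in logs.items():
        for s in parse_sessions(host, text):
            by_source[s["remote_id"]].append(s)
    return {rid: sorted(ss, key=lambda s: s["start"])
            for rid, ss in by_source.items() if len({s["host"] for s in ss}) > 1}


def is_suspicious_rundll32(parent_cmdline, cmdline):
    """Flag rundll32.exe whose parent is cmd.exe running a .bat from a user's Desktop."""
    return (re.search(r"rundll32\.exe", cmdline, re.I) is not None
            and re.search(r"cmd\.exe.*\\Desktop\\[^\\]+\.bat", parent_cmdline, re.I) is not None)
```

Feeding real connection logs in place of SAMPLE_LOGS and process-creation events into is_suspicious_rundll32 gives two independent signals that can be correlated by host and time.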

It is important for organizations to maintain an asset inventory that covers physical and virtual endpoints as well as installed applications. This ensures that proper security measures can be implemented to protect against malicious actors. The use of TeamViewer and other remote access software should be carefully monitored to prevent unauthorized access and potential security breaches.
