Several reports have surfaced online indicating that attackers are distributing malware at an unprecedented rate to take advantage of legitimate remote control programs like TeamViewer or RMS to access a victim’s computer and do bad things.
Cybercriminals have long targeted big firms in diverse industries through individuals since the turn of the previous year, and the ongoing malware campaign seems to be a continuation of their nefarious activities.
- In most cases, we found out that the primary goal of the perpetrators is to steal money or information from the targeted organization after they have successfully compromised restrictions or security with the help of the remote administration software.
- More disturbing is the realization that the attackers have been coming up with several techniques immune to some detection setups in their host system. Subsequently, once the malware arrives on a PC and settles down, the attacker becomes able to peruse through the computer to find purchase documents and similar items or information that will prove beneficial to their activities.
- As expected, after the criminals have obtained as many details as they need, they move on to commit financial fraud in any form. For example, they might attempt to make payment online for various items by spoofing the bank details of their victims.
- The volume or scale of the attacks has ensured that companies or even several divisions in a single organization fall victims to them. Here, we are referring to firms or departments that have something to do with the following fields: Manufacturing; Oil and gas; Metallurgy; Engineering; Energy; Construction; Mining; Logistics.
- If we tried to be less economical with the details, we would say that post-exploitation techniques involving privilege escalation or access to local administrator privileges are often in play. Such acts are usually followed up by the theft of user authentication data for financial software and services.
Attackers often pack the malware they deploy with the following:
- Extensive spyware capabilities to aggressively monitor the operations carried out by their victims or the activities they are involved in.
- Other remote organization utilities that typically expand their control of compromised systems.
- Copies or other bits of itself to exploit the operating system further using selected or known security vulnerabilities.
Attacker’s mode of operation involving TeamViewer and RMS (Remote Manipulator System)
- We would like to assume that you are familiar with how attackers go about spreading malware through phishing. They launch an email campaign with an attachment or a disguised link and send it to as many users as possible. They often expect that a small pool of individuals will click on the attachment to open and run it or open the webpage to follow up.
- We recently noticed that the malware used in such attacks often appears as if it is a legitimate remote administration software like TeamViewer or RMS. Users, unsuspecting of its pure form or intentions, install it on their devices and grant it full power or privileges.
- Once the infected file has landed on its host’s PC, things take off swiftly. To order the malware into action, the attackers move to employ special techniques which depend on what kind of PC has fallen victim, the mode of contamination, and other variables. Sometimes they poison the operating system directly or create unique scripts for the Windows command interpreter.
- In the case of the technique involving the Windows command interpreter, the script acts to copy malicious files into the computer. It also launches the legitimate Remote Manipulator System/Remote Utilities (RMS) software. Attackers use such tools, anyway, to control the infected system. Finally, after it completes the job it was created for, the script deletes itself automatically.
- A similar sequence of events occurs when the attack involves the TeamViewer program in place of RMS. We took note of some differences, though, however few they might be in number. For example, attackers use TeamViewer directly to transfer the stolen data here, but Email remains the preferred mode of sending data in cases that have something to do with RMS.
- When the hacking operations involve RMS, the malware itself launches the RMS app and uses this opportunity to load DLL files required for some of the program’s activities. If it succeeds with this act, then it is likely to control the victim’s printer. Invariably, it loads enough Dynamic-Link Library files insecurely for us to consider the entire process a DLL hijacking attack.
In case you are yet to notice, if the attackers successfully modify the executable files for the remote administration tools, they gain enough powers, privileges, rights or permissions to execute just one or a number of the following operations:
- Remote control or managing of the affected computer which provides the background or setup for the vast majority of their nefarious activities.
- Transfer of data or information to the infected PC and away from it.
- Control or manipulation of the power supply on the victim’s computer or infected network.
- Remote access and control of the processes of applications that are running.
- Access to shell or command line tools.
- Ability to capture screenshots of the screen of the affected computer or record videos of its state.
- Extensive control of hardware components connected to the affected computer. For example, the attackers might be able to record audio or video from a peripheral like an external microphone or camera.
- Access and control of the system registry of the affected device.
The list we provided is not an extensive one by any definition. A very skilled attacker might manage to obtain an unprecedented volume of data or exert an incredible level of control on a computer. There is a common theme associated with most attackers though.
- The attackers almost always share the names or credentials of the machines they compromised, the username of their victims, the RMS machine’s Internet ID, and so on with themselves or on the web. They often decrypt the stated classes of information from the configuration files they are capable of accessing, and most times, their preferred means of communication is via email.
- Security experts and researchers have investigated the course of action of the malware in view. One important thing they took note of is the fact that some Windows APIs themselves might be culpable in allowing the attackers to hide TeamViewer from Windows detection schemes.
- Similarly, some malware files receive protection against detection, and unfortunately, this setup allows them to control TeamViewer startup parameters to their advantage.
We have come to observe the behavior of malware after they launch the configuration files. The following details or parameters are often crucial:
- The password or credentials required to exert control over the affected system remotely.
- The URL or web address leading to the command-and-control server the attackers employ.
- Specific parameters of the service under which they plan to install TeamViewer.
- The User-Agent field of the HTTP header applied in requests transferred between the system and the command-and-control server
- The VPN parameters or settings for TeamViewer and many others.
Is TeamViewer safe to use?
Yes, TeamViewer is safe to use.
Is TeamViewer secure?
This question is relatively difficult to answer. We could say yes it is secure because, in theory, you can beef up the protection on it. However, we believe that its default settings are relatively insecure when compared to the competition it faces because the program favors ease of use and this preference comes with its own downsides.
It has enough history littered with problems though. For example, in 2016, many users complained of their computers being compromised through the TeamViewer application although it was mostly their fault. Towards the end of 2017, a severe vulnerability was identified in the TeamViewer program. Its developers were forced to issue an emergency fix for it.
Currently, we would like to assume that there are no security holes in the TeamViewer app. Nevertheless, attackers are still capable of compromising devices if their users do not have the right settings in place. To be fair, if we consider the reports of users targeted by attackers, it is easy to see that the victims were using an unsecured app.
Can hackers attack me through RMS?
Yes, they can if your security is lax enough for them to get through. For example, if the attackers successfully compromise your user account due to a weak password, then they will gain access to your system. On the other hand, if you protective setup is in order, then it is highly unlikely that you will become a victim of attacks.
How to improve security when using TeamViewer?
We already established that TeamViewer does not employ strong forms of security by default since it does not want the average user to navigate through stringent security procedures or measures which may affect the usability or accessibility of its app. In reality, there is no shortage of security options.
- You can toggle on some features or functionalities or even tweak them to suit your taste, and this way, you will transform the TeamViewer set-up with lax security to one that is close to impenetrable. We will show you how to do this soon enough.
- You need to take note of a few things before you start playing with the parameters available. The first thing is that you have no obligation to use or employ every option or functionality that we suggest. Remember that we have limited knowledge about you or the things you do on your device, so only you can know what is best for you.
- We recommend that you balance your needs or workflow against the changes you make to avoid complications. For example,if you often use the TeamViewer app to connect to your own computer that is unattended to, then you must avoid turning off the feature that requires a user at the computer to accept the incoming TeamViewer request.
- One last thing. Depending on who installed TeamViewer for you or the means by which it ended up on the device you use, you might have to contact the individual or people that were involved in the first place. You might have hired a tech support firm to help you do the job, or a friend who troubleshoots and maintains your computer might have assisted. They need to know about the changes.
Now, here is the list of things you must do to improve the security on TeamViewer:
- Close the TeamViewer application when you are not using it and open it only when you need it.
- Use a strong password. We cannot overemphasize the importance of this tip
- Enable two-factor authentication. This setup significantly increases the security for login credentials.
- Set the TeamViewer app to update itself automatically. This way, you get to do away with the risks associated with the running of old or outdated apps. The version of the program on your device becomes far less likely to have security vulnerabilities or holes.
- Turn off automatic startup and account assignment.
If you applied all the recommendations above, then you have already taken the simple protection on the TeamViewer app several levels up. We believe that most people will be comfortable with this. However, if your work with TeamViewer demands even greater security capabilities albeit restrictive ones, then you can continue with the list below:
- New parameters for the security section or menu: No Easy Access, Strong Passwords, and Whitelists.
- Advanced Options: you must set stricter controls for the Remote Access Functionalities.
We have come to the end of this guide. No doubt we have improved your awareness of threats and the issues at hand. We recommend that you download and run Auslogics Anti-Malware to enhance your computer’s security.
The knowledge you recently acquired will not mean anything if attackers manage to compromise your PC through other means, especially through those methods we did not have time to mention here. The fight against threats is an incredibly difficult job, and an extra line of defense to be provided by the recommended program is always welcome.