Hackers use legit remote IT support tool in spy attack

Summary: A useful admin tool becomes a spy's best friend.

Hackers have been discovered abusing a legitimate remote access tool, patched in memory to hide its presence, to target activists and industrial, research and diplomatic organisations.

Hungary-based security firm CrySys Lab discovered an attack on diplomatic targets in Hungary which first installs the legitimate software, then remotely alters the running program to enable it to spy on victims.

The ongoing campaign uses a legitimate software package from a German vendor that offers remote control, file transfer and other administrative tools for Apple, Windows, Linux, iOS and Android.

Kaspersky Lab has provided its own detailed analysis (PDF) of the "TeamSpy crew" behind the attack, which it says has been in operation since 2008, and has hit a variety of targets, ranging from activists and political figures to heavy industry and national information agencies.

"The attackers control the victim's computers remotely by using [a] legal remote administration tool," Kaspersky Lab explains in its own analysis of the surveillance kit.

"This application is signed with legitimate digital certificates and is used by more than 100 million users around the world. To avoid alerting the user that somebody is spying on him, the attackers dynamically patch [the program] in memory to remove all signs of its presence."
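The point of the quoted technique is that the file on disk stays pristine, so a signature or hash check of the executable passes while the code actually running has been altered. The defender's counter is to compare the code section as mapped in a process against the same section of the signed file on disk, which is what memory-forensics tooling does when it looks for hollowed or patched images. The following is an added illustration, not code from Kaspersky, CrySys or the vendor of the tool: the 64-byte "code section", the two-byte patch and the relocation fixup are all constructed, and the SHA-256 digest stands in for a real Authenticode signature. On a live Windows host the two buffers would come from reading the file and from reading the process's mapped image, and the fixup list from the PE's relocation table.

```python
# Added example (constructed data): detecting an in-memory patch to a signed binary.
import hashlib
from typing import Iterable, List, Tuple


def find_patched_ranges(disk_section: bytes, mem_section: bytes,
                        relocation_fixups: Iterable[Tuple[int, int]] = ()) -> List[Tuple[int, int]]:
    """
    Compare a code section as stored on disk with the same section as mapped in a
    process. Returns [(offset, length), ...] for every run of bytes that differs,
    skipping bytes the loader legitimately rewrites (relocation fixups given as
    (offset, length)). Any run left over is a candidate in-memory patch.
    """
    if len(disk_section) != len(mem_section):
        raise ValueError("sections must be the same size; compare one section's mapped size")
    ignored = set()
    for off, length in relocation_fixups:
        ignored.update(range(off, off + length))
    ranges: List[Tuple[int, int]] = []
    start = None
    for i in range(len(disk_section)):
        differs = i not in ignored and disk_section[i] != mem_section[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, len(disk_section) - start))
    return ranges


def file_signature_ok(disk_section: bytes, expected_digest: str) -> bool:
    """Stand-in for an Authenticode check: the signature only covers the bytes on disk."""
    return hashlib.sha256(disk_section).hexdigest() == expected_digest


# Constructed sample "code section" (64 bytes). Offset 0x10 holds a conditional jump
# (0x74 = jz) that in this toy guards the code drawing the tool's on-screen presence;
# offset 0x30 holds a 4-byte absolute address the loader rewrites under ASLR (benign).
DISK_SECTION = bytes([
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56, 0x57, 0x33, 0xC0, 0x85, 0xC9, 0x90, 0x90, 0x90,
    0x74, 0x08, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x00, 0x10, 0x40, 0x00, 0x5F, 0x5E, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0x90, 0x90, 0x90, 0x90, 0x90,
])
_mem = bytearray(DISK_SECTION)
_mem[0x30:0x34] = bytes([0x00, 0x10, 0xA7, 0x01])  # rewritten by the loader (relocation)
_mem[0x10:0x12] = bytes([0x90, 0x90])               # the attacker's patch: jz -> nop nop
MEM_SECTION = bytes(_mem)
RELOCATIONS = [(0x30, 4)]                            # would come from the PE .reloc table
SIGNED_DIGEST = hashlib.sha256(DISK_SECTION).hexdigest()  # "publisher's" digest of disk bytes


def triage() -> dict:
    """The on-disk file verifies, yet memory carries a 2-byte patch at 0x10."""
    return {
        "file_signature_ok": file_signature_ok(DISK_SECTION, SIGNED_DIGEST),
        "patched_ranges": find_patched_ranges(DISK_SECTION, MEM_SECTION, RELOCATIONS),
    }


if __name__ == "__main__":
    print(triage())
```

Without the fixup list the relocated address at 0x32 would also be reported, so in practice the comparison has to mask relocations and import-address-table entries, or the check drowns in benign differences. A two-byte patch on a conditional branch inside a signed, widely deployed binary is exactly the kind of finding that a file-hash or certificate check alone will never surface.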

CrySys' report states that targets include a high-profile victim in Hungary, multiple victims in Iran, and the Ministry of Foreign Affairs of Uzbekistan. The company said it was asked to investigate the malware by the Hungarian National Security Authority (NBF).

Kaspersky also points to claims that the malware was used in attacks on Belarusian pro-democracy activists last year. Charter 97, a pro-human-rights news site in Belarus, labelled the malware "the KGB virus"; however, Kaspersky said it was unclear whether there was any connection between those attacks and the "TeamSpy crew", given that the exploits used have been commercially available for some time.

The malware searches for multiple document formats, disk images and file names that suggest they contain passwords or encryption keys.

Kaspersky's analysis focussed on two TeamSpy command-and-control servers at "politnews.org" and "bannetwork.org", which contain scripting that suggests the attackers were Russian-speaking. Two other domain names, "bulbanews.org" and "kartopla.org", have special significance to Russian-speakers.

"The words 'bulba' and 'kartopla' are written in Latin-Belarusian and Latin-Ukrainian; both words mean 'a potato'. Interestingly, among ex-USSR countries, Belarusians are jokingly called 'bulbashi', which means 'potato people', due to the popularity of this vegetable in local agriculture," Kaspersky notes in the report.

The domains were registered in 2004 and since 2010 have been hosted at Russian provider Host Telecom.

Kaspersky notes that the operation nets victims primarily via "watering hole" attacks, which place Java and PDF exploits, and the Eleonore Exploit Pack, on sites likely to be visited by intended targets.

The TeamSpy servers are also using 'ReaderRSSPhp 1.0', a Russian open source tool designed to read and display RSS feeds, to provide news aggregation channels serving content relevant to their victims' favourite websites, according to Kaspersky.

Topics: Security, EU

About

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, s...
