Hackers use legit remote IT support tool in spy attack

Hackers have been discovered using a tampered-with version of a legitimate remote access tool to target activists, industrial, research and diplomatic targets.

Hungary-based security firm CrySys Lab discovered an attack on diplomatic targets in Hungary which installs legitimate software first, but then remotely alters the program to enable it spy on victims.

The ongoing campaign uses a legitimate software package from a German vendor that offers remote control, file transfer and other administrative tools for Apple, Windows, Linux, iOS and Android.

Kaspersky Lab has provided its own detailed analysis (PDF) of the "TeamSpy crew" behind the attack, which it says has been in operation since 2008, and has hit a variety of targets, ranging from activists and political figures to heavy industry and national information agencies.

"The attackers control the victim's computers remotely by using [a] legal remote administration tool," Kaspersky Lab explains in its own analysis of the surveillance kit.

"This application is signed with legitimate digital certificates and is used by more than 100 million users around the world. To avoid alerting the user that somebody is spying on him, the attackers dynamically patch [the program] in memory to remove all signs of its presence."

CrySys' report states that targets include a high-profile victim in Hungary, multiple victims in Iran, and the Ministry of Foreign Affairs of Uzbekistan. The company said it was asked to investigate the malware by the Hungarian National Security Authority (NBF).

Kaspersky also points to claims the malware was used in attacks on Belarusian pro-democracy activists last year. Charter 97, a pro-human rights news site in Belarus, labelled the malware "the KGB virus", however Kaspersky said it was unclear if there was any connection between these attacks and the "TeamSpy crew", given that the exploits used have been commercially available for some time.

The malware searches for multiple document formats, disk images and file names that suggest they contain passwords or encryption keys.

Kaspersky's analysis focussed on two TeamSpy command and control servers at "politnews.org" and "bannetwork.org", which contain scripting that suggest the attackers were Russian-speaking. Two other domain names "bulbanews.org" and "kartopla.org" have special significance to Russian-speakers.

"The words "bulba" and "kartopla" are written in Latin-Belarusian and Latin-Ukrainian, both words mean "a potato". Interestingly, among ex-USSR countries, Belarusians are jokingly called "bulbashi" which means "potato people" due to the popularity of this vegetable in local agriculture," Kaspersky notes in the report.

The domains were registered in 2004 and since 2010 have been hosted at Russian provider Host Telecom.

Kaspersky notes that the operation nets victims primarily via "watering hole" attacks, which place Java, PDF exploits and the Eleonore Exploit Pack on sites likely to be visited by intended targets.

The TeamSpy servers are also using 'ReaderRSSPhp 1.0', a Russian open source tool designed to read and display RSS feeds, to provide news aggregation channels serving content relevant to their victims' favourite websites, according to Kaspersky.