Hackers use legit remote IT support tool in spy attack

Summary: A useful admin tool becomes a spy's best friend.

TOPICS: Security, EU

Hackers have been discovered using a tampered-with version of a legitimate remote access tool to target activists, industrial, research and diplomatic targets.

Hungary-based security firm CrySys Lab discovered an attack on diplomatic targets in Hungary which first installs legitimate software, then remotely alters the running program so that it can spy on victims.

The ongoing campaign uses a legitimate software package from a German vendor that offers remote control, file transfer and other administrative tools for Apple, Windows, Linux, iOS and Android.

Kaspersky Lab has provided its own detailed analysis (PDF) of the "TeamSpy crew" behind the attack, which it says has been in operation since 2008, and has hit a variety of targets, ranging from activists and political figures to heavy industry and national information agencies.

"The attackers control the victim's computers remotely by using [a] legal remote administration tool," Kaspersky Lab explains in its own analysis of the surveillance kit.

"This application is signed with legitimate digital certificates and is used by more than 100 million users around the world. To avoid alerting the user that somebody is spying on him, the attackers dynamically patch [the program] in memory to remove all signs of its presence."
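The in-memory patching described above leaves the signed file on disk untouched, so a file-signature check alone will not catch it; the forensic counter is to compare a module's code section as loaded in memory against the same section from the on-disk image. The following is an added example, not code from the report or from any vendor: it implements that comparison on constructed byte strings standing in for a code section, and ignores relocation fixup slots so a legitimately rebased module does not produce false findings.

```python
"""Report byte ranges where a module's in-memory code differs from the
on-disk image, skipping relocation slots the loader is allowed to rewrite.
All inputs here are constructed sample bytes, not a real PE."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Diff:
    start: int      # offset into the section
    length: int
    disk: bytes
    memory: bytes


def find_patches(disk: bytes, memory: bytes, reloc_offsets=(), reloc_size=4):
    """Return Diffs for every run of bytes where memory != disk.

    reloc_offsets: section offsets of relocation fixups (e.g. from the
    image's .reloc table); bytes inside those slots are ignored because
    the loader legitimately rewrites them when the image is rebased.
    """
    if len(disk) != len(memory):
        raise ValueError("section length mismatch")
    ignore = set()
    for off in reloc_offsets:
        ignore.update(range(off, off + reloc_size))
    diffs, start = [], None
    for i, (d, m) in enumerate(zip(disk, memory)):
        changed = d != m and i not in ignore
        if changed and start is None:
            start = i
        elif not changed and start is not None:
            diffs.append(Diff(start, i - start, disk[start:i], memory[start:i]))
            start = None
    if start is not None:
        diffs.append(Diff(start, len(disk) - start, disk[start:], memory[start:]))
    return diffs


# Constructed sample: 64 bytes standing in for a code section.
DISK_TEXT = bytes(range(64))
_mem = bytearray(DISK_TEXT)
_mem[16:21] = b"\xe9\x00\x10\x00\x00"   # constructed inline JMP hook at +0x10
_mem[48:52] = b"\x00\x00\x40\x00"       # constructed benign relocation fixup at +0x30
MEM_TEXT = bytes(_mem)
RELOCS = (48,)


def demo():
    """Run the comparison on the constructed sample; only the hook remains."""
    return find_patches(DISK_TEXT, MEM_TEXT, RELOCS)


if __name__ == "__main__":
    for d in demo():
        print(f"modified +0x{d.start:x} ({d.length} bytes): {d.disk.hex()} -> {d.memory.hex()}")
```

On a live system the two inputs would come from the process's mapped image and the signed file on disk; a hit in the code section of a tool like the one described is the indicator worth escalating.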

CrySys' report states that targets include a high-profile victim in Hungary, multiple victims in Iran, and the Ministry of Foreign Affairs of Uzbekistan. The company said it was asked to investigate the malware by the Hungarian National Security Authority (NBF).

Kaspersky also points to claims that the malware was used in attacks on Belarusian pro-democracy activists last year. Charter 97, a pro-human rights news site in Belarus, labelled the malware "the KGB virus"; however, Kaspersky said it was unclear whether there was any connection between those attacks and the "TeamSpy crew", given that the exploits used have been commercially available for some time.

The malware searches for multiple document formats, disk images and file names that suggest they contain passwords or encryption keys.

Kaspersky's analysis focused on two TeamSpy command and control servers at "politnews.org" and "bannetwork.org", which contain scripting that suggests the attackers were Russian-speaking. Two other domain names, "bulbanews.org" and "kartopla.org", have special significance to Russian speakers.

"The words 'bulba' and 'kartopla' are written in Latin-Belarusian and Latin-Ukrainian; both words mean 'a potato'. Interestingly, among ex-USSR countries, Belarusians are jokingly called 'bulbashi', which means 'potato people', due to the popularity of this vegetable in local agriculture," Kaspersky notes in the report.

The domains were registered in 2004 and since 2010 have been hosted at Russian provider Host Telecom.

Kaspersky notes that the operation nets victims primarily via "watering hole" attacks, which place Java and PDF exploits and the Eleonore Exploit Pack on sites likely to be visited by the intended targets.

The TeamSpy servers are also using 'ReaderRSSPhp 1.0', a Russian open source tool designed to read and display RSS feeds, to provide news aggregation channels serving content relevant to their victims' favourite websites, according to Kaspersky.

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

  • Hmmm....

    This is the second time I've seen a commonly used remote access tool be used by hackers (the first I personally came across was a LogMeIn account left on a server). This hack of TeamViewer is especially annoying to me since I was leaning towards their "Quicksupport" version, which doesn't need to get installed, as a possible safe method for this type of remote access. It's unclear if that version of the program can be compromised this way since it generates random access codes every time it runs, but I suppose a screen-reading, Captcha-breaking type virus component could easily defeat that.

    I have to wonder if any centralized remote access program like LogMeIn, WebEx, TeamViewer, etc., can be exploited this way.....
  • Remote Assistance

    I used to use the LogMeIn service. It was good when I was mobile and needed to provide support. It worked great on the GSM phone, because I could also talk with the client at the same time.

    Over time I realized that it would only be a matter of time for this to be exploited. So I switched to Microsoft's built-in "Remote Assistance" and it works great.
    Brendon Jarrett