In a recent report, Huntress revealed that cybercriminals are once again abusing TeamViewer, a legitimate remote access tool, to gain initial access to corporate devices and attempt to deploy ransomware encryptors.
This is not the first time large-scale abuse of TeamViewer by attackers has been observed. In March 2016, attackers used it to deploy the Surprise ransomware, prompting TeamViewer representatives to assure the public that the unauthorized access had been made possible by leaked user credentials, not by a vulnerability in the remote access program itself.
At the time, the vendor explained that because TeamViewer is so widely used, many people online take credentials compromised elsewhere and try them against TeamViewer to find out whether an account with the same credentials exists (credential stuffing).
Returning to the current campaign: in the attack observed by Huntress, the attackers gained access to the target system through TeamViewer and attempted to deploy a malicious payload using a batch file, Pp.bat, which launched a malicious DLL via the rundll32.exe command.
While the specific attack examined by the experts was unsuccessful, the traces left behind by the attackers and by the antivirus software provided enough "bread crumbs" for further investigation.
Huntress was unable to determine which extortion group was behind these attacks, but the encryptors were identified as LockBit samples created with the LockBit Black builder from September 2022.
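The process chain described above (a TeamViewer session spawning a batch file, which in turn runs rundll32.exe against a DLL) is exactly the kind of "bread crumb" that endpoint process-creation telemetry can surface. The following detection logic is an added example written for this article, not code from Huntress or TeamViewer. The process names in REMOTE_ACCESS_IMAGES, the file paths, the DLL export name and every log event below are constructed sample data, not artifacts from the report.

```python
"""Flag rundll32.exe DLL loads launched from a batch file, with extra weight
when a remote-access tool (TeamViewer) sits in the process ancestry.

Events are modelled on Sysmon Event ID 1 / Windows 4688 process-creation
records, trimmed to the four fields the rule needs. All sample data is
constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable basename, e.g. "rundll32.exe" (case-insensitive)
    cmdline: str


@dataclass
class Finding:
    pid: int
    severity: str       # "high": remote-access tool in ancestry; "medium": batch -> rundll32 only
    chain: List[str]    # process images from the flagged process up to its root ancestor


# Assumed TeamViewer process names for this example; extend with whatever
# remote-access tooling is legitimately deployed in your environment.
REMOTE_ACCESS_IMAGES = {"teamviewer.exe", "teamviewer_desktop.exe"}


def build_index(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def lineage(event: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 32) -> List[str]:
    """Walk the parent chain, stopping on a missing parent, a PID-reuse loop,
    or an unreasonable depth so malformed telemetry cannot hang the rule."""
    chain: List[str] = []
    seen = set()
    cur: Optional[ProcEvent] = event
    while cur is not None and cur.pid not in seen and len(chain) < max_depth:
        seen.add(cur.pid)
        chain.append(cur.image.lower())
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: List[ProcEvent]) -> List[Finding]:
    by_pid = build_index(events)
    findings: List[Finding] = []
    for ev in events:
        # Only rundll32 invocations that actually reference a DLL on the command line.
        if ev.image.lower() != "rundll32.exe" or ".dll" not in ev.cmdline.lower():
            continue
        parent = by_pid.get(ev.ppid)
        # The reported chain: cmd.exe interpreting a .bat file spawns rundll32.
        if parent is None or parent.image.lower() != "cmd.exe" or ".bat" not in parent.cmdline.lower():
            continue
        chain = lineage(ev, by_pid)
        severity = "high" if any(img in REMOTE_ACCESS_IMAGES for img in chain) else "medium"
        findings.append(Finding(ev.pid, severity, chain))
    return findings


# Constructed sample telemetry: one chain matching the article, one benign
# rundll32 use from explorer.exe, and one batch-driven rundll32 with no
# remote-access ancestor.
SAMPLE_EVENTS = [
    ProcEvent(400, 1, "TeamViewer.exe", r"C:\Program Files\TeamViewer\TeamViewer.exe"),
    ProcEvent(410, 400, "TeamViewer_Desktop.exe", r"C:\Program Files\TeamViewer\TeamViewer_Desktop.exe"),
    ProcEvent(420, 410, "cmd.exe", r'cmd.exe /c "C:\Users\Public\PP.bat"'),          # constructed path
    ProcEvent(430, 420, "rundll32.exe", r"rundll32.exe C:\Users\Public\payload.dll,Run"),  # constructed
    ProcEvent(500, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(510, 500, "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),     # normal OS use
    ProcEvent(600, 1, "cmd.exe", r"cmd.exe /c C:\scripts\backup.bat"),
    ProcEvent(610, 600, "rundll32.exe", r"rundll32.exe C:\tools\helper.dll,Init"),
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} chain={' <- '.join(f.chain)}")
```

Running the block prints one high-severity finding for the TeamViewer chain and one medium-severity finding for the plain batch-driven load, while the explorer.exe-spawned rundll32 is ignored. In production the same logic maps onto a SIEM query over parent/child process fields; the two-tier severity keeps the noisier batch-only pattern reviewable without burying the remote-access case.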
Although it remains unclear how the attackers gained control of the TeamViewer instances this time, the company's representatives stressed adherence to basic cybersecurity principles to defend against such attacks: strong, unique passwords, two-factor authentication, allow lists of permitted connections, and regular software updates. These measures are crucial in preventing unauthorized access and protecting company networks from compromise.