Value 1 = to_uppercase(crc32( HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid)) The environment hash is computed as an MD5 hash of string created by concatenating the following five values:
The C&C communication thread regularly makes a GET request to /?id=&stat=. This window is not shown at all as an effect of hooking FindWindow, RegisterClass, and ShowWindow.įinally, we will analyze the two threads. It is important to note the nine-digit number (captured by the hook of RegSetValueKeyEx) and the four-digit number (overridden by the registry setting set by the hook of GetCommandLine). When the RAT is run normally and is not hijacked by malware, a window like the screenshot shown in Figure 17 will appear. The important hook functions of the decrypted function
#Teamviewer previous versions password#
Sets command-line parameters to start the RAT as a hidden process in the background, sets the connection password stored in registry to a known fixed password, and starts a thread responsible for killing task manager and process explorer It then starts two threads, a C&C communication thread and an idleness monitoring thread.Įnsures that the RAT’s window is not shownĭisables the log file that the RAT creates by default The following table shows the important hooked functions and their effects on the RAT:Ĭhanges the registry using the RAT configuration from \ast\SS to \ast\SS1Įxtracts the RAT’s ID when it is saved to the registry. The first decrypted function is responsible for resolving the API function addresses, while the second decrypted function is responsible for hooking various functions and altering the default behavior of the RAT. From this URL address, the domain part is used as a key for another decryption - this time the decryption of part of the DLL’s executable code, since a part of the DLL is a self-modifying code. Otherwise, if the value of the first byte in the config file is 0x00, it means that the config file is encrypted with a key derived from the SOFTWARE\Microsoft\Cryptography\MachineGuid value.ġ) The CRC32 checksum of the input (.bmp file) is computed.Ģ) The checksum is converted to a hexadecimal string (eight characters), and all characters are converted to uppercase.Ĥ) The hexadecimal string representation of the hash (32 characters) is used as the RC4 password to decrypt the config file.Īfter decryption, the configuration file contains the URL address of the command-and-control (C&C) server. If its value is 0x01, it means that the malware runs for the first time and the config file is encrypted with a key derived from the bitmap file. Initially, the first byte of the config file is checked. The DLL is responsible for decrypting the config file. Figures 1 to 4 are some examples of these fake websites.
The dropper poses as a fake cryptocurrency wallet, miner, or surfing plug-in. The malware dropper of SpyAgent is distributed via fake cryptocurrency-related websites that are usually in the Russian language. The malware sets the access password to a fixed one, so that merely knowing the RAT’s ID is enough for the attacker to successfully connect to the infected machine. The malicious DLL then begins reporting the RAT’s ID, which the malware operator needs to connect to and control the infected machine.
#Teamviewer previous versions windows#
This results in the RAT windows being hidden from a user. This DLL hooks and patches various API functions called by the RAT. This involves the exploit of a DLL sideloading vulnerability, which causes a malicious DLL to load. We’ve observed a new cryptocurrency related campaign that abuses a legitimate Russian RAT known as Safib Assistant via a newer version of the malware called SpyAgent. While previous versions of the malware have been covered by other researchers, our blog entry focuses on the malicious actor’s latest attacks.
We have been tracking a campaign involving the SpyAgent malware that abuses well-known remote access tools (RATs) - namely TeamViewer - for some time now.