Ransomware actors are once again using TeamViewer to gain initial access to organization endpoints and attempt to deploy encryptors based on the leaked LockBit ransomware builder.
TeamViewer is a legitimate remote access tool used extensively in the enterprise world, valued for its simplicity and capabilities.
Unfortunately, the tool is also cherished by scammers and even ransomware actors, who use it to gain access to remote desktops, dropping and executing malicious files unhindered.
A similar case was first reported in March 2016, when numerous victims confirmed in the BleepingComputer forums that their devices had been breached using TeamViewer to encrypt files with the Surprise ransomware.
“As TeamViewer is widely spread software, many online criminals attempt to log on with the data of compromised accounts, in order to find out whether there is a corresponding TeamViewer account with the same credentials,” the software vendor explained at the time.
“If this is the case, chances are high they can access all assigned devices, in order to install malware or ransomware.”
TeamViewer targeted again
A new report from Huntress reveals that cybercriminals have not abandoned these old techniques and are still taking over devices via TeamViewer to try to deploy ransomware.
The analyzed log file (connections_incoming.txt) showed connections from the same source in both cases, indicating a common attacker.
On the first compromised endpoint, Huntress observed multiple accesses by employees in the logs, indicating that the software was actively used by staff for legitimate administrative tasks.
On the second endpoint seen by Huntress, which has been running since 2018, there had been no activity in the logs for the past three months, indicating that it was less frequently monitored and possibly making it more attractive to the attackers.
In both cases, the attackers attempted to deploy the ransomware payload using a DOS batch file (PP.bat) placed on the desktop, which executed a DLL file (the payload) via a rundll32.exe command.
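The two artifacts named above, the TeamViewer connections_incoming.txt log and a rundll32.exe launch of a DLL from the desktop, are the places a defender would start triage. The following is an added example written for this article, not code from Huntress or BleepingComputer. The log layout it assumes (tab-separated: remote TeamViewer ID, remote display name, session start, session end, local user, connection type, connection GUID) follows TeamViewer's usual format but is an assumption, and every ID, hostname, user, path and timestamp below is constructed sample data. It flags remote IDs that are not on an allowlist, sessions that follow a long quiet period (the second endpoint's pattern), and rundll32 command lines that load a DLL from outside the Windows directory.

```python
"""Triage helpers for TeamViewer's connections_incoming.txt and for
rundll32.exe process-creation records (added example, not the article's code).

Assumed log layout (tab-separated): remote TeamViewer ID, remote display name,
start, end, local user, connection type, connection GUID. All sample values
are constructed.
"""
import re
from datetime import datetime, timedelta

TS_FORMAT = "%d-%m-%Y %H:%M:%S"

# Constructed sample log: two sessions from a known helpdesk ID, then more than
# three months of silence, then a night-time session from an unknown ID.
SAMPLE_LOG = (
    "111222333\tHELPDESK-PC\t02-10-2023 09:12:41\t02-10-2023 09:40:03\tjdoe\tRemoteControl\t{aaaa-1}\n"
    "111222333\tHELPDESK-PC\t10-10-2023 14:05:10\t10-10-2023 14:22:55\tjdoe\tRemoteControl\t{aaaa-2}\n"
    "999888777\tUNKNOWN-HOST\t17-01-2024 03:14:02\t17-01-2024 03:51:49\tjdoe\tRemoteControl\t{bbbb-1}\n"
    "garbage line without enough fields\n"
)

# Remote TeamViewer IDs expected to reach this endpoint (constructed allowlist).
KNOWN_REMOTE_IDS = {"111222333"}


def parse_connections(text):
    """Parse connections_incoming.txt lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 7:
            continue
        remote_id, remote_name, start, end, local_user, conn_type, conn_id = parts[:7]
        try:
            start_dt = datetime.strptime(start, TS_FORMAT)
            end_dt = datetime.strptime(end, TS_FORMAT)
        except ValueError:
            continue
        events.append({
            "remote_id": remote_id, "remote_name": remote_name,
            "start": start_dt, "end": end_dt, "local_user": local_user,
            "type": conn_type, "conn_id": conn_id,
        })
    return events


def flag_sessions(events, known_ids, dormant_days=90):
    """Return (unknown_ids, after_dormancy).

    unknown_ids: remote IDs not on the allowlist (a new source reaching the box).
    after_dormancy: connection GUIDs of sessions that follow a gap longer than
    dormant_days since the previous session, i.e. a rarely watched endpoint that
    suddenly sees use.
    """
    unknown_ids = sorted({e["remote_id"] for e in events if e["remote_id"] not in known_ids})
    ordered = sorted(events, key=lambda e: e["start"])
    after_dormancy = [
        cur["conn_id"]
        for prev, cur in zip(ordered, ordered[1:])
        if cur["start"] - prev["end"] > timedelta(days=dormant_days)
    ]
    return unknown_ids, after_dormancy


# Constructed process-creation records (parent image, command line), in the
# shape Sysmon Event ID 1 or EDR telemetry would supply them.
SAMPLE_PROCESSES = [
    ("C:\\Windows\\System32\\cmd.exe",
     'rundll32.exe "C:\\Users\\jdoe\\Desktop\\payload.dll",EntryPoint'),
    ("C:\\Windows\\explorer.exe",
     "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"),
    ("C:\\Windows\\System32\\cmd.exe", "ipconfig /all"),
]

# First argument of rundll32: an optionally quoted path ending in .dll.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?', re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\",)


def suspicious_rundll32(records):
    """Return command lines where rundll32 loads a DLL from outside the Windows
    directory (a user's Desktop, for instance), the shape of the PP.bat case."""
    hits = []
    for _parent, cmdline in records:
        m = RUNDLL_RE.search(cmdline)
        if not m:
            continue
        if not m.group(1).lower().startswith(SYSTEM_DIRS):
            hits.append(cmdline)
    return hits


if __name__ == "__main__":
    events = parse_connections(SAMPLE_LOG)
    unknown, dormant = flag_sessions(events, KNOWN_REMOTE_IDS)
    print("unknown remote IDs:", unknown)
    print("sessions after >90 days of silence:", dormant)
    print("rundll32 loading non-system DLLs:", suspicious_rundll32(SAMPLE_PROCESSES))
```

On a real endpoint the log is read from TeamViewer's installation or roaming data directory and the allowlist comes from the organization's inventory of helpdesk IDs; the dormancy check is what would have surfaced the second endpoint's three-month gap before the payload ran.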

Source: BleepingComputer
The attack on the first endpoint succeeded but was contained. On the second, the antivirus product stopped the effort, forcing repeated payload execution attempts that had no success.
While Huntress has not been able to attribute the attacks with certainty to any known ransomware gang, they note that the payload is similar to LockBit encryptors created using the leaked LockBit Black builder.
In 2022, the ransomware builder for LockBit 3.0 was leaked, with the Bl00dy and Buhti gangs quickly launching their own campaigns using the builder.
The leaked builder allows you to create different versions of the encryptor, including an executable, a DLL, and an encrypted DLL that requires a password to launch correctly.

Source: BleepingComputer
Based on the IOCs provided by Huntress, the attacks via TeamViewer appear to be using the password-protected LockBit 3 DLL.
While BleepingComputer could not find the specific sample seen by Huntress, we found a different sample uploaded to VirusTotal last week.
This sample is detected as LockBit Black but does not use the standard LockBit 3.0 ransom note, indicating it was created by another ransomware gang using the leaked builder.

Source: BleepingComputer
While it is unclear how the threat actors are now taking control of TeamViewer instances, the company shared the following statement with BleepingComputer regarding the attacks and on securing installations.
“At TeamViewer, we take the security and integrity of our platform extremely seriously and unequivocally condemn any form of malicious use of our software.
To further support our users in maintaining secure operations, we have published a set of best practices for secure unattended access, which can be found at (Best practices for secure unattended access – TeamViewer Support). We strongly encourage all our users to follow these guidelines to enhance their security posture.
