March 25, 2020
Target selection is based on geolocation and browser detection. The target audience are users from the USA, Canada, Australia, Great Britain, Israel and Turkey, using the Google Chrome browser. It is worth noting that the downloaded file has a valid digital signature identical to the signature of the fake NordVPN installer distributed by the same criminal group.
The infection mechanism is implemented as follows. Upon launching the installer, it creates a folder in the %userappdata% directory that contains files for the TeamViewer remote control application and unpacks two password-protected SFX archives. One archive contains two components: a malicious msi.dll library, which allows one to establish an unauthorised connection to an infected computer and a batch file for launching the Chrome browser with Google[.]com start page. The second archive carries a script for bypassing Microsoft Windows’s built-in anti-virus protection. The msi.dll library is loaded into the RAM memory by the TeamViewer process, simultaneously hiding its activity from the user.
Using the backdoor, the attackers are able to deliver payload modules with malware to infected devices, such as:
- The X-Key Keylogger,
- The Predator The Thief stealer, and
- A trojan for remote control over the RDP protocol.
All mentioned malware is successfully detected and removed by Dr.Web and does not pose a threat to our customers. The phishing page with malicious content has been added to the Dr.Web database of dangerous and non-recommended websites.
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.