Cyble – Trojanized Application Preying On TeamViewer Users

Cyble researchers uncovered a Trojanized TeamViewer installer that drops njRAT, a Remote Access Trojan, onto Windows machines, leveraging trusted software to lure victims. The campaign enables keystroke logging, data collection, and C2 communication while persisting via startup entries and registry changes. #njRAT #Bladabindi #TeamViewer #CRIL #Cyble #Wireshark

Keypoints

  • njRAT is delivered through trojanized TeamViewer installers, exploiting trust in popular apps.
  • The malware drops two files in Windows, including a legitimate TeamViewer executable and njRAT.
  • njRAT copies itself to AppData\Local\Temp as system.exe to masquerade as a legitimate process, then launches that copy.
  • A mutex (301b5fcf8ce2fab8868e80b6c1f912fe) is created to prevent reinfection and coordinate the malicious threads.
  • It sets SEE_MASK_NOZONECHECKS (an environment variable, not a registry key; a value of 1 makes the shell skip the zone check that triggers the "Open File - Security Warning" prompt for files carrying a Mark-of-the-Web) and changes security settings in the registry to suppress warnings and prompts.
  • Persistence is achieved via two autorun registry entries and a startup-folder copy.
  • njRAT performs keylogging and system information collection, encodes data (base64), and exfiltrates to a C2 server.
  • The malware establishes a C2 connection using preconfigured address/port and awaits commands.
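The persistence and masquerading behaviours above map directly onto host telemetry. The following hunt logic is an added example written for this page, not Cyble's tooling; the Sysmon-style events it runs over are constructed to mirror the reported behaviours (file and process names, Run-key values, Startup-folder copy), and the user name, SID and value names in them are invented. The three rules are generic rather than njRAT-specific, so they also fire on other malware that drops a `system.exe` into a user directory or registers a user-writable path under a Run key.

```python
"""Hunt for njRAT-style persistence and masquerading in Sysmon-like events.

Added example for this page (not from the Cyble report). Event IDs follow
Sysmon: 1 = process create, 11 = file create, 13 = registry value set.
"""
import re
from collections import defaultdict

# Constructed sample telemetry; paths, user, SID and value names are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\bob\Downloads\TeamViewer Starting.exe",
     "ParentImage": r"C:\Users\bob\Downloads\TeamViewer_Setup.exe"},
    {"EventID": 11, "Image": r"C:\Users\bob\Downloads\TeamViewer Starting.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\system.exe"},
    {"EventID": 1, "Image": r"C:\Users\bob\AppData\Local\Temp\system.exe",
     "ParentImage": r"C:\Users\bob\Downloads\TeamViewer Starting.exe"},
    {"EventID": 13, "Image": r"C:\Users\bob\AppData\Local\Temp\system.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\system",
     "Details": r'"C:\Users\bob\AppData\Local\Temp\system.exe" ..'},
    {"EventID": 13, "Image": r"C:\Users\bob\AppData\Local\Temp\system.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\system",
     "Details": r'"C:\Users\bob\AppData\Local\Temp\system.exe" ..'},
    {"EventID": 11, "Image": r"C:\Users\bob\AppData\Local\Temp\system.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.exe"},
    # Benign noise: a vendor installer registering a Program Files binary under Run.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\tray.exe"'},
    # The decoy: the legitimate TeamViewer binary launched by the loader.
    {"EventID": 1, "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "ParentImage": r"C:\Users\bob\Downloads\TeamViewer Starting.exe"},
]

USER_WRITABLE = re.compile(r"(?i)\\(AppData|Temp|Users|ProgramData|Public)\\")
RUN_KEY = re.compile(r"(?i)\\CurrentVersion\\Run(Once)?\\")
STARTUP_DIR = re.compile(r"(?i)\\Start Menu\\Programs\\Startup\\")
SYSTEM_EXE = re.compile(r"(?i)\\system\.exe$")
WINDIR = re.compile(r"(?i)^[a-z]:\\Windows\\")


def masquerade_system_exe(ev):
    """No Windows component ships as system.exe (the kernel 'System' process has
    no image path), so any system.exe outside %SystemRoot% is suspect."""
    path = ev.get("TargetFilename") or ev.get("Image", "")
    return ev["EventID"] in (1, 11) and bool(SYSTEM_EXE.search(path)) and not WINDIR.match(path)


def autorun_from_user_dir(ev):
    """Run/RunOnce value whose data points into a user-writable directory."""
    return (ev["EventID"] == 13
            and bool(RUN_KEY.search(ev.get("TargetObject", "")))
            and bool(USER_WRITABLE.search(ev.get("Details", ""))))


def startup_folder_drop(ev):
    """File written into a Start Menu Startup folder."""
    return ev["EventID"] == 11 and bool(STARTUP_DIR.search(ev.get("TargetFilename", "")))


RULES = {
    "masquerade_system_exe": masquerade_system_exe,
    "autorun_from_user_dir": autorun_from_user_dir,
    "startup_folder_drop": startup_folder_drop,
}


def hunt(events):
    """Return (rule name, event) pairs for every event a rule fires on."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


def triage(events):
    """Group rule hits by the acting process image so that a single binary
    tripping several distinct rules (as system.exe does here) stands out."""
    by_image = defaultdict(set)
    for name, ev in hunt(events):
        by_image[ev["Image"]].add(name)
    return dict(by_image)


if __name__ == "__main__":
    for image, rules in triage(SAMPLE_EVENTS).items():
        print(f"{len(rules)} rule(s) {sorted(rules)} -> {image}")
```

`triage` deliberately keys on the acting image rather than the dropped file: the first hit (the loader writing `system.exe`) is attributed to `TeamViewer Starting.exe`, everything after it to `system.exe`, which gives the two process names a responder needs to pull from the host. The benign Program Files autorun and the decoy `TeamViewer.exe` launch produce no hits.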

MITRE Techniques

  • [T1204] User Execution – Users are prompted to proceed with the TeamViewer installation via a user prompt window. Quote: “the user prompt window, providing the option to proceed with the team viewer installation.”
  • [T1059] Command and Scripting Interpreter – The loader triggers execution of “TeamViewer Starting.exe” (njRAT) and then launches “teamviewer.exe”. Quote: “the installer triggers the execution of “TeamViewer Starting.exe” (njRAT) and subsequently launches the legitimate “teamviewer.exe” application.”
  • [T1547] Boot or Logon AutoStart Execution – Persistence via startup mechanisms; two autorun entries and a startup folder copy. Quote: “two distinct methods to achieve persistence. The first one involves creating two autorun entries in the system registry… and the second method entails copying itself to the startup directory.”
  • [T1036] Masquerading – The malware copies itself to AppData\Local\Temp with the filename “system.exe” to appear legitimate. Quote: “copying itself into the ‘AppData\Local\Temp’ directory with the filename “system.exe”.”
  • [T1082] System Information Discovery – The malware collects OS version, service pack, date, username, webcam info, architecture, and registry keys. Quote: “collects various system information such as the Windows operating system version, the service pack, the current date, the username, information about webcams, system architecture, and specific registry keys.”
  • [T1057] Process Discovery – Weakly supported: the report's evidence is the process tree of the Trojanized installer, which documents the execution chain rather than the RAT enumerating running processes. Quote: “sequence of processes involved when executing the Trojanized TeamViewer installer.”
  • [T1012] Query Registry / [T1112] Modify Registry – Reading specific registry keys during system information collection is T1012; the security-setting changes and the two autorun entries are writes, which MITRE classifies as T1112 Modify Registry. Quote: “changing security settings in the registry.”
  • [T1056] Input Capture – Keylogging via a dedicated thread capturing keystrokes and storing them. Quote: “The RAT creates a dedicated thread that establishes an ongoing loop to continuously monitor keystrokes.”
  • [T1071] Application Layer Protocol – Data exfiltration and C2 communication over an application-layer protocol. Quote: “establishes a connection with a Command and Control (C&C) server to transmit the gathered information.”
  • [T1095] Non-Application Layer Protocol – A hard-coded host and port alone do not indicate a non-application-layer protocol; what supports T1095 is that njRAT talks to its C2 over a direct TCP session using its own message framing rather than HTTP or another standard application protocol, which is why the traffic is best inspected in Wireshark as a raw TCP stream. Quote: “The C&C address and listening port are preconfigured within the file.”
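To make the C2 and exfiltration bullets concrete for someone carving the Wireshark capture, the following parser is an added example for this page (not Cyble's code and not from the report). It assumes the njRAT framing documented in public analyses of the family: each message is an ASCII decimal body length, a NUL byte, then the body, with fields separated by `|'|'|` and several fields base64-encoded. Verify both assumptions against the actual stream before relying on the output. The two frames it parses are constructed here (a registration and a keylog message with invented victim identifier, host, user and keystrokes), and the field order is illustrative rather than the RAT's exact layout.

```python
"""Carve njRAT-style length-prefixed frames out of a reassembled TCP stream.

Added example for this page; assumed wire format (verify against the capture):
  <ascii decimal length>\x00<body>   body fields separated by |'|'| , some base64.
"""
import base64
import binascii

SEP = b"|'|'|"   # field separator assumed from public njRAT analyses


def _texty(s: str) -> bool:
    """True if a decoded field is plausible text (printable, or newline/tab)."""
    return all(c.isprintable() or c in "\r\n\t" for c in s)


def decode_field(field: bytes) -> str:
    """Base64-decode a field if it is valid base64 that yields readable text,
    otherwise return it as-is. Short tokens such as the 'll'/'kl' command
    names fail strict base64 validation and fall through unchanged."""
    try:
        raw = base64.b64decode(field, validate=True).decode("utf-8")
        if _texty(raw):
            return raw
    except (binascii.Error, UnicodeDecodeError, ValueError):
        pass
    return field.decode("latin-1")


def parse_frames(stream: bytes):
    """Split a byte stream into complete message bodies; a trailing partial
    frame (still in flight when the capture ended) is dropped, not guessed."""
    frames, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul < 0:
            break
        try:
            length = int(stream[pos:nul])
        except ValueError:          # not njRAT framing (or we lost sync)
            break
        body = stream[nul + 1:nul + 1 + length]
        if len(body) < length:      # truncated frame
            break
        frames.append(body)
        pos = nul + 1 + length
    return frames


def decode_stream(stream: bytes):
    """Return [(command, [decoded fields...]), ...] for every complete frame."""
    out = []
    for body in parse_frames(stream):
        parts = body.split(SEP)
        out.append((parts[0].decode("latin-1"), [decode_field(p) for p in parts[1:]]))
    return out


def frame(*fields: bytes) -> bytes:
    """Build one frame in the assumed format (used only to construct samples)."""
    body = SEP.join(fields)
    return str(len(body)).encode() + b"\x00" + body


def b64(s: bytes) -> bytes:
    return base64.b64encode(s)


# Constructed sample stream: a registration ('ll') and a keylog ('kl') message.
SAMPLE_STREAM = (
    frame(b"ll", b64(b"HacKed_ABC123"), b"DESKTOP-1", b"bob", b"Windows 10",
          b64(rb"C:\Users\bob\AppData\Local\Temp\system.exe"))
    + frame(b"kl", b64(b"[Notepad]\r\nhello"))
)

if __name__ == "__main__":
    for cmd, fields in decode_stream(SAMPLE_STREAM):
        print(cmd, fields)
```

In practice, feed it the bytes of the client-to-server side of the TCP conversation (Wireshark's Follow TCP Stream, raw, one direction), since the decimal-length prefix makes message boundaries independent of packet boundaries. The victim identifier and any file path or captured keystrokes come out decoded, which is what you need to scope the incident.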

Indicators of Compromise

  • [Hash] Trojanized TeamViewer – SHA256 224ae485b6e4c1f925fff5d9de1684415670f133f3f8faa5f23914c78148fc31, SHA1 9b9539fec7d0227672717e126a9b46cda3315895, MD5 11aacb03c7e370d2b78b99efe9a131eb
  • [Hash] system.exe / TeamViewer Starting.exe – SHA256 9bcb093f911234d702a80a238cea14121c17f0b27d51bb023768e84c27f1262a, SHA1 b2f847dce91be5f5ea884d068f5d5a6d9140665c
  • [URL] C2 – hxxp://kkk[.]no-ip[.]biz

Read more: https://blog.cyble.com/2023/07/13/trojanized-application-preying-on-teamviewer-users/