TeamViewer Exploited to Breach Vulnerable Networks and Deploy Ransomware

TeamViewer users: beware. Ransomware actors have been abusing the tool to worm their way into organization endpoints. Their goal: to deploy encryptors derived from the leaked LockBit ransomware builder.

TeamViewer is a widely used remote access tool prized for its ease of use and its value as a productivity tool supporting remote and hybrid work arrangements around the world. That same popularity and ubiquity is also what makes it a target: scammers and ransomware actors abuse the tool because their goal is the same as its legitimate purpose, gaining access to remote desktops.

A similar wave of abuse unfolded in March 2016, when attackers gained unauthorized access to users' machines through credential stuffing, reusing credentials that had leaked online. This is different from exploiting a zero-day vulnerability in the software, that is, a flaw in a program that its developers had not yet identified.

TeamViewer remains a popular entry point for ransomware actors, and Huntress' new report bears this out, showing that cybercriminals still favour these techniques.

One insight from Huntress' analysis was that both intrusions shared a common attacker: the analysed log files showed connections from the same source. The logs of the first compromised endpoint also recorded multiple accesses by employees, showing that staff genuinely used the software for day-to-day work.

The second endpoint monitored by Huntress had been running TeamViewer since 2018 but showed no activity in its logs for the past three months. To attackers, this signals that the host is monitored less frequently, making it an attractive target.
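The two observations above, a shared remote source across hosts and a session landing on a host that had been dormant for months, are both things a defender can check directly against TeamViewer's inbound connection log. The following is an added example (not from the article, Huntress or BleepingComputer) that parses constructed records in a format modelled on TeamViewer's tab-separated connections_incoming.txt; the column order, host names, IDs and timestamps are all assumptions built for the demonstration.

```python
"""Added example: correlate inbound TeamViewer session records across hosts.

Assumed record layout (modelled on connections_incoming.txt, tab-separated):
  remote TeamViewer ID, remote display name, start, end, local user,
  connection type, session GUID.  All records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs, keyed by the host the log was collected from.
SAMPLE_LOGS = {
    "WS-FINANCE-01": [
        "111222333\tAlice-Laptop\t02-01-2024 09:12:00\t02-01-2024 09:40:11\tafoster\tRemoteControl\t{A1}",
        "111222333\tAlice-Laptop\t05-01-2024 14:02:10\t05-01-2024 14:20:45\tafoster\tRemoteControl\t{A2}",
        "999888777\tDESKTOP-Q7K\t16-01-2024 03:11:05\t16-01-2024 03:19:50\tafoster\tRemoteControl\t{A3}",
    ],
    "SRV-LEGACY-02": [
        "444555666\tAdmin-PC\t03-10-2023 11:00:00\t03-10-2023 11:30:00\tsvcadmin\tRemoteControl\t{B1}",
        "999888777\tDESKTOP-Q7K\t16-01-2024 03:25:31\t16-01-2024 03:33:02\tsvcadmin\tRemoteControl\t{B2}",
    ],
}

TS_FORMAT = "%d-%m-%Y %H:%M:%S"  # assumed day-month-year layout


def parse_record(line):
    """Split one tab-separated record into a dict with parsed timestamps."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    rid, name, start, end, user, ctype, sid = fields
    return {
        "remote_id": rid,
        "remote_name": name,
        "start": datetime.strptime(start, TS_FORMAT),
        "end": datetime.strptime(end, TS_FORMAT),
        "local_user": user,
        "type": ctype,
        "session": sid,
    }


def shared_sources(logs):
    """Remote TeamViewer IDs that connected to more than one host.

    A single remote ID touching several endpoints is the 'common attacker'
    pattern; legitimate helpdesk IDs will show up here too, so treat the
    result as a list to review, not a verdict."""
    hosts_by_id = defaultdict(set)
    for host, lines in logs.items():
        for line in lines:
            hosts_by_id[parse_record(line)["remote_id"]].add(host)
    return {rid: sorted(hosts) for rid, hosts in hosts_by_id.items() if len(hosts) > 1}


def dormant_host_sessions(logs, quiet_days=90):
    """Sessions that arrive after the host saw no TeamViewer activity for
    more than quiet_days.  Returns (host, remote_id, gap_in_days) tuples."""
    findings = []
    for host, lines in logs.items():
        records = sorted((parse_record(l) for l in lines), key=lambda r: r["start"])
        for previous, current in zip(records, records[1:]):
            gap = current["start"] - previous["end"]
            if gap > timedelta(days=quiet_days):
                findings.append((host, current["remote_id"], gap.days))
    return findings


if __name__ == "__main__":
    print("remote IDs seen on several hosts:", shared_sources(SAMPLE_LOGS))
    print("sessions after a long quiet period:", dormant_host_sessions(SAMPLE_LOGS))
```

Run against real exports, both checks are meant to be combined: a remote ID that is new to the estate, appears on several hosts within minutes and lands on a machine nobody has touched in months is worth an immediate look, while any one signal alone will produce noise from legitimate support staff.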

In both cases, the attackers tried to deploy the ransomware payload as a DLL executed with a rundll32.exe command, launched from a DOS batch file (PP.bat) placed on the desktop.
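The execution chain described above, a batch file on the desktop spawning cmd.exe, which spawns rundll32.exe loading a DLL from a user-writable directory, is a pattern endpoint telemetry can flag. The following is an added example (not from the article, Huntress or BleepingComputer) that runs that check over constructed process-creation events in a simplified Sysmon-style shape; the DLL name, export name, user and PIDs are assumptions, and only PP.bat comes from the article.

```python
"""Added example: flag rundll32.exe launched from a batch file on a user's
Desktop and loading a DLL from a user-writable path.

Events are constructed, simplified process-creation records (Sysmon
Event ID 1-like); field names and values are assumptions."""
import re
from pathlib import PureWindowsPath

EVENTS = [
    {"pid": 4120, "ppid": 3988, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\afoster\Desktop\PP.bat"', "user": r"CORP\afoster"},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\afoster\Desktop\payload.dll,EntryPoint", "user": r"CORP\afoster"},
    # Benign control-panel launch: rundll32 loading a system DLL, parent unknown.
    {"pid": 2200, "ppid": 900, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL", "user": r"CORP\afoster"},
]

# Directories an ordinary user can write to (assumed list, extend per estate).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")

BAT_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.bat)"?', re.IGNORECASE)
DLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",\s]+\.dll)', re.IGNORECASE)


def image_name(path):
    """Final component of a Windows path, independent of the host OS."""
    return PureWindowsPath(path).name.lower()


def extract_dll(cmdline):
    """Return the DLL path passed to rundll32, or None if not recognisable."""
    match = DLL_RE.search(cmdline)
    return match.group(1) if match else None


def flag_rundll32_from_batch(events):
    """Return findings for rundll32 processes matching the batch-file pattern.

    Each finding lists the reasons that fired so an analyst can see which
    part of the chain matched."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for event in events:
        if image_name(event["image"]) != "rundll32.exe":
            continue
        reasons = []
        parent = by_pid.get(event["ppid"])
        if parent and image_name(parent["image"]) == "cmd.exe":
            bat = BAT_RE.search(parent["cmdline"])
            if bat:
                reasons.append(f"launched from batch file {bat.group(1)}")
                if "\\desktop\\" in bat.group(1).lower():
                    reasons.append("batch file on user Desktop")
        dll = extract_dll(event["cmdline"])
        if dll and dll.lower().startswith(USER_WRITABLE_PREFIXES):
            reasons.append(f"DLL in user-writable path {dll}")
        if reasons:
            findings.append({"pid": event["pid"], "user": event["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_rundll32_from_batch(EVENTS):
        print(finding["pid"], finding["user"], "; ".join(finding["reasons"]))
```

Each reason on its own is weak (rundll32 loading a DLL from a user profile is common for some installers), so the value is in the conjunction: a .bat on the Desktop as the grandparent plus a user-writable DLL is the shape the article describes, and a parent TeamViewer_Desktop.exe or an inbound TeamViewer session in the same minute (see the connection-log check earlier on this page) raises the priority further.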

[Figure: The PP.bat file used to execute the ransomware encryptor. Source: BleepingComputer]

The attack on the first endpoint was successful, although its reach was contained. The second attempt saw the effort halted by the antivirus product, forcing repeated payload execution attempts with no success.

While Huntress has yet to attribute the attacks to a known ransomware gang, it found that the payload resembled LockBit encryptors created with the leaked LockBit Black builder.

In 2022, the ransomware builder for LockBit 3.0 became publicly available, and the Bl00dy and Buhti groups quickly adopted it to launch their own campaigns.

This released toolkit enables the generation of diverse encryptor variants, such as an executable, a DLL, and an encrypted DLL that demands a password for proper execution.

[Figure: Leaked LockBit 3.0 builder. Source: BleepingComputer]

Based on the IOCs provided by Huntress, the attacks through TeamViewer appear to be using the password protected LockBit 3 DLL.

While it is unclear exactly how malicious actors are abusing TeamViewer instances to gain remote access, TeamViewer says it takes these threats extremely seriously and has released a statement about the attacks and about securing installations:

At TeamViewer, we take the security and integrity of our platform extremely seriously and unequivocally condemn any form of malicious use of our software.

Our analysis shows that most instances of unauthorized access involve a weakening of TeamViewer's default security settings. This often includes the use of easily guessable passwords, which is only possible by using an outdated version of our product. We constantly emphasize the importance of maintaining strong security practices, such as using complex passwords, two-factor authentication, allow-lists, and regular updates to the latest software versions. These steps are critical in safeguarding against unauthorized access.

To combat this, TeamViewer has published a list of good practices for closing the gaps commonly found in unattended access configurations.

To further eliminate potential for errors that might gravely cost your business, secure your organization and networks today with Adventus. As a top Cyber Security Solutions & Services Provider, our dedicated Security Operations Centre (SOC) works around the clock to safeguard your employees and assets. We monitor, detect, and respond to any cyber security risks or threats before they threaten your business.

If your business is using TeamViewer, we recommend a thorough scan of your IT environment to identify any potential malware or further exploits. Rest assured as our SOC team will monitor, detect, and respond to any potential threats. Get in touch with us today to learn what our cyber security team can do for your business.
