Jan 17, 2011 06:00 GMT  ·  By

Security researchers have identified a new trojan which incorporates the popular TeamViewer remote control software to allow fraudsters to perform unauthorized online banking transactions from infected computers.

The piece of malware was discovered by experts from Group-IB while performing a forensic investigation on the systems of a defrauded Russian company.

It was subsequently analyzed by security researchers from antivirus vendor ESET, who call it Win32/Sheldor.NAD. Around half of the antivirus engines on VirusTotal currently detect the threat.

The malware drops a backdoor component in the Windows directory along with a TeamViewer 5 server, which it runs in console mode.

TeamViewer (TV) is a free program commonly used for remote assistance and remote control of computers over the Internet.

The inclusion of a TV server has a very precise purpose: bypassing the extra authentication mechanisms put in place by some banks.

Many online banking systems build signatures of their customers' computers, especially for business customers, and only allow authentication from machines they recognize.

Under these circumstances, even if the login credentials get stolen, the thieves are unable to abuse them.

To counter this, fraudsters have implemented remote control features into their malware. For example, the notorious ZeuS banking trojan integrates a VNC (Virtual Network Computing) module.
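A detection angle that follows from the behaviour described above: a legitimate remote-access tool that is running from the Windows directory, or from anywhere other than its normal install location, is a signal worth triaging. The following script is an added example, not code from the article or from ESET; the inventory format, the image names and the expected install directories are assumptions, and the sample process list is constructed.

```python
"""Flag remote-access tool binaries running from locations where a normal
installation would not put them, such as the Windows directory."""
from dataclasses import dataclass
import ntpath

# Assumed image names of remote-access tools and their expected install
# directories (lower-cased, backslash-separated); extend to taste.
EXPECTED_DIRS = {
    "teamviewer.exe": ("c:\\program files\\teamviewer",
                       "c:\\program files (x86)\\teamviewer"),
    "winvnc.exe": ("c:\\program files\\ultravnc",
                   "c:\\program files\\tightvnc"),
}

# Constructed process inventory: pid,image name,full path (one per line).
SAMPLE_INVENTORY = r"""
412,TeamViewer.exe,C:\Program Files\TeamViewer\TeamViewer.exe
988,TeamViewer.exe,C:\Windows\TeamViewer.exe
1204,winvnc.exe,C:\Users\alice\AppData\Roaming\winvnc.exe
1330,notepad.exe,C:\Windows\System32\notepad.exe
"""

@dataclass
class Finding:
    pid: int
    image: str
    path: str
    reason: str

def parse_inventory(text):
    """Turn the CSV-like inventory into (pid, image, path) tuples."""
    rows = []
    for line in text.strip().splitlines():
        pid, image, path = line.split(",", 2)
        rows.append((int(pid), image, path))
    return rows

def _under(path, directory):
    """True if path lies inside directory (case-insensitive, normalized)."""
    norm = ntpath.normpath(path).lower()
    return norm == directory or norm.startswith(directory + "\\")

def find_misplaced_remote_tools(text):
    """Return a Finding for every known remote-access image that is not
    running from one of its expected install directories."""
    findings = []
    for pid, image, path in parse_inventory(text):
        expected = EXPECTED_DIRS.get(image.lower())
        if expected is None or any(_under(path, d) for d in expected):
            continue  # not a tool we track, or installed where expected
        if _under(path, "c:\\windows"):
            reason = "remote-access tool running from the Windows directory"
        else:
            reason = "remote-access tool outside its install directory"
        findings.append(Finding(pid, image, path, reason))
    return findings
```

Feed it the output of whatever process inventory your endpoint tooling produces; the two flagged rows in the sample are the ones an analyst would want to look at first.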

"One component of TeamViewer is modified in order to inject code into tv.dll, communicating through the administrative control panel," David Harley, a senior research fellow at ESET, explains.

Sheldor allows remote attackers to start a command line shell on infected computers, toggle monitoring on and off, log off the Windows user, power the system down and uninstall the bot.

"[...] It's disquieting but not surprising to see widely-used remote access tools misused for criminal purposes," Mr. Harley says.

In the past we have seen scareware programs integrate free file scanning tools from real vendors in order to increase their legitimacy.