TVSPY - Threat Actor Group Reappears with Teamviewer Malware Package
By Loucif Kharouni, Sr. Threat Researcher at Damballa Inc.
What’s TVSPY?
TVSPY is malware that takes advantage of a vulnerability in Teamviewer software version 6, a
legitimate tool used for remote PC administration. The malware is also known as TVRAT,
SpY-Agent or teamspy.
Although the current version of Teamviewer fixes this vulnerability, TVSPY relies on bundling
Teamviewer v6 in a package with a copy of the malware. It works independently of any existing
Teamviewer installation.
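As an added example (not from the original article), one way to hunt for the bundling described above is to triage a software inventory for Teamviewer binaries that report major version 6 or that sit outside the managed install directory. The record fields, approved directories, hosts, paths and version strings are assumptions constructed for illustration.

```python
import ntpath

# Assumption: directories where a managed Teamviewer install is expected.
APPROVED_DIRS = (r"c:\program files\teamviewer",
                 r"c:\program files (x86)\teamviewer")
BUNDLED_MAJOR = 6  # major version the article says TVSPY ships with


def major_version(file_version):
    """Return the major number of a dotted version string, or None if unparsable."""
    head = file_version.strip().split(".", 1)[0]
    return int(head) if head.isdigit() else None


def in_approved_dir(path):
    # Compare on the normalised, lower-cased parent folder (Windows semantics).
    folder = ntpath.normcase(ntpath.normpath(ntpath.dirname(path)))
    return any(folder == d or folder.startswith(d + "\\") for d in APPROVED_DIRS)


def triage(records):
    """Yield (host, path, reasons) for Teamviewer binaries worth a closer look."""
    for rec in records:
        # Match on the version-info product name, not the file name on disk.
        if rec["product"].strip().lower() != "teamviewer":
            continue
        reasons = []
        if major_version(rec["file_version"]) == BUNDLED_MAJOR:
            reasons.append(f"reports bundled major version {BUNDLED_MAJOR}")
        if not in_approved_dir(rec["path"]):
            reasons.append("outside approved install directory")
        if reasons:
            yield rec["host"], rec["path"], reasons


# Constructed inventory rows (hypothetical hosts, paths and versions).
SAMPLE = [
    {"host": "ws-01", "product": "TeamViewer", "file_version": "10.0.43879.0",
     "path": r"C:\Program Files (x86)\TeamViewer\TeamViewer.exe"},
    {"host": "ws-02", "product": "TeamViewer", "file_version": "6.0.17222.0",
     "path": r"C:\Users\alice\AppData\Roaming\svc\tv.exe"},
    {"host": "ws-03", "product": "TeamViewer", "file_version": "10.0.43879.0",
     "path": r"C:\Users\bob\Downloads\TeamViewer.exe"},
    {"host": "ws-04", "product": "Notepad++", "file_version": "6.8.3.0",
     "path": r"C:\Program Files\Notepad++\notepad++.exe"},
]

if __name__ == "__main__":
    for host, path, reasons in triage(SAMPLE):
        print(f"{host}: {path} -> {'; '.join(reasons)}")
```

A hit on the directory check alone (ws-03 here) is a lead for review rather than a verdict, since portable copies of a remote-administration tool can be legitimate.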
TVSPY: APT or Crimeware?
ESET and Group-IB discussed this malware as crimeware back in 2011 at CARO, while Kaspersky
mentions it in one of their APT reports from 2013, with a detailed description of its routine. The
prevalence of these malware variants appears to have increased recently.
The number of unique variants we have already seen in 2015 is 4.4x the number seen in 2012, and
2.2x that seen in all of 2014. There are some instances of Dridex installing this malware as well.
This malware has been relatively quiet for more than two years, so the nearly three-fold increase in
activity is concerning.
Year    Unique samples
2012    5
2013    8
2014    10
2015    22
More recently, a targeted email campaign included a malicious Excel file with a macro that would
download this malware. The email impersonated the All-Russian Research and Design
Institute of Nuclear and Energy Engineering.
Analysis of the command-and-control server for this latest variant suggests that it is owned by
professional criminals.
61 Cyber Warnings E-Magazine – September 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide