pic4a information:
Jabber:
[email protected]
[email protected]
Conclusion
This threat is particularly dangerous because the attacker gains total control over the affected machine. We have seen it used both in regular infection campaigns and by APT actors in targeted attacks against specific victims.
RMS/TVSPY continues to be developed, with the developer/reseller posting a new version on a regular basis.
In fact, the legitimate RMS version developed by TektonIT and the version posted in criminal forums appear to be identical.
TVSPY appears to be merely a modification of RMS that uses TeamViewer infrastructure and adds a command and control interface manageable through the web.
Damballa detects TVSPY as BlueSpiderCrashers.
Loucif Kharouni
Senior Threat Researcher
Willis McDonald
Senior Threat Researcher
Indicators of compromise:
- Under C:\kernel (folder kernel has hidden attribute):
65 Cyber Warnings E-Magazine – September 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide