According to a new report from CheckPoint Research, Russian hackers recently attacked some European embassies by sending malicious attachments. “The attack, which starts with a malicious attachment disguised as a top secret US document, weaponizes TeamViewer, the popular remote access and desktop sharing software, to gain full control of the infected computer.” The targets are European embassies in Nepal, Guyana, Kenya, Italy, Liberia, Bermuda and Lebanon.
The hackers usually email officials Microsoft Excel spreadsheets containing malicious macros, in messages that appear to come from the US State Department. Once a spreadsheet is opened, the hackers can take complete control of the infected computer through a malicious version of TeamViewer. According to the CheckPoint analysis:
Once the macros are enabled, two files are extracted from hex encoded cells within the XLSM document:
- A legitimate AutoHotkeyU32.exe program.
- AutoHotkeyU32.ahk → an AHK script which sends a POST request to the C&C server and can receive additional AHK script URLs to download and execute.

Three different AHK scripts are awaiting on the server for the next stage:
- hscreen.ahk: Takes a screenshot of the victim’s PC and uploads it to the C&C server.
- hinfo.ahk: Sends the victim’s username and computer information to the C&C server.
- htv.ahk: Downloads a malicious version of TeamViewer, executes it and sends the login credentials to the C&C server.
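
A defender-side triage check for the delivery step described above, as an added example that is not taken from the CheckPoint report: it scans a workbook for cells holding long hex strings and flags any that decode to a PE header. The function names, the 64-byte threshold and the sample workbook are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# A cell value consisting only of hex byte pairs, at least 64 bytes long.
HEX_CELL = re.compile(rb">\s*((?:[0-9A-Fa-f]{2}){64,})\s*<")
MAX_MEMBER = 50 * 1024 * 1024  # skip oversized members (zip-bomb guard)


def scan_workbook(data: bytes) -> dict:
    """Triage an OOXML workbook for hex-encoded payloads stored in cells."""
    report = {"has_macros": False, "hex_cells": 0, "decoded_bytes": 0, "embedded": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.lower().endswith("vbaproject.bin"):
                report["has_macros"] = True
            # Cell text lives in the shared string table or inline in sheets.
            is_cells = name.endswith("sharedStrings.xml") or "/worksheets/" in name
            if not is_cells or info.file_size > MAX_MEMBER:
                continue
            for m in HEX_CELL.finditer(zf.read(info)):
                blob = bytes.fromhex(m.group(1).decode("ascii"))
                report["hex_cells"] += 1
                report["decoded_bytes"] += len(blob)
                # A cell holds at most 32,767 characters, so a large file is
                # split over many cells; only its first chunk carries the magic.
                if blob.startswith(b"MZ"):
                    report["embedded"].append((name, "PE executable"))
    return report


def build_sample() -> bytes:
    """Constructed test workbook: dummy macro part plus two hex cells."""
    chunk1 = (b"MZ" + bytes(126)).hex().upper()  # fake PE header, not a real binary
    chunk2 = bytes(range(128)).hex()
    shared = ("<sst><si><t>Budget 2019</t></si>"
              f"<si><t>{chunk1}</t></si><si><t>{chunk2}</t></si></sst>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/vbaProject.bin", b"constructed placeholder")
        zf.writestr("xl/sharedStrings.xml", shared)
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet><c><v>42</v></c></worksheet>")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_workbook(build_sample()))
```

A workbook that both carries a macro project and stores kilobytes of hex in its cells is worth quarantining for manual review even when no cell starts with a known file magic.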
It is hard to say whether there is a geopolitical motivation behind this campaign, because it does not target a particular region and the victims are from all over the world. Government finance officials have also been attacked, and CheckPoint Research pointed out that the hackers are particularly interested in these victims, who seem to be government officials carefully selected from several revenue authorities.
The hackers are sophisticated and plan their attacks carefully, using bait files tailored to the interests of the victim and targeting specific government officials.
Although the hackers are Russian, these attacks are unlikely to be sponsored by the Russian state, and CheckPoint Research believes that they are economically motivated.