TeamViewer Hijacked: Corporate Infiltration and Ransomware Deployment Uncovered
In a recent report, Huntress revealed that cybercriminals are once again using TeamViewer, a legitimate remote access tool, for initial access to corporate endpoints and for attempts to deploy ransomware.
The first widespread abuse of TeamViewer by malicious actors was observed in March 2016, during the distribution of the Surprise ransomware. At the time, TeamViewer stated that the unauthorized access had been made possible by leaked user credentials, not by a vulnerability in the remote access software itself.
Because TeamViewer is so widely deployed, many criminals take credentials compromised elsewhere and try them against TeamViewer (credential stuffing) to find accounts that reuse the same password.
Turning to the current campaign, TeamViewer is clearly being abused once more. In the attack chain analyzed by Huntress, the attackers reached the target system through TeamViewer and tried to deploy a malicious payload with a batch file named “PP.bat”, which launched a malicious DLL via rundll32.exe.
Huntress could not attribute these attacks to a specific known ransomware group, but noted similarities with LockBit, specifically with samples generated by the LockBit Black builder that leaked in September 2022.
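The chain described above leaves two artifacts a defender can correlate: a process-creation event in which cmd.exe runs a batch file that spawns rundll32.exe loading a DLL, and an incoming-connection record in TeamViewer's own logs covering that time. The script below is an added example written for this article; it is not code from Huntress or TeamViewer. The log lines are constructed, the DLL name is made up, and the column layout assumed for TeamViewer's Connections_incoming.txt (tab-separated remote ID, display name, start, end, local user, connection type, connection GUID, with DD-MM-YYYY timestamps) should be checked against a real log before use.

```python
"""Added example: flag rundll32.exe launched from a batch file while an
incoming TeamViewer session was active. Sample data is constructed."""
from datetime import datetime

# Constructed lines in the assumed layout of TeamViewer's Connections_incoming.txt.
CONNECTIONS_INCOMING = """\
123456789\tFinanceLaptop\t23-01-2024 08:12:44\t23-01-2024 08:40:03\tjdoe\tRemoteControl\t{aaaa-1}
987654321\tUnknown\t23-01-2024 21:03:10\t23-01-2024 21:15:52\tjdoe\tRemoteControl\t{bbbb-2}
"""

# Constructed process-creation events (Sysmon Event ID 1 style, trimmed to the
# fields used here). "payload.dll" is a placeholder, not a name from the report.
PROCESS_EVENTS = [
    {"ts": "2024-01-23 08:20:00", "pid": 2000, "ppid": 900,
     "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"ts": "2024-01-23 08:20:05", "pid": 2010, "ppid": 2000,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},      # benign: Control Panel applet
    {"ts": "2024-01-23 21:05:30", "pid": 4300, "ppid": 2000,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\jdoe\Desktop\PP.bat"'},
    {"ts": "2024-01-23 21:05:31", "pid": 4320, "ppid": 4300,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\jdoe\Desktop\payload.dll,Run"},
]

TV_TS = "%d-%m-%Y %H:%M:%S"   # assumed TeamViewer timestamp format
EVT_TS = "%Y-%m-%d %H:%M:%S"  # timestamp format of the constructed events


def parse_connections(text):
    """Parse incoming-connection records into dicts with datetime bounds."""
    sessions = []
    for line in text.splitlines():
        fields = line.rstrip("\r\n").split("\t")
        if len(fields) < 7:
            continue  # skip malformed or partial lines
        sessions.append({
            "remote_id": fields[0], "name": fields[1],
            "start": datetime.strptime(fields[2], TV_TS),
            "end": datetime.strptime(fields[3], TV_TS),
            "user": fields[4], "type": fields[5], "conn_id": fields[6],
        })
    return sessions


def sessions_active_at(sessions, ts):
    """Return the sessions whose [start, end] window contains ts."""
    return [s for s in sessions if s["start"] <= ts <= s["end"]]


def rundll32_from_batch(events):
    """Yield (parent, child) pairs where cmd.exe running a .bat spawned rundll32.exe."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\rundll32.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or not parent["image"].lower().endswith("\\cmd.exe"):
            continue
        if ".bat" not in parent["cmd"].lower():
            continue
        hits.append((parent, e))
    return hits


def correlate(events, sessions):
    """Attach the TeamViewer sessions active at each suspicious rundll32 launch."""
    findings = []
    for parent, child in rundll32_from_batch(events):
        ts = datetime.strptime(child["ts"], EVT_TS)
        active = sessions_active_at(sessions, ts)
        findings.append({
            "pid": child["pid"],
            "batch": parent["cmd"],
            "dll_cmd": child["cmd"],
            "teamviewer_sessions": [s["remote_id"] for s in active],
        })
    return findings


if __name__ == "__main__":
    for f in correlate(PROCESS_EVENTS, parse_connections(CONNECTIONS_INCOMING)):
        print(f)
```

Note that the benign rundll32.exe launch from explorer.exe is not flagged: the rule keys on the batch-file parent, not on rundll32.exe alone, which is far too common to alert on by itself. A remote-control session does not make TeamViewer.exe the parent of what the operator runs (the processes hang off the interactive desktop), which is why the correlation here is by time window against TeamViewer's connection log rather than by process ancestry.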
While it remains unclear exactly how the attackers gained control of the TeamViewer instances this time, the company reminded users that basic security hygiene is the main defense against such attacks: strong, unique passwords, two-factor authentication, allow lists restricting which IDs may connect, and keeping the software up to date.
These measures do not guarantee that unauthorized access is impossible, but they remove the credential reuse and unrestricted inbound access that both this campaign and the 2016 incidents depended on.