Multiple Embassies Targeted Using TeamViewer to Create Backdoor
Check Point researchers have identified a targeted cyberattack against multiple embassies across Europe that is assessed to be financially motivated. The intended key targets are connected to government revenue and finance departments. The threat actor is assessed to be an individual who uses the handle “EvaPiks” on an illegal Russian carding forum. The attack is initiated through an email with the subject line “Military Financing Program” that carries an XLSM attachment. The document contains malicious macros and bears the US Department of State emblem, marked with a TOP SECRET classification. The payload is a malicious TeamViewer DLL (TeamViewer is legitimate remote desktop access software), which creates a backdoor on the victim’s system. According to Check Point, the malware used in this attack was blocked by Check Point’s Threat Emulation and Extraction.

The NJCCIC advises users to avoid clicking on links or opening attachments contained in suspicious emails. If a user is uncertain of an email’s legitimacy, we encourage them to contact the sender via an alternate method. End users and organizations are advised to disable macros in Office documents. We also recommend that users ensure they are running up-to-date security software.
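The attack chain above hinges on a macro-bearing XLSM attachment, so a mail gateway or triage pipeline that can tell whether an Office attachment carries a VBA project is a practical first line of defense alongside the “disable macros” advice. The following is an added example written for this advisory, not code from Check Point or the NJCCIC. It relies only on the fact that Office Open XML files (.xlsx, .xlsm, .docm, …) are zip containers and that a file-based VBA project is stored as a part named vbaProject.bin. The sample workbooks it builds are constructed in memory and are not real documents; the verdict labels and the `triage_attachment` helper are this example’s own conventions.

```python
import io
import zipfile

# Office Open XML containers store a VBA project as a part that ends in
# "vbaProject.bin" (xl/ for Excel, word/ for Word, ppt/ for PowerPoint).
MACRO_PART_SUFFIX = "vbaproject.bin"

# Extensions that legitimately carry VBA. Macros inside any other OOXML
# extension (e.g. a ".xlsx" that contains xl/vbaProject.bin) are suspicious.
MACRO_ENABLED_EXTENSIONS = {"xlsm", "xltm", "xlam", "docm", "dotm", "pptm", "potm"}


def build_sample_workbook(with_macros: bool) -> bytes:
    """Construct a minimal zip that mimics the layout of an Excel OOXML file.

    This is test scaffolding only: it is NOT a valid workbook Excel would open.
    The fake vbaProject.bin starts with the OLE compound-file magic bytes
    (D0 CF 11 E0 A1 B1 1A E1) that a real VBA project part begins with.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if with_macros:
            zf.writestr("xl/vbaProject.bin",
                        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


def find_macro_parts(data: bytes) -> list:
    """Return the names of VBA project parts inside an OOXML container.

    Non-zip input (e.g. a legacy binary .xls, or something that is not an
    Office file at all) yields an empty list; callers handle that separately.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if n.lower().endswith(MACRO_PART_SUFFIX)]


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify an attachment under a 'no macros from email' policy.

    Verdicts (this example's own labels):
      allow       - OOXML container without a VBA project
      quarantine  - VBA project present; hold for analyst review
    'extension_mismatch' is set when macros appear in an extension that
    should not carry them, which is a stronger signal than macros alone.
    """
    macro_parts = find_macro_parts(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    has_macros = bool(macro_parts)
    mismatch = has_macros and ext not in MACRO_ENABLED_EXTENSIONS
    return {
        "filename": filename,
        "extension": ext,
        "has_macros": has_macros,
        "macro_parts": macro_parts,
        "extension_mismatch": mismatch,
        "verdict": "quarantine" if has_macros else "allow",
    }


if __name__ == "__main__":
    # Constructed samples: a macro-bearing lure like the one in the advisory,
    # a clean workbook, and macros hiding behind a macro-free extension.
    samples = [
        ("Military Financing Program.xlsm", build_sample_workbook(True)),
        ("quarterly_report.xlsx", build_sample_workbook(False)),
        ("quarterly_report.xlsx", build_sample_workbook(True)),
    ]
    for name, blob in samples:
        result = triage_attachment(name, blob)
        print(f"{name:36} macros={result['has_macros']!s:5} "
              f"mismatch={result['extension_mismatch']!s:5} -> {result['verdict']}")
```

This check only sees file-based VBA projects. It does not detect Excel 4.0 (XLM) macro sheets, which live in ordinary worksheet XML, nor macros inside legacy binary .xls/.doc files, so it belongs in front of, not instead of, sandbox detonation such as the threat emulation the advisory credits with blocking this sample.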