Spy-Agent

The BackDoor.TeamViewerENT.1 trojan, distributed under the name Spy-Agent and also known as TeamSpy, TVSPY, and TVRAT, has been circulating since 2011 and is regularly updated. Spy-Agent is a multi-component trojan that recently integrated a TeamViewer capability used to spy on potential victims. Once the trojan launches, it disables error messaging for the TeamViewer process, sets the “system”, “hidden”, and “read only” attributes on its files, and intercepts calls to multiple functions. If files that TeamViewer needs to operate are missing, Spy-Agent downloads them from its C2 server. If the trojan detects that Windows Task Manager or Process Explorer has been launched, it terminates the TeamViewer process. Spy-Agent has the following capabilities: device power control, TeamViewer operation control, microphone control, remote web camera snooping, file transfer and modification, configuration file updates, and remote server connection. Spy-Agent allows attackers to spy on victims and steal sensitive personal information. The trojan is also used to install additional malware onto the compromised device. In July, victims of Spy-Agent were mainly located in Europe but, in August, attackers began targeting victims in the United States.
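
A triage check built on the file-attribute behaviour described above, as an added example that is not from Dr. Web or the original profile. It assumes a file inventory of (path, attribute mask) pairs has already been collected from the host; the expected install directories, the TeamViewer.exe name match, and the sample inventory are assumptions constructed for illustration.

```python
import stat
from collections import defaultdict
from ntpath import basename, dirname  # parses Windows paths on any OS

# The three attributes the profile says the trojan sets on its files.
STEALTH_MASK = (stat.FILE_ATTRIBUTE_READONLY
                | stat.FILE_ATTRIBUTE_HIDDEN
                | stat.FILE_ATTRIBUTE_SYSTEM)

# Assumption: default TeamViewer install locations; adjust for your estate.
EXPECTED_DIRS = (r"c:\program files\teamviewer",
                 r"c:\program files (x86)\teamviewer")
EXPECTED_PREFIXES = tuple(d + "\\" for d in EXPECTED_DIRS)


def triage(inventory):
    """inventory: iterable of (path, attribute_mask) pairs.
    Returns {directory: [flagged file names]} for directories outside the
    expected install paths that hold a TeamViewer executable and at least
    one file carrying read-only + hidden + system together."""
    by_dir = defaultdict(list)
    for path, attrs in inventory:
        by_dir[dirname(path).lower()].append((basename(path), attrs))
    findings = {}
    for directory, files in by_dir.items():
        if (directory + "\\").startswith(EXPECTED_PREFIXES):
            continue  # legitimate install location
        has_tv = any(name.lower() == "teamviewer.exe" for name, _ in files)
        flagged = sorted(name for name, attrs in files
                         if (attrs & STEALTH_MASK) == STEALTH_MASK)
        if has_tv and flagged:
            findings[directory] = flagged
    return findings


# Constructed sample inventory (not taken from a real host or from the report).
SAMPLE = [
    (r"C:\Program Files (x86)\TeamViewer\TeamViewer.exe", 0x20),
    (r"C:\Program Files (x86)\TeamViewer\TeamViewer_Desktop.exe", 0x20),
    (r"C:\Users\alice\AppData\Roaming\Upd\TeamViewer.exe", 0x07),
    (r"C:\Users\alice\AppData\Roaming\Upd\config.bin", 0x27),
    (r"C:\Users\alice\AppData\Roaming\Upd\readme.txt", 0x20),
    (r"C:\Users\bob\Documents\notes.txt", 0x03),
]

if __name__ == "__main__":
    for directory, names in triage(SAMPLE).items():
        print(f"{directory}: {', '.join(names)}")
```

A hit is a lead for further investigation, not a verdict: a portable TeamViewer copy can legitimately live outside Program Files, so confirm against the Dr. Web technical details before acting.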

Technical Details

  • Dr. Web provides technical details on the Spy-Agent trojan, available here.
Spy-Agent Example
