Hackers use legit remote IT support tool in spy attack
Hackers have been discovered using a tampered-with version of a legitimate remote access tool to target activists, industrial, research and diplomatic targets.
Hungary-based security firm CrySys Lab discovered an attack on diplomatic targets in Hungary which installs legitimate software first, but then remotely alters the program to enable it to spy on victims.
The ongoing campaign uses a legitimate software package from a German vendor that offers remote control, file transfer and other administrative tools for Apple, Windows, Linux, iOS and Android.
Kaspersky Lab has provided its own detailed analysis (PDF) of the "TeamSpy crew" behind the attack, which it says has been in operation since 2008, and has hit a variety of targets, ranging from activists and political figures to heavy industry and national information agencies.
"The attackers control the victim's computers remotely by using [a] legal remote administration tool," Kaspersky Lab explains in its own analysis of the surveillance kit.
"This application is signed with legitimate digital certificates and is used by more than 100 million users around the world. To avoid alerting the user that somebody is spying on him, the attackers dynamically patch [the program] in memory to remove all signs of its presence."
CrySys' report states that targets include a high-profile victim in Hungary, multiple victims in Iran, and the Ministry of Foreign Affairs of Uzbekistan. The company said it was asked to investigate the malware by the Hungarian National Security Authority (NBF).
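The in-memory patching Kaspersky describes defeats any control that only verifies the signature of the file on disk. The following is an added example, not code from the article or from either lab's report: on Linux it reads /proc/<pid>/maps and /proc/<pid>/mem and compares each executable mapping of a loaded module with the bytes of the file it was mapped from, so a module whose code pages no longer match disk stands out. Linux /proc, the page-granular comparison and all helper names are assumptions of this example; the article itself names no files.

```python
"""Compare the executable mappings of a loaded module against the file on
disk; a signature on the file says nothing about code patched in memory.
Added example assuming Linux /proc; not code from the article or vendors."""
import mmap
import os

PAGE = mmap.PAGESIZE


def differing_pages(expected: bytes, observed: bytes, page_size: int = PAGE) -> list:
    """Page-aligned offsets where memory (`observed`) differs from the file (`expected`).
    A short read counts as a difference, never as a match."""
    n = max(len(expected), len(observed))
    return [off for off in range(0, n, page_size)
            if expected[off:off + page_size] != observed[off:off + page_size]]


def executable_file_mappings(pid: str = "self") -> list:
    """(start, end, file_offset, path) for each executable mapping backed by a file."""
    found = []
    with open(f"/proc/{pid}/maps") as maps:
        for line in maps:
            fields = line.rstrip("\n").split(maxsplit=5)
            if (len(fields) < 6 or "x" not in fields[1] or not fields[5].startswith("/")
                    or fields[5].endswith(" (deleted)")):  # anonymous, data-only or unlinked
                continue
            start, end = (int(a, 16) for a in fields[0].split("-"))
            found.append((start, end, int(fields[2], 16), fields[5]))
    return found


def loaded_modules(pid: str = "self") -> list:
    """Distinct on-disk files that `pid` executes code from."""
    return sorted({m[3] for m in executable_file_mappings(pid)})


def check_module(path: str, pid: str = "self") -> list:
    """(address, file_offset) of every code page of `path` that no longer matches disk.
    An empty list means no in-memory patch was found in its executable mappings."""
    findings = []
    size = os.path.getsize(path)
    with open(path, "rb") as disk, open(f"/proc/{pid}/mem", "rb", 0) as mem:
        for start, end, offset, name in executable_file_mappings(pid):
            if name != path:
                continue
            length = min(end - start, size - offset)  # mapping may be page-padded past EOF
            if length <= 0:
                continue
            disk.seek(offset)
            mem.seek(start)  # unbuffered handle: read exactly the mapped range, no read-ahead
            for off in differing_pages(disk.read(length), mem.read(length)):
                findings.append((start + off, offset + off))
    return findings
```

Run against a process other than your own by passing its pid (as a string) to `check_module`; that requires ptrace permission on the target, and a non-empty result for a signed remote-administration tool is the indicator the article is describing.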