For example, Figure 3 shows that there are communications on barebones TCP, as well as TLS.įigure 3: TCP and TLS communicationsAs some of the earlier conversations continue or die off, yet more spin up.įigure 4: More TCP communications startThere are some larger packets visible in this data, but–unlike LogMeIn–the data is unreadable.įigure 5: Unreadable TCP dataInterestingly, much later in the capture we find communications occurring over UDP as well. When trying to keep track of what communications exist with these infrastructure devices, it’s clear that there’s a lot of things going on.įigure 2: Communications with several infrastructure devicesThere are several connections occurring simultaneously to 7 different servers within the infrastructure. However, it’s important to know that most of these servers are not actually owned by TeamViewer. Some of these IP addresses change over time, while others seem to be mostly static. Initial Observationsīy observing the DNS names, we’re able to see that TeamViewer has very easily-identifiable domains and subdomains, and includes several disparate IP address ranges.įigure 1: Identifying IPs and SubdomainsIn fact, at the time of this writing, there are 16 master servers ( master1 – master16), hundreds of normal servers across numerous IP ranges, as well as a number of other publicly-reachable infrastructure devices. Each of these occurrences take advantage of the fact that TeamViewer is a common remote support tool and can aggressively avoid attempts to detect or block it. Additionally, a piece of malware named Skywyder–which I found on the Dark Web sometime in mid 2016–leverages TeamViewer. Since then, the Shade ransomware took advantage of TeamSpy, and– more recently–other spam campaigns have been using it. In 2013, a report came out that discussed how a surveillance tool named TeamSpy had been using TeamViewer for roughly a decade.
TeamViewer has been part of the threat actor’s arsenal for years.
Now it’s time to learn what TeamViewer has up its sleeve. In our first foray into this subject, we learned about the types of techniques LogMeIn uses and how they can circumvent security controls. Given these tools make the network perimeter more permeable than security teams may realize, it is important to know who is initiating the connection, and where the communicating devices reside - especially if this isn’t the approved remote access solution. In the original post of this series, I set the stage for why remote access capabilities should be analyzed more carefully.
0 kommentar(er)
