{
	"id": "bb9582b5-402d-4dbc-ad49-6164ef0e335b",
	"created_at": "2026-04-06T00:13:36.461188Z",
	"updated_at": "2026-04-10T13:11:25.191023Z",
	"deleted_at": null,
	"sha1_hash": "899d20dd69009b10e07089e09f16c4b58952a8ef",
	"title": "A deeper look into malware abusing TeamViewer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 609717,
	"plain_text": "A deeper look into malware abusing TeamViewer\r\nBy Jaromír Hořejší 13 Apr 2017\r\nArchived: 2026-04-05 18:23:05 UTC\r\nAnalyzing TeamSpy, malware that gives hackers complete remote control of PCs.\r\nTeamViewer, a remote control program, can be very handy when you need remote IT support. The cybercriminals\r\nbehind TeamSpy, unfortunately, also find the tool to be quite useful and use it to carry out malicious activity.\r\nTeamSpy infects computers by tricking people into downloading a malicious attachment and enabling macros.\r\nAfter that, the malware secretly installs TeamViewer, giving the cybercriminals full control of the infected\r\ncomputer. TeamSpy first appeared back in 2013, which is when CrySyS Lab and Kaspersky Lab published white\r\npapers about its operation. Heimdal Security recently reported that the malware has resurfaced with a targeted\r\nspam campaign. We too have seen an uptick and have therefore decided to take a closer look.\r\nHiding commands\r\nMost malware communicates with a command and control (C\u0026C) server after infecting a device. As the name\r\nsuggests, a C\u0026C server is the control center that sends out commands for malware to carry out. C\u0026C servers are\r\nalso where malware sends back the data it collects. For this communication, malware authors usually implement a\r\ncustom protocol, which can be easily spotted and distinguished from other traffic and thus blocked by antivirus\r\nsolutions. To make it more difficult for antivirus solutions to detect, some malware authors instead use popular remote\r\ncontrol programs, like TeamViewer, taking advantage of their VPN network to better mask the\r\ncommunication between their malware and C\u0026C servers.\r\nHow TeamSpy infects\r\nTeamSpy is spread via spam emails that are designed to trick people into opening an attachment. The attachment\r\nis an Excel file with macros. When the attachment is opened, the following screen appears:\r\nhttps://blog.avast.com/a-deeper-look-into-malware-abusing-teamviewer\r\nPage 1 of 13\n\nWhen the macros are enabled by the targeted person, the infection process begins, running completely in the\r\nbackground, so the victim doesn't notice anything. If we look inside the malicious macro, we can see slightly\r\nobfuscated strings, usually split into one or more substrings, which are later concatenated. The most important\r\npieces of information are circled in red below: a link, from which something is downloaded, and a password, which\r\nwill be used later.\r\nThe link, disk.karelia.pro, is a legitimate Russian service for uploading and sharing files. Although the downloaded\r\nfile appears to be a PNG, it is actually an EXE file, more specifically an Inno Setup installer protected by\r\nthe password.\r\nWith the help of the innounp utility, we were able to easily list or extract the files from the Inno Setup installer\r\nused by the malware. As shown in the listing below, most of the files are regular, digitally signed TeamViewer\r\nbinaries, with the exception of two files - msimg32.dll and tvr.cfg. Tvr.cfg is TeamSpy’s configuration file and will\r\nbe described later; msimg32.dll is the malware itself. Msimg32.dll is a DLL library which is part of the Windows OS.\r\nIn this case, however, TeamSpy abuses the DLL search order, so that the fake msimg32.dll from the current\r\ndirectory is loaded into the process instead of the original msimg32.dll from the Windows/System32 directory. The\r\nmalware itself is in the fake msimg32.dll library.\r\nTeamSpy’s invisibility cloak\r\nNormally when you install TeamViewer, you see a GUI window with an ID and password, which the other\r\nparty needs to know if they want to remotely connect to your computer.\r\nIf TeamSpy successfully infects a PC, nothing is shown - remember, everything runs in the background, so that the\r\nvictim doesn’t notice TeamViewer is installed. This is achieved by hooking many API functions and altering their\r\nbehavior. TeamSpy hooks the following APIs (nearly 50 different APIs):\r\nkernel32.dll\r\nCreateMutexW, CreateDirectoryW, CreateFileW, CreateProcessW, GetVolumeInformationW, GetDriveTypeW,\r\nGetCommandLineW, GetCommandLineA, GetStartupInfoA, MoveFileExW, CreateMutexA\r\nuser32.dll\r\nSetWindowTextW, TrackPopupMenuEx, DrawTextExW, InvalidateRect, InvalidateRgn, RedrawWindow,\r\nSetWindowRgn, UpdateWindow, SetFocus, SetActiveWindow, SetForegroundWindow, MoveWindow,\r\nDialogBoxParamW, LoadIconW, SetWindowLongW, FindWindowW, SystemParametersInfoW,\r\nRegisterClassExW, CreateWindowExW, CreateDialogParamW, SetWindowPos, ShowWindow,\r\nGetLayeredWindowAttributes, SetLayeredWindowAttributes, IsWindowVisible, GetWindowRect, MessageBoxA,\r\nMessageBoxW\r\nadvapi32.dll\r\nRegCreateKeyW, RegCreateKeyExW, RegOpenKeyExW, CreateProcessAsUserW, CreateProcessWithLogonW,\r\nCreateProcessWithTokenW, Shell_NotifyIconW, ShellExecuteW\r\niphlpapi.dll\r\nGetAdaptersInfo\r\nSome hooks block the application’s access to some specific resources, e.g. if RegCreateKey or RegOpenKey\r\nattempt to access the Software\\TeamViewer registry key, the error code ERROR_BADKEY is returned.\r\nHooking GetCommandLine makes TeamViewer think that it was started with a predefined password (instead\r\nof a randomly generated password; TeamViewer users can normally set this password to an arbitrary value by\r\nadding a command line parameter).\r\nHooking SetLayeredWindowAttributes sets the TeamViewer window opacity to 0 (instruction PUSH 0), which\r\naccording to the MSDN documentation means the following: “When bAlpha is 0, the window is completely\r\ntransparent. When bAlpha is 255, the window is opaque.”\r\nHooking CreateDialogParam blocks some dialogs unwanted by the malware from even being created. These\r\ndialogs can be looked up in the file TeamViewer_Resource_en.dll, where they are referenced by numbers such as 10075;\r\nsee the figure below.\r\nIn the case of ShowWindow, the hook defines its own nCmdShow values, 4d2h and 10e1h. If any value other than these is\r\npassed, nothing happens.\r\nProbably the most interesting is the hooking of the CreateWindowEx API. Via a series of class name checks, it\r\nidentifies a window and other window controls that belong to the TeamViewer chat window. With the help of a tool\r\nlike WinSpy++, we can see all the windows belonging to a particular process (even if they are hidden). As you\r\ncan see from the figure below, there is a ControlWin window, which has several TVWidgets. One widget belongs\r\nto the chat - it has two ATL:???????? text edits, one for the chat message history and one for the new chat\r\nmessage, one combo box with a drop down list of chat participants and the button Send. “message 01” is the\r\nreceived message in the chat, “message 02” is the message which will be sent after clicking the “Send” button. The\r\nchat window cannot normally be seen, as the malware runs in the background, but it is possible to patch the\r\nmalware so that the windows are not hidden.\r\nThe code snippet below shows how the malware obtains handles to these window controls. GetWindowLong,\r\nCallWindowProc and SetWindowLong with nIndex = GWL_WNDPROC replace the old address of the window\r\nprocedure of the chat history text edit with a custom window procedure.\r\nThe custom window procedure listens for incoming messages, and based on the window message id, it either\r\nsends a new message or waits for a reply from the C\u0026C server (signalled by an arriving EM_SETCHARFORMAT message).\r\nThe figure below shows how a new message is sent. The malware first sets focus to the new message text edit with\r\nWM_SETFOCUS, then it sets the new message edit text by WM_SETTEXT and at last it clicks on the “Send”\r\nbutton by sending BM_CLICK.\r\nSimilar modifications are applied to most of the 50 APIs listed above. Some patches are very simple, having no\r\nmore than a few instructions, while some patches are very complex, like CreateWindowEx. We will not list all of\r\nthem here; however, the final effect is clear - TeamViewer’s windows are not displayed to the victim. They silently\r\nexist in the system and that’s all.\r\nConfiguration file\r\nTeamSpy’s configuration is stored in the tvr.cfg file. It uses a simple custom encryption algorithm, which can be seen\r\nbelow. It reads the input file and uses the password “TeamViewer”. The algorithm runs two counters, cnt1\r\n(0..number of bytes in tvr.cfg) and cnt2 (0..length of the password). It takes a byte from the password and adds the\r\nresult of the multiplication cnt1*cnt2. This is done for each character of the password. These results are all\r\nXORed, producing one character, which at the end of the loop is XORed with the respective byte from the\r\nconfiguration file. These steps are repeated for all bytes in the configuration file.\r\nThe decrypted configuration file can be seen below. The names of the parameters are mostly self explanatory. The\r\nmost important for us are the password (the infected machine has the password “superpass”) and server1, where the\r\ninfected machine ID is exfiltrated.\r\nPhoning home\r\nThe communication between the infected machine and the C\u0026C server is established soon after the infection\r\nprocess starts. The following request is regularly sent. The names of most parameters can be clearly deduced.\r\nid = TeamViewer ID; the cybercriminals need this ID, which together with the password is enough to remotely\r\nconnect to the infected computer\r\ntout = timeout\r\nidl = idle time\r\nosbt = 32bit/64bit\r\nosv = OS version\r\nosbd = OS build version\r\nossp = service pack\r\ntvrv = TeamViewer version\r\nuname = user name\r\ncname = computer name\r\nvpn = has TeamViewer vpn\r\navr = antivirus solution\r\nWhen we open the C\u0026C server in a web browser, we see the following login page:\r\nChat control\r\nThe infected computer is controlled via TeamViewer. Cybercriminals can connect to the remote computer (they\r\nknow the ID and password for TeamViewer) or they can send commands via the TeamViewer chat, to basically do\r\nwhatever they please on the infected machine. The communication via the TeamViewer chat allows for the basic\r\nbackdoor functionalities to be performed: applist, wcmd, ver, os, vpn, locale, time, webcam, genid. Inside the\r\nTeamSpy code, these commands are compared by their crc32 checksums, so collisions can very easily happen.\r\nBecause crc32(wcmd) = 07B182EB = crc32(aacvqdz), both of these commands are interchangeable.\r\nUsing TeamViewer’s legitimate VPN encrypts the traffic and makes it indistinguishable from legitimate\r\nTeamViewer traffic. Once the machine is infected, the criminals have full access to the computer. They can steal\r\nand exfiltrate sensitive data, download and execute arbitrary programs, and more.\r\nAbusing the legitimate application with sideloading is a clever technique, because not every user checks the\r\nlegitimacy of all the DLL libraries in the same directory. Checking the signature of the main executable does not\r\nreveal anything suspicious and may let the victim think that everything is alright. See the digital signature of the\r\nmain update_w32.exe file below. This file is not malicious.\r\nIt is important to remember that there are more malware classes that abuse TeamViewer, not just TeamSpy. This\r\nblog post just describes one of them. The principle is, however, similar in other malware classes.\r\n5.0 SHAs\r\nXLS with macros\r\nFE7CA42EE57CEDAD4E539A01A1C38E22F3A4EDC197D95237E056AF02F252C739\r\nPassword protected Inno Installer\r\nAD377654518C19BE85FA6BF09570D8D1C8ABA52FFCD83061127851A2DAEF4858\r\nFake msimg32.dll\r\n921FB1D6E783A6CA70BD1399EA5A18C78027D3016BEA6881F132A253F3C97ED6\r\n6.0 and yes, we detect it\r\nSource: https://blog.avast.com/a-deeper-look-into-malware-abusing-teamviewer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.avast.com/a-deeper-look-into-malware-abusing-teamviewer"
	],
	"report_names": [
		"a-deeper-look-into-malware-abusing-teamviewer"
	],
	"threat_actors": [
		{
			"id": "1d8dd2ca-5592-482e-b89d-6a7e1a49f4f6",
			"created_at": "2023-01-06T13:46:38.408359Z",
			"updated_at": "2026-04-10T02:00:02.962242Z",
			"deleted_at": null,
			"main_name": "TeamSpy Crew",
			"aliases": [
				"TeamSpy",
				"Team Bear",
				"Anger Bear",
				"IRON LYRIC"
			],
			"source_name": "MISPGALAXY:TeamSpy Crew",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434416,
	"ts_updated_at": 1775826685,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/899d20dd69009b10e07089e09f16c4b58952a8ef.pdf",
		"text": "https://archive.orkl.eu/899d20dd69009b10e07089e09f16c4b58952a8ef.txt",
		"img": "https://archive.orkl.eu/899d20dd69009b10e07089e09f16c4b58952a8ef.jpg"
	}
}