TerraTV

Cybercriminals often employ legitimate tools in their attacks, but, of course, they take the required measures to modify their features in a corrupted banner. This is the strategy adopted by the TerraTV implant, a Malware-as-a-Service (MaaS) project sold to various cybercriminals. TerraTV is meant to deploy a legitimate copy of the popular TeamViewer client on the compromised system, and then load a threateningly modified DLL & configuration files that change the way TeamViewer operates.

The usage of the TerraTV implant has been attributed to a hacking group classified under the name FIN6 – this is a financially-motivated threat actor whose targets often include online merchants and point-of-sale devices.

TerraTV's payload was usually spread via a legitimate-looking installer that was delivered to the victims via various tricks and techniques – phishing messages, fake downloads, fake websites and more. Once the threatening installer was initialized, the TerraTV implant would be deployed alongside the modified, corrupted version of TeamViewer. TerraTV made sure to make some changes to the way that the software is executed, therefore hiding its icons from the taskbar and notification area. The attackers would then be able to use the stealthy copy of TeamViewer to gain unsupervised access to the compromised system. According to timestamps found in files linked to TerraTV's attacks, the malware was used in 2017 and 2018.

Even though TerraTV makes use of a legitimate tool to execute its attack, you can rest assured that your system can be protected by such attacks if you use an up-to-date anti-malware software suite. On top of relying on advanced anti-virus protection, it also is recommended to avoid interacting with unknown installers and files that do not come from trustworthy sources.