TeamSpy

TeamSpy is a spying malware infection that is involved in a cyberespionage campaign. TeamSpy uses legitimate applications together with cyber-spying devices, and affects government agencies, businesses, and activists in a number of countries in Eastern Europe. TeamSpy turns a legitimate remote access tool (RAT) TeamViewer produced for desktop sharing, online meetings, web conferencing, and sending files between computers, into a cyberespionage tool and pilfers data from vulnerable computer systems. TeamSpy installs a version of TeamViewer on targeted computer systems. The cybercriminals then extend functionality of TeamViewer with a DLL hijacking exploit to provide additional stealthiness, dynamically patching it in memory to remove indications of its existence. The DLL hijacking emerges courtesy of a module called 'Avicap32', which carries a PE EXE file written in Assembler. That file is stored in the same folder as 'TeamViewer.exe', and when TeamViewer is started it won't display any warnings, pop-up messages, systray icons and will silently keep on operating providing remote access to the corrupted PC.