Wednesday, 09 July 2025

Hacked sites push TeamViewer for remote access

Threat actors are compromising Windows IIS servers to add expired certificate notification pages that prompt visitors to download a malicious fake installer.

Internet Information Services (IIS) is Microsoft Windows web server software included with all Windows versions since Windows 2000, XP, and Server 2003.

As Malwarebytes Threat Intelligence security researchers observed, the malware installed is TVRAT (aka TVSPY, TeamSpy, TeamViewerENT, or Team Viewer RAT). This malware is designed to provide its operators with full remote access to infected hosts.

Once deployed on an infected device, the malware silently installs and launches an instance of the TeamViewer remote control software.

While the method used by the attackers to compromise IIS servers is not yet known, attackers can use various ways to breach a Windows IIS server. For instance, exploit code targeting a critical vulnerability (CVE-2021-31166) found in the HTTP Protocol Stack (HTTP.sys) used by the Windows IIS web server has been publicly available since May.

Microsoft patched this security flaw during the May Patch Tuesday and said it only impacts Windows 10 versions 2004/20H2 and Windows Server versions 2004/20H2.

Source: bleepingcomputer.com

22 September 2021
