"Hacked Sites Push TeamViewer Using Fake Expired Certificate Alert"

Compromised Windows IIS servers are being used to serve fake expired-certificate notification pages that prompt visitors to download a bogus installer. Every Windows version since Windows 2000, XP, and Server 2003 ships Microsoft's web server software, Internet Information Services (IIS), as an installable component. Malwarebytes Threat Intelligence researchers observed that the malware delivered by the fake update installer is signed with a DigiCert-issued certificate, so a valid code signature on its own is not evidence that a download is benign. The payload dropped on infected systems is TVRAT, also known as TVSPY, TeamSpy, TeamViewerENT, or Team Viewer RAT, which gives its operators full remote access to the host. Once deployed, the malware silently installs and launches an instance of the legitimate TeamViewer remote control software and then reports to a command-and-control (C2) server so the attackers know they can remotely take over the newly compromised computer. The exact method the attackers used to compromise the IIS servers remains unknown, but there are several ways to breach a Windows IIS server. For example, proof-of-concept (PoC) exploit code is publicly available for CVE-2021-31166, a critical wormable vulnerability in the HTTP Protocol Stack (HTTP.sys) that IIS uses as its protocol listener for processing HTTP requests; that flaw affects only Windows 10 and Windows Server versions 2004 and 20H2 that lack the May 2021 security update, so it explains at most a subset of exposed IIS hosts. This article continues to discuss the use of Windows IIS servers to spread TVRAT, the vulnerability of IIS servers, and the targeting of Internet-facing IIS servers by state-sponsored threat actors.
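The two checks an IIS administrator would want after reading the above are whether a rogue TeamViewer instance is present on the server and whether the host is even in scope for CVE-2021-31166. The script below is an added example, not code from the Bleeping Computer article or from Malwarebytes; it assumes an elevated PowerShell 5.1 or later session on the IIS host. The affected build numbers (19041 for version 2004, 19042 for 20H2) and the fixing update (KB5003173, which raised those builds to revision 985) are taken from Microsoft's May 2021 release notes; the function and variable names are the example's own.

```powershell
# Added example: triage an IIS host for the TVRAT/TeamViewer payload described above
# and for exposure to CVE-2021-31166. Run elevated; nothing here modifies the host.

function Get-TeamViewerArtifacts {
    # A web server normally has no business running TeamViewer; any hit is worth a look.
    $procs = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -match '^TeamViewer' } |
        Select-Object Id, ProcessName, Path
    $svcs = Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match 'TeamViewer' -or $_.DisplayName -match 'TeamViewer' } |
        Select-Object Name, DisplayName, Status
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'TeamViewer' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation, InstallDate
    [pscustomobject]@{ Processes = $procs; Services = $svcs; Installs = $installs }
}

function Get-SignerInfo {
    # Authenticode signer of each binary. The dropper in this campaign was itself signed
    # with a DigiCert-issued certificate, so record the signer rather than trusting "Valid".
    param([string[]]$Paths)
    foreach ($p in $Paths | Where-Object { $_ -and (Test-Path -Path $_) }) {
        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Path    = $p
            Status  = $sig.Status
            Subject = $sig.SignerCertificate.Subject
            Issuer  = $sig.SignerCertificate.Issuer
        }
    }
}

function Test-Cve202131166Exposure {
    # Only Windows 10 / Windows Server versions 2004 (build 19041) and 20H2 (build 19042)
    # are affected. KB5003173 (May 2021) fixed it and raised the build revision (UBR) to 985;
    # checking UBR is more reliable than Get-HotFix, which drops superseded cumulative updates.
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $ubr   = [int](Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
    $affectedBuild = $build -in @(19041, 19042)
    $patched       = $ubr -ge 985
    $httpSys       = (Get-Service -Name HTTP -ErrorAction SilentlyContinue).Status
    [pscustomobject]@{
        Build          = "$build.$ubr"
        AffectedBuild  = $affectedBuild
        PatchInstalled = $patched
        HttpSysStatus  = $httpSys
        Exposed        = ($affectedBuild -and -not $patched)
    }
}

$tv = Get-TeamViewerArtifacts
$tv.Processes | Format-Table -AutoSize
$tv.Services  | Format-Table -AutoSize
$tv.Installs  | Format-Table -AutoSize
Get-SignerInfo -Paths @($tv.Processes.Path) | Format-Table -AutoSize
Test-Cve202131166Exposure | Format-List
```

An IIS host that reports `Exposed = False` can still have been breached by some other route, which is consistent with the article's point that the initial access vector is unknown; treat the TeamViewer findings, not the CVE check, as the primary indicator of this particular campaign.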

Bleeping Computer reports "Hacked Sites Push TeamViewer Using Fake Expired Certificate Alert"

Submitted by Anonymous on