There are several browsers compatible with DNS over HTTPS (DoH). This protocol lets you encrypt your connection to 1.1.1.1 in order to protect your DNS queries from privacy intrusions and tampering.
Some browsers might already have this setting enabled.
By: Peter Girnus, Aliakbar Zahravi June 20, 2023 Read time: 10 min (2790 words)
This is the third installment of a three-part technical analysis of the fully undetectable (FUD) obfuscation engine BatCloak and SeroXen malware. In this entry, we document the techniques used to spread and abuse SeroXen, as well as the security risks, impact, implications of, and insights into highly evasive FUD batch obfuscators.
The remote access trojan (RAT) SeroXen tool can be purchased on the clearnet. During our investigation, we uncovered multiple domains selling not only this nefarious tool but also a cracked version of it hosted on a popular crack forum. We also uncovered individuals on popular video sites such as YouTube and TikTok acting as distributors for this piece of fully undetectable (FUD) malicious software. At the time of writing, many of these videos remain available for viewing.
In this section, we break down the different platforms that SeroXen uses to spread malware.
Website
Figure 1. SeroXen website
The tool SeroXen sports a sleek website with pages that users might expect from any number of websites selling software on the internet. However, sometime between the last week of May and the first week of June, a new shutdown notice has surfaced on its website due to SeroXen’s popularity and cybercriminal efficacy. Considering the content of the notice, there are strong indications that this shutdown is merely for show and that distribution is still ongoing through other platforms and channels.
Figure 2. SeroXen’s website shutdown notice
Prior to the shutdown notice, we observed the main SeroXen website offering a comprehensive list of features to prospective consumers. Examining some of the core features advertised by SeroXen shows a rich feature selection, including:
A Windows Defender-guaranteed bypass for both scan time and runtime.
FUD scan time and runtime evasion against most antivirus engines.
Hidden Virtual Network Computing (hVNC).
Full modern Windows support.
Figure 3. SeroXen’s features list
In addition to the sophisticated evasion and FUD component, the inclusion of hVNC is concerning as it is often deployed by highly sophisticated types of malware and advanced persistent threat (APT) groups. The hVNC component allows threat actors to operate a hidden or “virtual” desktop rather than the main desktop to keep the malicious sessions in the background running uninterrupted.
Meanwhile, the SeroXen web application provides users with the option to acquire either a monthly license key or a lifetime key using cryptocurrency.
Figure 4. SeroXen monthly subscription (top) and lifetime (bottom) price optionsFigure 5. SeroXen is currently unavailable for purchase at the website
The SeroXen web application also boasts a product support team available from Monday to Friday following a location for a time zone reference in the US. The Telegram account of the developer is also available for messaging, and the relevant channels are still active. At one point, a Discord account might also have been available for contact, although it was already unavailable at the time of this writing.
Figure 6. SeroXen’s product support offers
During our investigation, we encountered the disclosure of the developers and contributors associated with SeroXen’s development. Notably, the list includes the individual who also contributed to the creation of batch obfuscators such as Jlaive, BatCrypt, CryBat, Exe2Bat, and ScrubCrypt. This direct linkage therefore establishes a clear association between these historical FUD batch obfuscators and the SeroXen malware. In June, we also noticed that the website’s acknowledgments included the social media handle of the distributor.
Figure 7. The developers of Jlaive, BatCloak, CryBat, Exe2Bat, ScrubCrypt, and social media distributor’s username acknowledged on the SeroXen website
Social media accounts
While investigating SeroXen’s website, we uncovered a link to a review video hosted on YouTube.
Figure 8. Link to SeroXen review hosted on YouTube
The content is presented as a “review” and facilitated by a reseller. More importantly, it functions not only as an evaluation but also as a promotional advertisement coupled with a tutorial showcasing the capabilities of SeroXen. We found a collection of videos that was also attributed to a reseller of the malware. These videos function to endorse and market SeroXen, reinforcing its presence and appeal within the designated market. Details such as knowledge, discounts offered, and claims of being a distributor indicate the increased likelihood of this user being connected to the owner of the web app.
Figure 9. SeroXen YouTube advertisementsFigure 10. SeroXen distributor selling the malware on YouTube
Certain prospective customers of SeroXen have demonstrated an inclination toward exploring specific aspects associated with illicit activities. Their expressed interest encompasses the use of SeroXen in the context of engaging in potentially unlawful endeavors within the Roblox community.
Figure 11. Prospective customer interested in Roblox cookie theft
For context, Roblox is a widely popular video game with a user base of over 214 million active monthly users across the globe, predominantly comprised of minors, with approximately 67% of the player demographic aged below 16 years. In the US, over half of Roblox players are minors. In Figure 10, the significance of the inquiry lies in the potential risks and impact associated with the theft of the .ROBLOSECURITY cookie from an unsuspecting victim. If successfully stolen, this cookie would grant a threat actor the ability to compromise the targeted Roblox account by overriding two-factor authentication (2FA).
This exchange also highlights the risk associated with highly evasive and modular types of malware — namely, a modular design with the ability to load additional components to create a bigger impact on targeted and unwitting victims. In this instance, the reseller mentions the ability to use SeroXen with Hazard, a stealer with many features, including the capability to steal Discord webhooks.
At one point, the distributor sold SeroXen on Discord, but their accounts have a history of being terminated. In an exchange with a prospective customer on YouTube, a YouTube channel owner shows a clear understanding of how this tool will be used for criminal activity, after which they encourage a prospective customer to get in touch with them since they are a reseller. We also uncovered the reseller’s Twitter profile, which hosted more promotional content for SeroXen.
Figure 12. A reseller’s conversation with a prospective buyer on YouTube (top) and the reseller’s YouTube and Twitter profiles (middle and bottom)
As of this blog entry’s week of publishing, we noted that the social media distributor confirmed that SeroXen’s “sale” (referred to only as “offsale” on the website) is now offline. Still, this mainstream availability and exchange raise substantial concerns, given its occurrence outside the boundaries of underground hacking forums. While researchers and ordinary users alike might expect this kind of complacence and leeway on the darknet, they do not expect the same on a popular mainstream platform such as YouTube. This underscores the potential implications of the exchange, as it indicates that cybercriminals have become bolder in infiltrating mainstream platforms online. In turn, malicious activities and discussions related to illicit cybersecurity practices are now able to infiltrate mainstream online platforms.
Figure 13. SeroXen’s social media distributor confirms the RAT as unavailable for interested buyers/users
Additionally, during the investigation of this reseller’s YouTube profile we uncovered a batch-to-dropper file uploaded to Virus Total around the time of the latest SeroXen promotional video. The name of the batch file matches the username of this reseller’s YouTube profile. This batch attempts to download an infected batch file from Discord and run the infected file that leads to a SeroXen infection.
Figure 14. YouTube reseller includes SeroXen developer’s Telegram handleFigure 15. Reseller names file after uploading to a public repository, matching it with their YouTube profile name
SeroXen’s forum presence
We also discovered that the author of SeroXen actively engages with prominent hacking enthusiast forums to promote and distribute the malware. This strategic use of established forums catering to the hacking community serves as an additional avenue for the author to market and sell SeroXen, expanding its reach.
Figure 16. SeroXen advertisement on a popular hacking forum
Upon investigating the post of SeroXen’s developer, we saw that the author of Jlaive, BatCrypt, CryBat, Exe2Bat, and ScrubCrypt was once again acknowledged as playing a part in the development of SeroXen’s FUD capabilities. Additionally, on another forum, we found a cracked version of SeroXen that allows cybercriminals to bypass the payment requirement set up by the malware’s original developers.
Figure 17. Acknowledgement of developers and contributors in a forum postFigure 18. A cracked version of SeroXen
Examining the prevalence and impact of SeroXen
Throughout our investigation of the scope of infections, we discovered a substantial collection of forum posts containing reports from victims who fell prey to the SeroXen infection. This particular strain of malware showed a notable increase in users reporting their infections, with well-meaning individuals advising victims to implement security and antivirus solutions, which all failed to detect any malicious activity. This then perpetuates a distressing cycle of infections driven by the malware’s FUD capabilities.
Understanding SeroXen infections through an analysis of community discussions
We conducted an analysis on Reddit by analyzing reports of SeroXen infections. Many of these posts reported that the users noticed suspicious actions but were powerless to remediate the ongoing infection.
We went through different forum threads and observed a common theme among the scores of individuals whose systems were infected: they were downloading and executing highly suspect pieces of software hosted on Discord and other file-hosting services related to special interests. We also noticed reports of deceptive batch installers (downloaded from GitHub) claiming to be legitimate software installers or tools for highly sought-after applications and interests like Photoshop, image loggers, TikTok, quality-of-life tools, and Tor, among others. The primary intention behind this fraudulent activity is to lure unsuspecting individuals into unintentionally installing malicious programs that lead to compromise.
Figure 19. A user’s system is infected after they download the game Counter Strike: Global Offensive (CSGO).Figure 20. Samples of users reporting infections
Based on our analysis of the collected samples, one of the largest target communities are gamers playing popular titles such as Roblox, Valorant, Counter Strike, Call of Duty, and Fortnite. These multiplayer online games contain a rich ecosystem of desirable, high-value, and in-game items that make a rich in-game economy, making them a viable target of malicious actors using SeroXen. In particular, theft appears to be the primary motive driving these infections. Over the years, a thriving underground ecosystem has been established for the illicit resale of stolen in-game items, with a particular emphasis on the popular game Roblox via beaming.
What is Roblox beaming?
Within the Roblox community, the unauthorized sale of items, referred to as “beaming” in the community, has proven itself to be an immensely profitable venture for nefarious actors. It is worth noting that certain rare items within Roblox, known as “limiteds,” can command significant prices that reach thousands of dollars in real-world commercial values. Discord has served as fertile ground for buying and selling these items, allowing cybercriminals to exploit and profit from unsuspecting children who fall victim to their schemes.
During our investigation, we uncovered a thriving underground community using Discord to post stolen cookies to beam victims. Frequently, the practice of beaming is employed to generate content specifically intended for popular online platforms like YouTube and TikTok. Numerous individuals, often including minors, are subjected to beaming for the purpose of entertainment. Over the course of our investigation, we also uncovered many instances of beaming tutorials and how-to videos on both TikTok and YouTube.
Figure 21. A .ROBLOSECURITY cookie posted on Discord for beamingFigure 22. Roblox beaming videos on YouTube (top and middle) and TikTok (bottom)Figure 23. Roblox beaming tutorials on TikTok
Furthermore, our findings have revealed that these video platforms frequently function as recruitment platforms, funneling individuals into beaming Discord channels to engage in unethical and detrimental activities.
Figure 24. A Roblox beamer recruitment video on TikTok
FUD batch obfuscation techniques coupled with hVNC-capable toolkits provide actors powerful tools not only for stealing content but also for creating significant psychological distress in communities with a significant number of minors.
Examining SeroXen infections with insights from the Microsoft Support community
During our investigation of the prevalence and impact of SeroXen infections, we also examined posts within the Microsoft Support community. We observed striking similarities between the infection chain reported in this community and the discussions in Reddit. Moreover, a deeper understanding of the actions perpetrated revealed two distinct and concerning patterns. The first pattern involved direct extortion tactics, while the second involved the issuance of threats to victims’ lives through swatting.
Figure 25. Samples of reports seeking help against an extortion attempt (top) and a threat of swatting (bottom) after hackers gain control of users’ infected systems through SeroXen
Conclusion
Considering the capabilities and potential damage resulting from this tool, the costs for entry are low to null (given the cracked versions available online). This means that both cybercriminals and script kiddies experimenting with malware deployments can avail of SeroXen. Depending on the goals of cybercriminals — whether they care for arrests and notoriety or simply want to spread the tool — the sophistication of the infection routines does not appear to match with the chosen methods for distribution. The almost-amateur approach of using social media for aggressive promotion, considering how it can be easily traced, makes these developers seem like novices by advanced threat actors’ standards. That being said, the real-life consequences of abusing highly evasive malware as a tool to threaten other users via swatting and other threats to personal safety remain highly concerning especially as these developers might interact with online communities populated by minors.
The addition of SeroXen and BatCloak to the malware arsenal of malicious actors highlights the evolution of FUD obfuscators with a low barrier to entry. This can be considered an upcoming trend for a range of cybercriminals who can use a wide range of distribution mechanisms like Discord and social media platforms and their features (such as YouTube and short-from videos in TikTok) to push their preferred types of destructive software for abuse. Additionally, this trend also highlights the potential of highly evasive malware to proliferate in communities that host a significant number of minors who might be ill-equipped to confront destructive pieces of malware. Considering the low-to-nil detections in public repositories once a piece of malware is armed with these tools, this evolution presents new challenges to security teams and organizations alike, especially since FUD obfuscation can be used to deliver any kind of imaginable threat, including those that are not yet known.
Parents and guardians are encouraged to proactively familiarize themselves with the contemporary digital dynamics their children use regularly. This includes gaining an understanding of the various online communities that their children participate in, as well as communicating essential safe online practices and skills to their children. Adults are also encouraged to familiarize themselves with the colloquialisms minors use online and the platforms they frequent. By becoming familiar with these areas and simultaneously equipping children with such knowledge, guardians can play a pivotal role in ensuring everyone’s online safety and well-being.
Trend Vision One™️ enables security teams to continuously identify the attack surface, including known, unknown, managed, and unmanaged cyber assets. It automatically prioritizes risks, including vulnerabilities, for remediation, taking into account critical factors such as the likelihood and impact of potential attacks. Vision One offers comprehensive prevention, detection, and response capabilities backed by AI, advanced threat research, and intelligence. This leads to faster mean time to detect, respond, and remediate, improving the overall security posture and effectiveness.
When uncertain of intrusions, behaviors, and routines, assume compromise or breach immediately to isolate affected artifacts or tool chains. With a broader perspective and rapid response, an organization can address these and keep the rest of its systems protected. Organizations should consider a cutting-edge multilayered defensive strategy and comprehensive security solutions such as Trend Micro™ XDR that can detect, scan, and block malicious content across the modern threat landscape.
Our commitment to online safety
Trend Micro is committed to digital safety through our Trend Micro Initiative for Education , our outreach program that aims to improve internet safety awareness, digital literacy, and malware defense capabilities for a safer digital world. Our initiatives and participation for security and safety include but are not limited to:
If you receive a swatting threat or information that an individual is planning to engage in swatting activities, please report it to local law enforcement and/or the Federal Bureau of Investigation (FBI) at 1-800-CALL-FBI immediately.
By: Peter Girnus, Aliakbar Zahravi June 15, 2023 Read time: 7 min (2020 words)
We looked into the documented behavior of SeroXen malware and noted the inclusion of the latest iteration of the batch obfuscation engine BatCloak to generate a fully undetectable (FUD) .bat loader. This is the second part of a three-part series documenting the abuse of BatCloak’s evasion capabilities and interoperability with other malware.
The recent rise of highly sophisticated malware’s ability to evade detection through fully undetectable (FUD) capabilities, low-cost financial accessibility, and minimal skill barriers have created a pervasive threat targeting online communities and organizations. One particular malware known as SeroXen has deployed an advanced, fully undetectable (FUD) technique via highly obfuscated batch files to infect victims with hVNC-(Hidden Virtual Network Computing) capable malware.
This entry is the second installment of a three-part series featuring BatCloak engine, its iterations, and inclusion in SeroXen malware as the main loading mechanism. The first entry, titled “The Dark Evolution: Advanced Malicious Actors Unveil Malware Modification Progression,” looked into the beginnings and evolution of the BatCloak obfuscation engine. The third part of this series, “SeroXen Mechanisms: Exploring Distribution, Risks, and Impact,” analyzes the distribution mechanism of SeroXen and BatCloak, including the security impact and insights of FUD batch obfuscation. As of this writing, a quick online search for SeroXen will show top results for an official website and social media and sharing pages with videos on how to use the remote access trojan (RAT) as if it were a legitimate tool. We will go over these dissemination strategies in the subsequent entry.
SeroXen’s FUD batch patterns
To attain FUD status, the obfuscation patterns employed in SeroXen have shown multilayered tiers in its evolution, evolving from notable predecessors such as Jlaive, BatCloak, CryBat, Exe2Bat, and ScrubCrypt. Notably, the author of these FUD tools is acknowledged as a contributor in various instances, including attributions present on the main SeroXen website and forum posts authored by the individual behind SeroXen.
Examining the SeroXen infection chain
Figure 1. SeroXen infection chain
To successfully initiate the infection process, the targeted user is lured into executing a batch file. These lures are often presented as software-specific to enthusiast groups such as gaming communities. The infection process’ efficiency is enhanced because of the batch file’s FUD capability.
We found a compilation of compromised archives associated with cheats pertaining to prominent game titles. Each of these archives harbors a highly obfuscated batch file that serves as the infection vector initiating a SeroXen infection. Alarmingly, none of the archives exhibited any form of security solution detection. In most instances, these malicious archives are hosted on the Discord CDN (content delivery network) catering to specific interested communities, but they could also be hosted on any number of cloud storage options as well as special interest forums.
Taking a visual representation of a SeroXen sample submitted to a public repository under the false pretense of being a popular online video game cheat, the sample showcases the comprehensive concealment capabilities inherent. Through investigative analysis, we found a consistent pattern in the dimensions of SeroXen’s obfuscated batch files, which commonly exhibit sizes ranging from approximately 10MB to 15MB.
Figure 2. Gaming lures with no detections
Analyzing the obfuscation patterns deployed by SeroXen
To develop a comprehensive understanding of the obfuscation algorithm utilized within SeroXen, we conducted an in-depth examination on a multitude of heavily obfuscated batch files. The figure sample exhibits an obfuscated SeroXen batch payload camouflaged under the guise of a Fortnite hack.
Figure 3. SeroXen obfuscated batch payload
The batch obfuscation patterns implemented by the SeroXen FUD algorithm can be summarized as follows:
Suppression of console output through the inclusion of the directive “@echo off”
Utilization of sophisticated string manipulation techniques to obfuscate the initial “set” command
Assignment of the “set” command to a user-defined variable
Assignment of equal operations (“=”) to a user-defined variable
Utilization of steps 3 and 4 to assign values to the additional user-defined variables
Concatenation of variables at the conclusion of the obfuscation process to construct a command, which is subsequently executed
Furthermore, our investigation showed that the implementation of layered obfuscation techniques alongside the incorporation of superfluous code fragments or “junk code” were employed to impede the analysis of the batch file hindering detections.
Summary of commands executed during the SeroXen infection process
We break down the core commands concatenated and executed in order to infect the victim as follows:
Ensure all batch commands run are suppressed with “@echo off”
Copy the PowerShell executable from System32 to the current directory
Set the current directory
Name this copied PowerShell after the batch filename with an appended .exe, such as <mal_bat>.exe
Use the PowerShell command to decrypt and execute the encrypted payload
Build the final PowerShell command used to decrypt the final payload
Use the static operator to decrypt the final payload
Analyzing the deobfuscated SeroXen batch files
During our technical analysis of FUD-enabled SeroXen batch payloads, we were able to deobfuscate the commands associated with its execution and patch key points in its operation to dump the deobfuscated version.
Figure 4. Deobfuscated SeroXen batch payload
If we compare the deobfuscated sample presented with the highly obfuscated sample (Figure 3), we can demonstrate the core function of the batch script: to generate a series of set commands in an obfuscated manner to evade detection. We see the result of the numerous obfuscated set commands in its deobfuscated equivalent. Throughout the obfuscated batch file, numerous variables are concatenated together to be executed.
The PowerShell command to be executed in the FUD obfuscated batch file is a series of hidden PowerShell commands used to decrypt and deliver the .Net loader.
Figure 6 . Final PowerShell command executed in the SeroXen batch file
The deobfuscated sequence of PowerShell commands decrypt the payload and employ an assembly reflection mechanism to reflectively load it. The essential characteristics of the final sequence of PowerShell commands include:
Decode payload using Base64
Decrypt payload using AES OR XOR algorithm. In the case of AES:
Instantiate an AES decryption object with the cipher block chaining (CBC) mode
Use a Base64 blob for the key and IV
Unzip the payload
Reflectively load the payload
From the next figure, we demonstrate how the C# loader is decrypted from the deobfuscated batch files, after which we unzip the decrypted archive to drop the .Net binary.
We decoded the payload using Base64, which is then AES-decrypted using the deobfuscated Key and IV and finally gunzipped to reveal the .Net loader. This payload is then loaded into memory using reflection.
Figure 7. Using Python to decrypt the .Net loader
Deep dive into SeroXen builder
Figure 8. Obfuscated builder
The SeroXen builder binary file is protected by the Agile .NET. After unpacking the functions and builder resources, this section shows that SeroXen is a modified version of Quasar RAT with a rootkit and other modifications, such as adopting the loader builder Jlaive and BatCloak obfuscation engine to generate a FUD .bat loader. The evolution and technical analysis of Jlaive and BatCloak was discussed in part 1 of this series.
Figure 9 . Unpacked builder resources (left) and builder function names (right) a modified version of Quasar RAT in its arsenalFigure 10. SeroXen builder adopting Jlaive and BatCloak source codes
As of this writing, SeroXen offers monthly and lifetime key options for purchase online, as well as instructions for using the RAT. We go over this in detail in the third installment of this series as part of the cybercriminals’ distribution strategies.
Figure 11. SeroXen builder usage instruction
SeroXen payload generation process
Upon pressing the “build” button, the builder writes the user-given configuration to the pre-compiled file called “client.bin,” and this produces the Quasar RAT payload and passes it to a function called “Crypt.”
Figure 12. SeroXen vs Quasar RAT payload generation
The Crypt function employs the Jlaive crypter multi-stage loader generator and BatCloack obfuscator source code to produce undetectable loaders. This function first reads the Quasar RAT payload content and verifies if it is a valid .NET assembly. Crypt then patches some string and opcode within the binary and encrypts it using the AES algorithm with CBC cipher mode, and saves it as “payload.exe.”
Figure 13. Payload encryption and obfuscation process
Much like a Jlaive crypter, the builder takes in user configuration and produces the first loader. This is achieved using a C# template file, “Quasar.Server.Stub.cs,” found embedded within its resources. The author has integrated an extra functionality in this adapted version of the Jlaive CreateCS function such as API unhooking.
Figure 14. Create C# loader
Apiunhooker.dll is an open-source project called “SharpUnhooker,” which is a C#-based universal API unhooker that automatically Unhooks API Hives (i.e., ntdll.dll, kernel32.dll, advapi32.dll, and kernelbase.dll). This technique is used to attempt evading user-land monitoring done by antivirus technologies and/or endpoint detection and response (EDR) solutions by cleansing or refreshing API DLLs that loaded during the process.
The builder subsequently compiles the C# loader stub, adding necessary files and dependencies such as encrypted Quasart RAT (payload.exe) and SharpUnhooker (Apiunhooker.dll) to its resources.
Figure 15. C# loader compilation
Next, the builder compresses the C# loader, encrypts it using AES/XOR (depending on the configuration), and encodes it in Base64. Finally, it creates a batch file and includes the encoded C# loader binary into it. It also manages the compression, decoding, and decryption processes using an obfuscated PowerShell script, which is also appended to the batch file.
The batch file’s role is to deobfuscate the PowerShell script and execute it. This PowerShell script scans the content of the batch file for the value following “::“, extracts this value, decodes it, decompresses it, decrypts it, and finally executes it in memory.
Figure 16. Creating and writing encrypted data to a batch file, and deleting temporary filesFigure 17. Generating an obfuscated batch loader (top) and PowerShell loader (bottom)
Two PowerShell templates, “Qusar.Server.AESStub.ps1” and “Quasar.Server.XORStub.ps1,” exist in the resource section of the builder. Depending on the configuration, one of these will be loaded and utilized.
Figure 18. PowerShell stub
Conclusion
In this entry, we include a Yara rule that organizations and security teams can use to detect SeroXen obfuscated batch files. Additionally, here’s a PowerShell script that can reveal the final deobfuscated batch file and commands to be run.It is critically important that this PowerShell script be run in an isolated malware sandbox.This script can be used to deobfuscate the SeroXen batch file where security teams can inspect its output file for the PowerShell command to be executed in the deobfuscation routine. By inspecting this deobfuscated payload, the analyst can grab the Key and IV from the PowerShell command to decrypt the final payload.
Overall, SeroXen is a full-feature remote administration tool (RAT) coded in C# and built using a combination of various open-source projects that work together to generate a FUD payload. Reportshaveemerged of SeroXen being abused for several infections and attacks. We foresee the evolved BatCloak engine at the core of SeroXen’s FUD capabilities as the BatCloak obfuscation engine continues to evolve and be used as a FUD tool for future malware attacks.
Individuals are strongly advised to adopt a skeptical stance when encountering links and software packages associated with terms such as “cheats,” “hacks,” “cracks,” and other pieces of software related to gaining a competitive edge. Users, developers, gamers, and enthusiasts are also advised to exercise caution when executing batch files obtained from the internet. Additionally, organizations are encouraged to stay vigilant against phishing attacks that might attempt to entice users to download and run batch installers (e.g., scripting and automation of repetitive tasks).
Organizations should consider employing a cutting edge multilayered defensive strategy and comprehensive security solutions, such as Trend Micro™ XDR, that can detect, scan, and block malicious content such as SeroXen and BatCloak across the modern threat landscape. An extended detection and response capability across endpoint, servers, workloads, email, network, cloud, and identity observed from a single platform like Trend Vision One™️ can mitigate these risks by considering adversarial tactics, techniques, and procedures (TTPs) to profile the entirety of a routine. Learn more about how the Zero Day Initiative (ZDI) bug bounty program rewards researchers for responsible vulnerability disclosure as well as protects organizations globally and stay up to date on the latest news regarding mission critical security patches.
By: Peter Girnus, Aliakbar Zahravi June 09, 2023 Read time: 3 min (681 words)
We look into BatCloak engine, its modular integration into modern malware, proliferation mechanisms, and interoperability implications as malicious actors take advantage of its fully undetectable (FUD) capabilities.
UPDATE as of 6/15/2023 7:30PM (PHT): We’ve updated this entry to include indicators of compromise (IOCs) for BatCloak.
In our recent investigation, we discovered the use of heavily obfuscated batch files utilizing the advanced BatCloak engine to deploy various malware families at different instances. Running analysis and sample collection from September 2022 to June 2023, we found that these batch files are designed to be fully undetectable (FUD) and have demonstrated a remarkable ability to persistently evade security solutions. As a result, threat actors can load various malware families and exploits by leveraging highly obfuscated batch files seamlessly. Our initial research titled “The Dark Evolution: Advanced Malicious Actors Unveil Malware Modification Progression” delves into the continuing evolution of BatCloak, uncovering the modifications that have propelled modern malware to new levels of security evasion.
This is the first entry in a three-part technical research series taking an in-depth look at the continuing evolution of the highly evasive batch obfuscation engine BatCloak. The second part of this series, “SeroXen Incorporates Latest BatCloak Engine Iteration,” will look into the remote access trojan (RAT) SeroXen, a piece of malware gaining popularity for its stealth and, in its latest iterations, targets gamers, enthusiast communities, and organizations. Aside from the RAT’s own tools, we will look into the updated BatCloak engine included as SeroXen’s loading mechanism. The third and last part of this series, “SeroXen Mechanisms: Exploring Distribution, Risks, and Impact,” will detail the distribution mechanisms of SeroXen and BatCloak. We also include our security insights on the community and demographic impact of this level of sophistication when it comes to batch FUD obfuscation.
Defying detection: A preview of BatCloak engine’s efficacy
We analyzed hundreds of batch samples sourced from a public repository. The results showed a staggering 80% of the retrieved samples exhibiting zero detections from security solutions. This finding underscores the ability of BatCloak to evade traditional detection mechanisms employed by security providers. Moreover, when considering the overall sample set of 784, the average detection rate was less than one, emphasizing the challenging nature of identifying and mitigating threats associated with BatCloak-protected pieces of malware.
Figure 1. BatCloak detection counts from a public repository; samples and detection results collected from September 2022 to June 2023
Understanding the evolving landscape of advanced malware techniques such as FUD obfuscator BatCloak enables us to develop more effective strategies for combating the ever-evolving threats posed by these sophisticated adversaries. These findings highlight the pressing need for enhanced approaches to malware detection and prevention, such as a cutting-edge multilayered defensive strategy and comprehensive security solutions.
Security teams and organizations are advised to exercise a zero-trust approach. Teams should implement solutions capable of combining multiple rules, filters, and analysis techniques, including data stacking and machine learning to address the need for precise detection, as these tools can analyze individual and dynamic file signatures and observe patterns via heuristics and behavioral analysis. When uncertain of intrusions, behaviors, and routines, assume compromise or breach immediately to isolate affected artifacts or tool chains. With a broader perspective and rapid response, an organization can address these and keep the rest of its systems protected. Multilayered technologies and solutions, such as Trend Micro XDR™️, efficiently monitor, detect, and block tiered threats and attacks, as well as their clones and modified versions.
Instead of marking the end of an infection or an attack prior to the target because of siloed solutions, an extended detection and response capability across endpoint, servers, workloads, email, network, cloud, and identity observed from a single platform like Trend Vision One™️ can mitigate these risks by considering adversarial tactics, techniques, and procedures (TTPs) to profile the entirety of a routine. Trend Vision One also correlates with a connected threat intelligence system and rapidly prioritizes and responds with the necessary security and defensive actions as far left of the routine as possible.
Download the first part of our analysis on BatCloak engine here, and the indicators of compromise (IOCs) here and below :
By: Lucas Silva, RonJay Caragay, Arianne Dela Cruz, Gabriel Cardoso June 30, 2023 Read time: 7 min (1889 words)
Recently, the Trend Micro incident response team engaged with a targeted organization after having identified highly suspicious activities through the Targeted Attack Detection (TAD) service. In the investigation, malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations. In this case, the distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer.
Advertising platforms like Google Ads enable businesses to display advertisements to target audiences to boost traffic and increase sales. Malware distributors abuse the same functionality in a technique known as malvertising, where chosen keywords are hijacked to display malicious ads that lure unsuspecting search engine users into downloading certain types of malware.
The targeted organization conducted a joint investigation with the Trend team and discovered that cybercriminals performed the following unauthorized and malicious activities within the company’s network:
Stole top-level administrator privileges and used these privileges to conduct unauthorized activities
Attempted to establish persistence and backdoor access to the customer environment using remote management tools like AnyDesk
Attempted to steal passwords and tried to access backup servers
It is highly likely that the enterprise would have been substantially affected by the attack if intervention had been sought later, especially since the threat actors had already succeeded in gaining initial access to domain administrator privileges and started establishing backdoors and persistence.
The following chart represents how the infection starts.
Figure 1. Infection chain of the observed attack
In the following sections, we discuss the details of this case: how threat actors made the initial access, what kind of attacks they carried out, and the lessons that can be drawn from this event.
Deep dive into the infection chain
The infection starts once the user searches for “WinSCP Download” on the Bing search engine. A malicious ad for the WinSCP application is displayed above the organic search results. The ad leads to a suspicious website containing a tutorial on how to use WinSCP for automating file transfer.
Figure 2. A suspicious site from a malvertisement
From this first page, the user is then redirected to a cloned download webpage of WinSCP (winsccp[.]com). Once the user selects the “Download” button, an ISO file is downloaded from an infected WordPress webpage (hxxps://events.drdivyaclinic[.]com). Recently, the malicious actor changed their final stage payload URL to the file-sharing service 4shared.
Figure 3. Malicious download site
The overall infection flow involves delivering the initial loader, fetching the bot core, and ultimately, dropping the payload, typically a backdoor.
In summary, the malicious actor uses the following malvertising infection chain:
A user searches for an application by entering a search term in a search bar (such as Google or Bing). In this example, the user wants to download the WinSCP application and enters the search term “WinSCP Download” on the Bing search bar.
Above the organic search results, the user finds a malvertisement for the WinSCP application that leads to a malicious website.
Once the user selects the “Download” button, this begins the download of an ISO file to their system.
On Twitter, user @rerednawyerg first spotted the same infection chain mimicking the AnyDesk application. Once the user mounts the ISO, it contains two files, setup.exe and msi.dll. We list the details of these two files here:
Setup.exe: A renamed msiexec.exe executable
Msi.dll: A delayed-loaded DLL (not loaded until a user’s code attempts to reference a symbol contained within the DLL) that will act as a dropper for a real WinSCP installer and a malicious Python execution environment responsible for downloading Cobalt Strike beacons.
Figure 4. The files downloaded once a user mounts the ISO
Once setup.exe is executed, it will call the msi.dll that will later extract a Python folder from the DLL RCDATA section as a real installer for WinSCP to be installed on the machine. Two installations of Python3.10 will be created — a legitimate python installation in %AppDataLocal%\Python-3.10.10 and another installation in %Public%\Music\python containing a trojanized python310.dll. Finally, the DLL will create a persistence mechanism to make a run key named “Python” and the value C:\Users\Public\Music\python\pythonw.exe.
Figure 5. The run key named “Python”
When the executable pythonw.exe starts, it loads a modified/trojanized obfuscated python310.dll that contains a Cobalt Strike beacon that connects to 167[.]88[.]164[.]141.
The following command-and-control (C&C) servers are used to obtain the main beacon module:
File name
C&C
pp.py
hxxps://167.88.164.40/python/pp2
work2.py
hxxps://172.86.123.127:8443/work2z
work2-2.py
hxxps://193.42.32.58:8443/work2z
work3.py
hxxps://172.86.123.226:8443/work3z
Multiple scheduled tasks executing batch files for persistence were also created in the machine. These batch files execute Python scripts leading to in-memory execution of Cobalt Strike beacons. Interestingly, the Python scripts use the marshal module to execute a pseudo-compiled (.pyc) code that is leveraged to download and execute the malicious beacon module in memory.
The Trend Vision One™ platform was able to generate the following Workbench for the previously mentioned kill chain.
Figure 6. Kill chain for the executed malware
The threat actor used a few other tools for discovery in the customer’s environment. First, they used AdFind, a tool designed to retrieve and display information from Active Directory (AD) environments. In the hands of a threat actor, AdFind can be misused for enumeration of user accounts, privilege escalation, and even password hash extraction.
In this case, the threat actor used it to fetch information on the operating system using the command adfind.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName. The command specifies that it wants to retrieve the values of the name, common name (CN), operating system, and dNSHostName attributes for each computer object and output its result in a CSV format.
The threat actor used the following PowerShell command to gather user information and to save it into a CSV file:
We also observed that the threat actor used AccessChk64, a command-line tool developed by Sysinternals that is primarily used for checking the security permissions and access rights of objects in Windows. Although the threat actor’s purpose for using the tool in this instance is not clear, it should be noted that the tool can be used for gaining insights on what permissions are assigned to users and groups, as well as for privilege escalation and the identification of files, directories, or services with weak access control settings.
The threat actor then used findstr, a command-line tool in Windows used for searching strings or regular expressions within files by using the command findstr /S /I cpassword \\<REDACTED>\sysvol\<REDACTED>\policies\*.xml.
It is possible that the purpose of this command is to identify any XML files that contain the string cpassword. This is interesting from a security context since cpassword is associated with a deprecated method of storing passwords in Group Policy Preferences within AD.
Figure 7. How finsdtr is used in the attack
We also observed the execution of scripts with PowerShell. For instance, the command IEX (New-Object Net.Webclient).DownloadString(‘hxxp://127[.]0[.]0[.]1:40347/’); Invoke-FindLocalAdminAccess -Thread 50” it invokes a PowerShell function called Invoke-FindLocalAdminAccess and passes the parameter -Thread with a value of 50. This function is likely part of a script that performs actions related to finding local administrator access on a system.
Another PowerShell script used by the threat actor was PowerView. PowerView, which belongs to the PowerSploit collection of scripts used to assist in penetration testing and security operations, focuses on AD reconnaissance and enumeration and is commonly used by threat actors to gather information about the AD environment.
PowerShell Expand-Archive command was used to extract the ZIP files.
WMI was used to launch CoBeacon remotely across the environment.
C:\WINDOWS\system32\cmd.exe /C wmic /NODE:”<REDACTED>” process call createC:\users\public\videos\python\pythonw.exe C:\users\public\videos\python\work2-2.py
To obtain high-privileged credentials and escalate privileges, the threat actor used a Python script also containing the marshal module to execute a pseudo-compiled code for LaZagne. Another script to obtain Veeam credentials following the same structure was also identified in the environment.
PsExec, BitsAdmin, and curl were used to download additional tools and to move laterally across the environment.
The threat actor dropped a detailed KillAV BAT script (KillAV is a type of malicious software specifically designed to disable or bypass antivirus or antimalware programs installed on a target system) to tamper with Trend protections. However, due to the agent’s Self-Protection features and VSAPI detections, the attempt failed. The threat actors also made attempts to stop Windows Defender through a different KillAV BAT script.
Finally, the threat actor installed the AnyDesk remote management tool (renamed install.exe) in the environment to maintain persistence.
Figure 8. Remote management tool installed for persistence
After a diligent and proactive response, the attacker was successfully evicted from the network before they could reach their goal or execute their final payload. The incident response team also presented immediate countermeasures as well as medium- and long-term security procedures for implementation.
BlackCat uses the same tools, techniques, and procedures (TTPs)
In another investigation, following the same TTPs described previously described, we were able to identify that this activity led to a BlackCat (aka ALPHV) infection. Along with other types of malware and tools already mentioned, we were able to identify the use of the anti-antivirus or anti-endpoint detection and response (EDR) SpyBoyterminator in an attempt to tamper with protection provided by agents.
In order to exfiltrate the customer data, the threat actor used PuTTY Secure Copy client (PSCP) to transfer the gathered information. Investigating one of the C&C domains used by the threat actor behind this infection also led to the discovery of a possible related Cl0p ransomware file.
Figure 9. Files indicating possible Cl0p ransomware file
Conclusion and recommendations
In recent years, attackers have become increasingly adept at exploiting vulnerabilities that victims themselves are unaware of and have started employing behaviors that organizations do not anticipate. In addition to a continuous effort to prevent any unauthorized access, early detection and response within an organization’s network is critical. Immediacy in remediation is also essential, as delays in reaction time could lead to serious damage.
By understanding attack scenarios in detail, organizations can not only identify vulnerabilities that could lead to compromise and critical damage but also take necessary measures to prevent them.
Organizations can protect themselves by taking the following security measures:
Educate employees about phishing. Conduct training sessions to educate employees about phishing attacks and how to identify and avoid them. Emphasize the importance of not selecting suspicious links and not downloading files from unknown sources.
Monitor and log activities. Implement a centralized logging system to collect and analyze logs from various network devices and systems. Monitor network traffic, user activities, and system logs to detect any unusual or suspicious behavior.
Define normal network traffic for normal operations. Defining normal network traffic will help identify abnormal network traffic, such as unauthorized access.
Improve incident response and communication. Develop an incident response plan to guide your organization’s response in case of future breaches. Establish clear communication channels to inform relevant stakeholders, including employees, customers, and regulatory bodies, about a breach and the steps being taken to address it.
Engage with a cybersecurity professional. If your organization lacks the expertise or resources to handle the aftermath of a breach effectively, consider engaging with a reputable cybersecurity firm to assist with incident response, forensic analysis, and security improvements.
Indicators of Compromise (IOCs)
The full list of IOCs can be found here and below :
Office 365 requires connectivity to the Internet. The endpoints below should be reachable for customers using Office 365 plans, including Government Community Cloud (GCC).
Start with Managing Office 365 endpoints to understand our recommendations for managing network connectivity using this data. Endpoints data is updated as needed at the beginning of each month with new IP Addresses and URLs published 30 days in advance of being active. This cadence allows for customers who don’t yet have automated updates to complete their processes before new connectivity is required. Endpoints may also be updated during the month if needed to address support escalations, security incidents, or other immediate operational requirements. The data shown on this page below is all generated from the REST-based web services. If you’re using a script or a network device to access this data, you should go to the Web service directly.
Endpoint data below lists requirements for connectivity from a user’s machine to Office 365. For detail on IP addresses used for network connections from Microsoft into a customer network, sometimes called hybrid or inbound network connections, see Additional endpoints for more information.
The endpoints are grouped into four service areas representing the three primary workloads and a set of common resources. The groups may be used to associate traffic flows with a particular application, however given that features often consume endpoints across multiple workloads, these groups can’t effectively be used to restrict access.
Data columns shown are:
ID: The ID number of the row, also known as an endpoint set. This ID is the same as is returned by the web service for the endpoint set.
Category: Shows whether the endpoint set is categorized as Optimize, Allow, or Default. This column also lists which endpoint sets are required to have network connectivity. For endpoint sets that aren’t required to have network connectivity, we provide notes in this field to indicate what functionality would be missing if the endpoint set is blocked. If you’re excluding an entire service area, the endpoint sets listed as required don’t require connectivity.You can read about these categories and guidance for their management in New Office 365 endpoint categories.
ER: This is Yes if the endpoint set is supported over Azure ExpressRoute with Office 365 route prefixes. The BGP community that includes the route prefixes shown aligns with the service area listed. When ER is No, this means that ExpressRoute is not supported for this endpoint set.Some routes may be advertised in more than one BGP community, making it possible for endpoints within a given IP range to traverse the ER circuit, but still be unsupported. In all cases, the value of a given endpoint set’s ER column should be respected.
Addresses: Lists the FQDNs or wildcard domain names and IP address ranges for the endpoint set. Note that an IP address range is in CIDR format and may include many individual IP addresses in the specified network.
Ports: Lists the TCP or UDP ports that are combined with listed IP addresses to form the network endpoint. You may notice some duplication in IP address ranges where there are different ports listed.
Note
Microsoft has begun a long-term transition to providing services from the cloud.microsoft namespace to simplify the endpoints managed by our customers. If you are following existing guidance for allowing access to required endpoints as listed below, there’s no further action required from you.
Default Optional Notes: Some Office 365 features require endpoints within these domains (including CDNs). Many specific FQDNs within these wildcards have been published recently as we work to either remove or better explain our guidance relating to these wildcards.
Default Optional Notes: Connection to the speech service is required for Office Dictation features. If connectivity is not allowed, Dictation will be disabled.
No
officespeech.platform.bing.com
TCP: 443
147
Default Required
No
*.office.com, www.microsoft365.com
TCP: 443, 80
152
Default Optional Notes: These endpoints enables the Office Scripts functionality in Office clients available through the Automate tab. This feature can also be disabled through the Office 365 Admin portal.
A TeamViewer company profile allows the ability within the TeamViewer Management Consoleto manage user permissions and access centrally.
Company admins can add existing users to the license and create new TeamViewer accounts. Both will allow users to log into any TeamViewer application and license the device so they may make connections.
Before starting
It is highly recommended to utilize a Master Account for a company profile, which will be the account that manages all licenses and users.
Each company profile must have one TeamViewer Core multi-userlicense activated; this license can be combined with other licenses of the TeamViewer product family (e.g., Assist AR, Remote Management, IoT, etc. ), but cannot be combined with another TeamViewer Core license.
📌Note: If a company admin attempts to activate a second TeamViewer license, they will need to choose between keeping the existing license or replacing it with the new license.
📌Note: In some cases (with older company profiles and an active perpetual license), multiple core TeamViewer licenses may be activated to one company profile. One subscription license may be added to an existing perpetual license for such company profiles.
License management
Through the TeamViewer Management Console, company admins can manage the licensing of their users directly, including:
Assign/un-assign the license to various members of the company profile.
Reserve one or more channels for specific teams or persons via Channel Groups.
💡Hint: To ensure the license on your company profile best matches your use case, we highly recommend reaching out to our TeamViewer licensing experts.You may find local numbers here.
How to create a company profile
To create a company profile, please follow the instructions below:
On the left-hand side, under the Company header, select User management
In the text box provided, enter the desired company name and click Create.
📌Note: The name of a company profile must be unique and cannot be re-used. If another company profile already uses a name, an error will appear, requesting another name be used instead.
Once the company profile is created, User management will load with the user that created the company profile as a company administrator.
How to add a new user
To add a new user, please follow the instructions below:
Under User management, click the icon of a person with a + sign. Click on Add user.
On the General tab, add the user’s name and email address and enter a password for the user and click Add user.
💡Hint: Other settings for the user can be adjusted under Advanced, Licenses, and Permissions.
The user will now appear under the User management tab. An email is sent to the user with instructions on activating their account.
📌Note: If the user does not activate their account via email, they will receive an error that the account has not yet been activated when trying to sign in.
How to add an existing user
Users that already have an existing TeamViewer account can request to join a company profile using a few simple steps:
Under User management, click the icon of a person with a + sign. Select Add existing account.
Once the user opens the link within a browser, they must sign in with their TeamViewer account. Once logged in, they will be prompted to enter the email address of the company administrator. Once completed, they must tick the box I allow to transfer my account and click Join Company.
The company admin will receive a join request via email. The user will appear in user management, where the company admin can approve or decline the addition of the user to the company profile
📌Notes:
Every user that joins a company profile will be informed that the company admin will take over full management of their account, including the ability to connect to and control all their devices. It is recommended never to join a company profile the user does not know or fully trust.
A user can only be part of one company profile.
How to set user permissions
Users of a company profile have multiple options that can be set by the current company admin, including promoting other users to administrator or company administrator. Permissions are set for each user individually. To access user permissions:
In the User management tab, hovering the cursor over the desired user’s account will produce a three-dots menu (⋮) to the far right of the account. Click this menu and select Edit user from the drop-down.
Once in Edit user, select the Permissions tab. Overall permissions for the account can be changed using the drop-down under the Role header.
Four options are available:
Company administrator: Can make changes to company settings, other administrator accounts, and user accounts.
User administrator: Can make changes to other user accountsbut cannot change company settings or company administrator accounts.
Member: Cannot change the company profile or other users.
Customized permissions: The company admin sets permissions for each aspect of the account.
Once the appropriate role is selected, click Save in the window’s upper-left corner.
📌Note: Changes to user permissions are automatic once saved.
How to remove/deactivate/delete users
Along with adding new or existing accounts, company admins can remove, deactivate, or even delete users from the company profile.
📌Note: A current company admin of that license can only remove a TeamViewer account currently connected to a company profile. TeamViewer Customer Support is unable to remove any account from a company profile.
To remove, deactivate or delete an account, please follow the instructions below:
In the User management tab, hovering the cursor over the desired user’s account will produce a three-dots menu (⋮) to the far right of the account. In the drop-down menu that appears are the three options
Select Delete account, Remove user or Deactivate user.
Consequences of deleting an account
When an account is deleted, the account is not only removed from the company profile but deleted from TeamViewer altogether. The user can no longer use the account or access any information associated with it as it no longer exists.
📌Note: When an account is deleted, the email address associated with the account can be re-used to create a new TeamViewer account.
When a TeamViewer account is deleted from a company profile:
Connection reports, custom modules, and TeamViewer/Remote management policies will be transferred to the current company admin.
Web API Tokens for the deleted user are logged out, and their company functionality is removed
License activations are removed from the deleted user’s account
Shared groups from the deleted user’s account are deleted.
Once the company admin checks the box to confirm that this process cannot be undone, the Delete account button becomes available. Once pressed, the account is deleted.
📌Note: Deletion of any TeamViewer account deletion is irreversible. Only a new account can be created after deletion. All user data will be lost.
Remove user
When an account is removed, the account is removed from the company profile and reverted to a free TeamViewer account. The account is reverted to a free account, and the user is still able to log in with the account. All information associated with the account is still accessible.
When an account is removed from a company profile:
Connection reports, custom modules, and TeamViewer /Remote management policies will be transferred to the current company admin.
Contacts in the contact bookare transferred to the current company admin
Web API Tokens for the user’s account are logged out and their company functionality is removed
License activations are removed from the user’s account
📌Note: Groups & devices in the Computers & Contacts of the removed user’s account are not affected. Any groups shared also will remain shared.
Once the company admin checks the box to confirm that this process cannot be undone, the Remove user button becomes available. Once pressed, the account is removed from the company profile and reverted to a free TeamViewer account.
📌Note: Once a user account is removed from the current company profile, it can request to join another company profile.
Deactivate user
When an account is deactivated, the account is reverted to inactive. The deactivated account is still associated with the company profile but cannot be used to log into TeamViewer on a free or licensed device. The account is rendered completely unusable.
📌Note: When an account is deactivated, the email address associated with the account cannot be used to create a new free TeamViewer account.
💡Hint: To view inactivated users within the company profile, select the drop-down menu under User Status and check the box for Inactive. All inactive users will now appear in user management.
How to reactivate inactive users
When Deactivate user is selected, the account disappears from user management. They are, however, still a part of the Company Profile and can be reactivated back to the license instantly at any time.
To view inactivated users within the company profile, select the menu under User Status and check the box for Inactive. All inactive users will now appear in user management.
Once the user is located, hover the cursor over the account. Select the three-dots menu (⋮) to the right of the user’s account and select Activate user
The user’s original permissions status is reverted, and the account can again be used with any TeamViewer device.
Troubleshooting
Below you will find answers to some common issues encountered when interacting with a company profile.
▹User(s) on a company profile show a free license
In some cases, older users on a company profile may appear as ‘free’ users, especially after upgrading or changing a license. The company admin can resolve this:
Click Company administration on the left-hand side:
Select the Licenses tab and locate the license. Hovering the cursor over the license will produce a three-dots menu (⋮). Click the menu and select Assign from the drop-down.
The users who show ‘free’ will appear in Unassigned. Select the desired users and click the Add button at the bottom of the page.
📌Note: Affected users should log out and then back in to see the licensing changes.
▹Your account is already associated with a company
If a user who is already associated with one company profile attempts to join another company profile, the following pop-up will appear:
The user’s account must be removed from the current company profile to resolve this. The steps required vary depending on whether it is their active or expired company profile or if they are associated with a company profile created by another account.
SCENARIO 1: As company administrator of an active company profile
If a user who created a company profile wishes to delete the company profile associated with their account, they will need to perform the following steps:
Remove all other accounts: Before deleting a company profile, the company admin must remove all other accounts. Perform these steps for each user on the company profile
Remove the company admin account: Once all other accounts have been removed, the company admin will remove their account. This will delete the company profile altogether
The user is immediately logged out and can now follow the process to add their account to an existing company profile
SCENARIO 2: As company administrator of an expired company profile
In some cases, the user may have created a company profile on an older license that is no longer used or active. In such cases, the company profile will appear as expired in the Management Console.
In such cases, it is still possible to delete the company profile:
Click Company administration on the left-hand side.
On the General tab, select Delete company.
A pop-up will appear confirming the request to delete the company profile. Check the box at the bottom to validate, and select Delete company.
SCENARIO 3: The account is a member of a company profile
📌Note: Only a company administrator can remove a user from their company profile – not even TeamViewer can remove a user from a company profile, regardless of the request’s origin.
If the user is a member of another company profile, they will need to contact the company admin of that license to request removal.
Once removed, they can then request to join the correct company profile.
You have the possibility to restrict remote access to your device by using the Block and Allowlist feature in the TeamViewer full version and the TeamViewer Host.
You can find the feature easily by clicking in your TeamViewer full version on the Gear icon (⚙) in the upper right corner of the TeamViewer (Classic) application, then Security ➜ Block and Allowlist.
Let´s begin with the difference between a blocklist and an allowlist.
This article applies to all TeamViewer (Classic) users.
What is a Blocklist?
The Blocklist generally lets you prevent certain partners or devices from establishing a connection to your computer. TeamViewer accounts or TeamViewer IDs on the blocklist cannot connect to your computer.
📌Note: You will still be able to set up outgoing TeamViewer sessions with partners on the blocklist.
What is an Allowlist?
If you add TeamViewer accounts to the Allowlist, only these accounts will be able to connect to your computer. The possibility of a connection to your computer through other TeamViewer accounts or TeamViewer IDs will be denied
If you have joined a company profile with your TeamViewer account, you can also place the entire company profile on the Allowlist. Thus only the TeamViewer accounts that are part of the company profile can access this device.
📌Note: To work with a company profile you will need a TeamViewer Premium or Corporate license
How to set up a Blocklist?
If you would like to deny remote access to your device to specific persons or TeamViewer IDs, we recommend setting up a Blocklist.
You can find the feature easily by clicking in your TeamViewer full version on the Gear icon (⚙) in the upper right corner of the TeamViewer (Classic) application, then Security ➜ Block and Allowlist ➜ Click on Configure…
A new window will open. Activate the first option Deny access for the following partners and click on Add
📌Note: If you activate the Also apply for meetings check box, these settings will also be applied to meetings. Contacts from your blocklist are excluded from being able to join your meetings.
After clicking on Add, you can either choose partners saved on your Computers & Contacts list or add TeamViewer IDs/contacts manually to your blocklist.
How to set up an Allowlist?
If you would like to allow only specific TeamViewer accounts or TeamViewer IDs remote access to your device, we recommend setting up an Allowlist.
You can find the feature easily by clicking in your TeamViewer full version on the Gear icon (⚙) in the upper right corner of the TeamViewer (Classic) application, then Security ➜ Block and Allowlist ➜ Click on Configure…
A new window will open. Activate the second option Allow access only for the following partners and click on Add
📌Note: If you activate the Also apply for meetings check box, these settings will also be applied to meetings. Only contacts from your allowlist will then be able to join your meetings.
After clicking on Add, you can either choose partners saved on your Computers & Contacts list, add TeamViewer IDs/contacts manually to your blocklist, or add the whole company you are part of (only visible if you are part of a company profile).
How to delete blocklisted/allowlisted partners?
If you no longer wish to have certain partners block or allowlisted, you can easily remove them from the list.
To do so navigate in your TeamViewer full version to the Gear icon (⚙) in the upper right corner of the TeamViewer (Classic) application, then Security ➜ Block and Allowlist ➜ Click on Configure… and choose whether you would like to remove partners from the Blocklist or from the Allowlist by choosing either Deny access for the following partners (Blocklist) or Allow access only for the following partner (Allowlist). Now click on the partners you would like to remove and finally click Remove ➜ OK
📌Note: You can choose multiple partners at once by pressing CTRG when clicking on the different partners.
This article provides a step-by-step guide to activating Two-factor authentication for connections (also known as TFA for connections).This feature enables you to allow or deny connections via push notifications on a mobile device.
This article applies to all Windows users using TeamViewer (Classic) 15.17 (and newer) and macOS and Linux users in version 15.22 (and newer).
What is Two-factor authentication for connections?
TFA for connections offers an extra layer of protection to desktop computers.
When enabled, connections to that computer need to be approved using a push notification sent to specific mobile devices.
Enabling Two-factor authentication for connections and adding approval devices
Windows and Linux:
1. In the TeamViewer (Classic) application, click the gear icon at the top right menu.
2. Click on the Security tab on the left.
3. You will find the Two-factor authentication for connections section at the bottom.
4. Click on Configure… to open the list of approval devices.
5. To add a new mobile device to receive the push notifications, click Add.
6. You will now see a QR code that needs to be scanned by your mobile device.
Below please find a step-by-step gif for Windows, Linux, and macOS:
Windows
Linux
macOS
7. On the mobile device, download and install the TeamViewer Remote Control app:
8. In the TeamViewer Remote Control app, go to Settings → TFA for connections.
9. You will see a short explanation and the option to open the camera to scan the QR code.
10. Tap on Scan QR code and you will be asked to give the TeamViewer app permission to access the camera.
11. After permission is given, the camera will open. Point the camera at the QR code on the desktop computer (see Step 6 above).
12. The activation will happen automatically, and a success message will be displayed.
13. The new device is now included in the list of approval devices.
14. From now on, any connection to this desktop computer will need to be approved using a push notification.
📌 Note:TFA for connections cannot be remotely disabled if the approval device is not accessible. Due to this, we recommend setting up an additional approval device as a backup.
Removing approval devices
1. Select an approval device from the list and click Remove or the X.
2. You will be asked to confirm the action.
3. By clicking Remove again, the mobile device will be removed from the list of approval devices and won’t receive any further push notifications.
4. If the Approval devices list is empty, Two-factor authentication for connections will be completely disabled.
Below please find a step by step gif for Windows, Linux and macOS:
▹ Windows:
▹ Linux:
▹ macOS:
Remote connections when Two-factor authentication for connections is enabled
TFA for connections does not replace any existing authentication method. When enabled, it adds an extra security layer against unauthorized access.
When connecting to a desktop computer protected by TFA for connections, a push notification will be sent to all of the approval devices.
You can either:
accept/deny the connection request via the system notification:
accept/deny the connection request by tapping the TeamViewer notification. It will lead to you the following screen within the TeamViewer application to accept/deny the connection:
Multiple approval devices
All approval devices in the list will receive a push notification.
The first notification that is answered on any of the devices will be used to allow or deny the connection.
TeamViewer offers the possibility to activate Account Recovery based on the zero-trust principle.
This is a major security enhancement for your TeamViewer account and a unique offering on the market.
This article applies to all users.
What is Zero Knowledge Account Recovery
In cases where you cannot remember your TeamViewer Account credentials, you click on I forgot my password, which triggers an email with a clickable link that leads you to the option of resetting your password.
The regular reset process leads you to a page where you can set a new password for your account.
The Zero Knowledge Account Recovery acts as another layer of security for this process as the reset process requires you to enter the unique 64 characters Zero Knowledge Account Recovery Code for your account to prove your identity. Important to note is that this happens without any intervention and knowledge of the TeamViewer infrastructure.
Activate Zero Knowledge Account Recover
To activate Zero Knowledge Account Recovery please follow the steps below:
2. Click Edit profile under your profile name (upper right corner).
3. Go to Security in the left menu
4. Click the Activate Zero knowledge account recovery button
📌 Note: The password recovery code is a unique 64 characters code that allows you to regain access if you forgot your password. It is absolutely essential that you print/download your recovery code and keep this in a secure place.
⚠ IMPORTANT: Without the recovery code you won’t be able to recover your account. Access to your account will be irreversibly lost. The data is encrypted with the key and you are the only owner of this key. TeamViewer has no access to it.
5. A PopUp window appears sharing the above information. Click on Generate Recovery Code to proceed.
6. The Recovery Code is shown. You have to download or print the code as well as you tick the check box confirming that you acknowledge and understand that if you lose your zero knowledge account recovery code, you won’t be able to recover your password and you will lose access to your account forever
⚠ Do not tick the box unless you understand the meaning.
7. Once you either downloaded or printed the recovery code and ticked the acknowledge box, you can activate the Zero knowledge account recovery by clicking Activate.
Deactivate Zero Knowledge Account Recovery
To deactivate Zero Knowledge Account Recovery please follow the steps below:
2. Click Edit profile under your profile name (upper right corner).
3. Go to Security in the left menu
4. Click the Deactivate Zero knowledge account recovery button
5. A PopUp appears. You have to tick the check box confirming that you acknowledge and understand that if you will be deactivating your zero knowledge account recovery
6. Click Deactivate to deactivate the Zero Knowledge Account recovery for your TeamViewer Account.
Reset your password
To reset your password for your TeamViewer account, please follow the steps below: (More info here: Reset account password)
