Hackers Attack AnyDesk Using Malvertising Campaign With Evasion Technique

AnyDesk is undoubtedly one of the best-known remote desktop applications, and recently CrowdStrike cybersecurity researchers have detected an entire malware network that is persistently targeting AnyDesk.

According to the experts, this malware is being delivered through a weaponized installer of a very well-known software application.

The most interesting fact about this campaign is that it uses fraudulent Google ads that are inserted into search results pages, so that the attackers can easily reach unsuspecting users.

Initial Detection

According to the CrowdStrike analysts' report, the initial detection of this malware showed that it uses MITRE ATT&CK technique T1036, Masquerading (a defense evasion technique).

Apart from this, the malware's executable file appears to have been modified to avoid any kind of detection. Not only this, but it also attempts to launch PowerShell scripts using the following command line:-

"C:\Intel\rexc.exe" -exec bypass \Intel\g.ps1

However, during the investigation, the experts found that the file "rexc.exe" appears to be a renamed PowerShell binary, and the main purpose of this renaming is to bypass and avoid detection.
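To turn the two indicators above (a renamed PowerShell host and the -exec bypass switch) into a check a defender can run against endpoint telemetry, here is an added Python example that is not CrowdStrike's or the article's code: it triages Sysmon Event ID 1 (process creation) records, flags any binary whose PE OriginalFileName is PowerShell but whose on-disk name is not, and flags any PowerShell launch that disables the execution policy. The event records, file paths and the parent AnyDeskSetup.exe location are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# PE OriginalFileName values of the Windows PowerShell and PowerShell 7 hosts, and the
# on-disk names they are expected to run under. A PowerShell PE running under any other
# name (such as rexc.exe) is the T1036 masquerading described above.
POWERSHELL_ORIGINAL_NAMES = {"powershell.exe", "pwsh.dll"}
EXPECTED_HOST_NAMES = {"powershell.exe", "pwsh.exe"}
# "-ExecutionPolicy Bypass", including the shortened parameter forms PowerShell accepts.
EXEC_BYPASS = re.compile(r"-(?:ex|exec|ep|executionpolicy)\s+bypass\b", re.IGNORECASE)

# Constructed Sysmon Event ID 1 records for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Intel\rexc.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r'"C:\Intel\rexc.exe" -exec bypass \Intel\g.ps1',
     "ParentImage": r"C:\Users\alice\Downloads\AnyDeskSetup.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "OriginalFileName": "pwsh.dll",
     "CommandLine": r"pwsh.exe -ep bypass -File C:\Scripts\deploy.ps1",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe notes.txt", "ParentImage": r"C:\Windows\explorer.exe"},
]


def analyze_event(event: dict) -> list[str]:
    """Return the names of the detections that fire on one process-creation record."""
    findings = []
    image_name = PureWindowsPath(event.get("Image", "")).name.lower()
    is_powershell = event.get("OriginalFileName", "").lower() in POWERSHELL_ORIGINAL_NAMES
    # The embedded name says PowerShell but the file on disk is called something else.
    if is_powershell and image_name not in EXPECTED_HOST_NAMES:
        findings.append("renamed_powershell_host")
    # Script execution policy disabled on the command line, as in the g.ps1 launch above.
    if is_powershell and EXEC_BYPASS.search(event.get("CommandLine", "")):
        findings.append("execution_policy_bypass")
    return findings


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious image path to the detections it triggered."""
    hits = {}
    for event in events:
        findings = analyze_event(event)
        if findings:
            hits[event["Image"]] = findings
    return hits
```

Running scan(SAMPLE_EVENTS) flags the renamed host with both detections and the legitimate pwsh.exe launch with only the policy bypass, so the first can be escalated while the second is triaged as an administrative script run.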

Malvertisers Built a Malicious Version of the Legit AnyDesk App

After analyzing this malware, the experts learned that the malicious campaign is distributing the crafted AnyDeskSetup.exe files, and that this distribution began on April 21.

When these files were executed, the experts observed that they download a PowerShell implant that continuously exfiltrates data and information from the affected system.

Malvertising Campaign

People searching for AnyDesk on Google were being served malicious Google ads placed by the threat actors, and this has been happening since April 21, 2021.

However, this malicious campaign uses intermediary sites, which then redirect to a social engineering page at a specific URL, https://anydesk.s3-us-west-1.amazonaws[.]com/AnydeskSetup.exe, and all the pages hosted at this URL are clones of the legitimate AnyDesk website.

Intermediary websites used

The intermediary websites used by the threat actors are listed below:-

  • turismoelsalto[.]cl
  • rockministry[.]org
  • curaduria3[.]com

After the investigation, the security researchers found that the threat actors are spending $1.75 per click. However, the experts stated that this method will not help the threat actors get a shell on a specific target of their choosing.

But the use of malicious Google ads is a fairly effective way to achieve mass deployment of shells. That's why the analysts affirmed that AnyDesk is quite a common target for threat actors, so users must stay aware of these attacks.
