AnyDesk is a useful remote desktop access tool that has been installed by more than 300 million users. Unfortunately, hackers found a way to trojanize the application in a recent malvertising campaign.
Legitimate AnyDesk App Targeted by Malvertisers
Cybersecurity researchers from CrowdStrike reported the discovery of an entire malvertising network targeting AnyDesk and delivering a weaponized installer of the popular software utility. To reach unsuspecting users, the attackers used rogue Google ads that made their way onto the search network’s result pages. The malicious campaign delivering the weaponized AnyDeskSetup.exe file most likely began on April 21. Upon execution, the file downloaded a PowerShell implant that exfiltrated information from infected systems.
The malvertising campaign was detected with the help of the CrowdStrike Falcon platform. “The initial activity triggered a detection within the CrowdStrike Falcon® platform, tagged with MITRE’s technique T1036, ‘Masquerading,’” the report said. The researchers also discovered a manipulated executable that evaded detection and attempted to launch a PowerShell script using a specific command line.
The PowerShell script can be described as a typical backdoor. The more intriguing part of the operation is the entire intrusion mechanism, showing that it is more than your regular malvertising effort. The hackers used malicious Google ads to serve the weaponized app to users searching for the popular AnyDesk tool. Upon clicking the fake ad, the user would be redirected to a social engineering page that looked like the legitimate AnyDesk website. The user would also be provided with a link to the dangerous installer.
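The pattern described above, an installer masquerading as AnyDesk that launches a hidden PowerShell stage, is something a defender can triage from process-creation telemetry. The following is an added example written for this article, not code from CrowdStrike or the report; the field names, the trusted-publisher placeholder and the sample events are constructed assumptions.

```python
import re

# Assumption: the publisher string your allow-list expects on a genuine AnyDesk
# binary; the value here is a constructed placeholder, not the real signer.
TRUSTED_ANYDESK_SIGNERS = {"PLACEHOLDER-TRUSTED-ANYDESK-PUBLISHER"}

# PowerShell switches an installer has no business using: hidden window,
# no profile, encoded command, or in-memory download helpers.
SUSPICIOUS_PS = re.compile(r"(?i)(-w\w*\s+hidden|-nop\w*|-e(nc\w*)?\b|downloadstring|\biex\b)")

def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage_event(ev):
    """Return findings for one process-creation event (dict with image,
    parent_image, signer, cmdline). An empty list means nothing suspicious."""
    findings = []
    name, parent = _basename(ev.get("image", "")), _basename(ev.get("parent_image", ""))
    # T1036 Masquerading: an AnyDesk-named binary not signed by the expected publisher.
    if "anydesk" in name and ev.get("signer") not in TRUSTED_ANYDESK_SIGNERS:
        findings.append("masquerading: AnyDesk-named binary with unexpected signer")
    # A setup binary spawning PowerShell with stealthy flags matches the implant stage.
    if parent.endswith("setup.exe") and name in {"powershell.exe", "pwsh.exe"} \
            and SUSPICIOUS_PS.search(ev.get("cmdline", "")):
        findings.append("installer spawned PowerShell with suspicious flags")
    return findings

def triage_events(events):
    """Map pid -> findings for every event that produced at least one finding."""
    return {ev["pid"]: f for ev in events if (f := triage_event(ev))}

# Constructed sample events for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "image": r"C:\Users\a\Downloads\AnyDesk.exe", "parent_image": r"C:\Windows\explorer.exe",
     "signer": "PLACEHOLDER-TRUSTED-ANYDESK-PUBLISHER", "cmdline": "AnyDesk.exe"},
    {"pid": 101, "image": r"C:\Users\a\Downloads\AnyDeskSetup.exe", "parent_image": r"C:\Windows\explorer.exe",
     "signer": "Unknown Publisher", "cmdline": "AnyDeskSetup.exe"},
    {"pid": 102, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\a\Downloads\AnyDeskSetup.exe", "signer": "Microsoft Windows",
     "cmdline": r"powershell.exe -WindowStyle Hidden -NoProfile -File C:\Users\a\AppData\Local\Temp\update.ps1"},
    {"pid": 103, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "signer": "Microsoft Windows",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for pid, found in triage_events(SAMPLE_EVENTS).items():
        print(pid, found)
```

Run against real EDR or Sysmon process-creation events, the two checks correspond to the masquerading detection and the PowerShell launch the researchers describe.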
According to the CrowdStrike research, 40% of the clicks on the malicious ad led to actual installations of the trojanized AnyDesk binary, and 20% of those installations were followed by the hands-on-keyboard activity the threat actors were after. These figures show that the campaign had a remarkably high success rate, as the report notes:
CrowdStrike’s internal available data suggests that 40% of clicks on this malicious ad turned into installations of this trojanized AnyDesk binary, and 20% of installations included follow-on hands-on-keyboard activity.
While it is unknown what percentage of Google searches for AnyDesk resulted in clicks on the ad, a 40% Trojan installation rate from an ad click shows that this is an extremely successful method of gaining remote access across a wide range of potential targets.
Full technical disclosure of the malvertising campaign is available in the original report.
Previously Detected Malvertising Operations
In February, a malvertising campaign coordinated by the ScamClub group exploited a zero-day in WebKit-based browsers. The end goal of the operation was to inject malicious payloads that redirect users to sites designed for gift card scams. The malvertising campaign, first observed by Confiant in June last year, exploited the critical CVE-2021-1801 vulnerability. According to the official information, the vulnerability was first discovered in Apple macOS up to 11.1 by researcher Eliya Stein of Confiant.