Malvertised Fake AnyDesk: Trojanized AnyDesk found on Google Ads

On Wednesday, cybersecurity researchers at CrowdStrike disclosed the takedown of a sophisticated malvertising network that targeted AnyDesk users and delivered a trojanized installer for the remote desktop software through fake Google ads on search results pages.


The campaign, believed to have started on April 21, 2021, distributed a malicious file disguised as the AnyDesk setup executable (AnyDeskSetup.exe). When run, it downloads a PowerShell implant that collects and exfiltrates system data.


Instead of the legitimate developer, “philandro Software GmbH”, the fraudulent executable was signed by “Digital IT Consultants Plus Inc”.
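A defender-side check for the signer mismatch described above, added here as an example and not taken from the CrowdStrike report: it reads the installer's Authenticode signature with PowerShell's built-in Get-AuthenticodeSignature and only passes when the certificate chain validates and the signing certificate's subject matches the expected publisher. The expected publisher string is assumed from the developer named in this article; confirm it against a known-good download from the vendor, since vendors re-issue signing certificates over time.

```powershell
# Added example (not from the CrowdStrike report): verify that an AnyDesk installer
# carries a valid Authenticode signature from the expected publisher before running it.
# $ExpectedPublisher is an assumption taken from the developer named in the article;
# confirm the current signer string against a known-good download from the vendor.
function Test-InstallerPublisher {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedPublisher = 'philandro Software GmbH'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'FileNotFound'; Signer = $null; Trusted = $false }
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Pull the simple name (normally the CN) out of the signing certificate subject, if present.
    $signer = $null
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }

    # Trusted only when the chain validates AND the subject matches the expected publisher.
    # A valid signature from a different company (the "Digital IT Consultants Plus Inc"
    # case in the article) still fails this check, as does an unsigned or tampered file.
    $trusted = ($sig.Status -eq 'Valid') -and ($signer -eq $ExpectedPublisher)

    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $signer
        Sha256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Trusted = $trusted
    }
}

# Usage: inspect a downloaded installer before executing it.
Test-InstallerPublisher -Path "$env:USERPROFILE\Downloads\AnyDeskSetup.exe"
```

The SHA-256 is included so the result can also be compared with a hash published by the vendor or shared in threat intelligence; a signature check alone does not tell you whether a validly signed file is the one you expected.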


“The script had some obfuscation and multiple functions that resembled an implant, as well as a hard-coded domain (zoomstatistic[.]com) to ‘POST’ reconnaissance information such as username, hostname, operating system, IP address, and the current process name,” CrowdStrike researchers stated in their analysis.


AnyDesk’s remote desktop access solution has been downloaded by over 300 million people globally, according to the company’s website.


Although the cybersecurity firm could not attribute the activity to a single threat actor, it believes the campaign was part of a larger operation affecting a wide spectrum of consumers.


The PowerShell script has all the hallmarks of a typical backdoor, but it is the intrusion path that ties the attack together and signals that it is more than a routine data-collection operation: the AnyDesk installer is distributed through malicious Google Ads placed by the threat actor and served to unsuspecting users who search Google for AnyDesk.
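To illustrate the intrusion path above and the reconnaissance POST to the hard-coded domain from a detection standpoint, here is an added example (not part of the CrowdStrike analysis) that correlates Sysmon-style process-creation (event ID 1) and network-connection (event ID 3) records: it flags a PowerShell process whose parent is a file named AnyDeskSetup.exe and that then connects to a listed domain. The event records are constructed sample data, the field names follow Sysmon's conventions, and the domain list holds only the one named in this article; the function is a hypothetical name, not a product rule.

```powershell
# Added example, not part of the CrowdStrike analysis: a small detection pass over
# constructed Sysmon-style events that flags the chain the article describes, namely
# a file named like the AnyDesk installer spawning PowerShell, which then connects
# to the hard-coded domain. Every event record below is made-up sample data.

$KnownBadDomains = @('zoomstatistic.com')   # from the article; extend from your own threat intel

$events = @(
    [pscustomobject]@{ Id=1; Time='2021-05-05T10:00:01'; Image='C:\Users\u\Downloads\AnyDeskSetup.exe'; ParentImage='C:\Windows\explorer.exe'; ProcessId=4120; ParentProcessId=1100 }
    [pscustomobject]@{ Id=1; Time='2021-05-05T10:00:03'; Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage='C:\Users\u\Downloads\AnyDeskSetup.exe'; ProcessId=4188; ParentProcessId=4120 }
    [pscustomobject]@{ Id=3; Time='2021-05-05T10:00:05'; Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ProcessId=4188; DestinationHostname='zoomstatistic.com'; DestinationPort=443 }
    [pscustomobject]@{ Id=1; Time='2021-05-05T10:05:00'; Image='C:\Program Files\AnyDesk\AnyDesk.exe'; ParentImage='C:\Windows\explorer.exe'; ProcessId=5000; ParentProcessId=1100 }
    [pscustomobject]@{ Id=3; Time='2021-05-05T10:05:02'; Image='C:\Program Files\AnyDesk\AnyDesk.exe'; ProcessId=5000; DestinationHostname='relay.example'; DestinationPort=443 }
)

function Find-TrojanizedInstallerChain {
    param([object[]] $Events, [string[]] $BadDomains)

    $findings = @()

    # Step 1: PowerShell processes whose parent image is named like the AnyDesk installer.
    # A legitimate installer has no reason to launch PowerShell.
    $suspiciousPs = $Events | Where-Object {
        $_.Id -eq 1 -and
        $_.Image -match '\\powershell\.exe$' -and
        $_.ParentImage -match '\\AnyDeskSetup\.exe$'
    }

    foreach ($ps in $suspiciousPs) {
        # Step 2: any network connection from that process to a known-bad domain.
        $conns = $Events | Where-Object {
            $_.Id -eq 3 -and
            $_.ProcessId -eq $ps.ProcessId -and
            ($BadDomains -contains $_.DestinationHostname)
        }
        foreach ($c in $conns) {
            $findings += [pscustomobject]@{
                Time   = $c.Time
                Pid    = $ps.ProcessId
                Parent = $ps.ParentImage
                Domain = $c.DestinationHostname
                Rule   = 'AnyDesk installer spawned PowerShell that contacted a listed domain'
            }
        }
    }
    return $findings
}

# Usage: one finding is expected from the sample data (PID 4188 -> zoomstatistic.com);
# the genuine AnyDesk.exe connection to an unlisted host is not flagged.
Find-TrojanizedInstallerChain -Events $events -BadDomains $KnownBadDomains | Format-Table -AutoSize
```

The parent-child condition on its own is already a useful hunt query, since an installer launching PowerShell is unusual; pairing it with the network event keeps the false-positive rate low and ties the alert to the exfiltration step the researchers observed.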

[Image: AnyDesk search result. Source: CrowdStrike]
When visitors click the fake ad, they are redirected to a social-engineering page that clones the official AnyDesk website and links to the trojanized installer.

[Image: Clone of AnyDesk website. Source: CrowdStrike]
According to the researchers, the attackers paid around $1.75 per click for the ads.


According to CrowdStrike, 40% of clicks on the malicious ad resulted in installation of the trojanized AnyDesk binary, and 20% of those installations involved hands-on-keyboard activity.


While it is unknown what percentage of Google searches for AnyDesk resulted in ad clicks, a 40% installation rate from an ad click shows that this is an extremely effective method of gaining remote access across a wide range of potential targets, the researchers said.


The company also said it informed Google of its findings and that Google took quick action to remove the offending ad.