On Wednesday, cybersecurity researchers at CrowdStrike revealed the takedown of a sophisticated malvertising network that targeted AnyDesk users and delivered a weaponized installer of the remote desktop software via fake Google adverts on search results pages.
The campaign, which is thought to have started on April 21, 2021, involved a malicious file disguised as the AnyDesk setup executable (AnyDeskSetup.exe); when executed, it downloads a PowerShell implant that collects and exfiltrates system data.
Instead of being signed by the legitimate developer, "philandro Software GmbH", the fraudulent executable was signed by "Digital IT Consultants Plus Inc".
“The script had some obfuscation and multiple functions that resembled an implant, as well as a hard-coded domain (zoomstatistic[.]com) to ‘POST’ reconnaissance information such as username, hostname, operating system, IP address, and the current process name,” Crowdstrike researchers stated in their analysis.
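The signer mismatch described above is a check a defender can automate before an installer is run. The following PowerShell snippet is an added example, not CrowdStrike's code or AnyDesk's: it inspects a downloaded installer's Authenticode signature and rejects it when the signer is not the publisher named on the page or matches the signer the fraudulent file carried. The installer path is an assumed input.

```powershell
# Added defensive check (not from CrowdStrike's analysis or AnyDesk's tooling):
# reject an AnyDesk installer whose Authenticode signer is not the legitimate
# publisher. $InstallerPath is a hypothetical input supplied by the operator.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallerPath   # e.g. C:\Users\me\Downloads\AnyDeskSetup.exe (assumed)
)

# Publisher named in the report as the legitimate developer, and the signer
# the trojanized installer was reported to carry.
$ExpectedPublisher = 'philandro Software GmbH'
$KnownBadPublisher = 'Digital IT Consultants Plus Inc'

function Test-AnyDeskInstallerSignature {
    param([string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Pull the CN out of the certificate subject (first "CN=" RDN).
    $cnPart = $subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1
    $cn = if ($cnPart) { $cnPart -replace '^CN=', '' } else { '<unsigned>' }

    # Order matters: a known-bad signer is rejected even if its chain validates.
    if ($cn -eq $KnownBadPublisher) {
        $verdict = 'REJECT: signer matches the malvertising campaign'
    } elseif ($sig.Status -ne 'Valid') {
        $verdict = "REJECT: signature status is $($sig.Status)"
    } elseif ($cn -ne $ExpectedPublisher) {
        $verdict = 'REJECT: unexpected signer'
    } else {
        $verdict = 'OK: valid signature from the expected publisher'
    }

    [pscustomobject]@{
        Path     = $Path
        Status   = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
        SignerCN = $cn
        Verdict  = $verdict
    }
}

Test-AnyDeskInstallerSignature -Path $InstallerPath | Format-List
```

Signer-name checks are a first filter only; pair them with a hash or download-source check, since a valid certificate issued to a different entity is exactly what this campaign used.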
AnyDesk’s remote desktop access solution has been downloaded by over 300 million people globally, according to the company’s website.
Although the cybersecurity firm was unable to pinpoint a single threat actor, it believes the illegal cyber activity was part of a larger operation affecting a wide spectrum of consumers.
The PowerShell script has all of the hallmarks of a typical backdoor, but it is the intrusion route that brings the attack together and signals that it is more than a routine data collection operation: the AnyDesk installer is distributed via malicious Google Ads placed by the threat actor and served to unsuspecting individuals who search Google for AnyDesk.
When visitors click on the fake ad, they are redirected to a social engineering page that is a clone of the official AnyDesk website and contains a link to the trojanized installer.
According to the researchers, hackers paid around $1.75 per click.
According to CrowdStrike, 40% of clicks on the malicious ad resulted in installation of the trojanized AnyDesk installer, and 20% of those installations involved hands-on-keyboard activity.
While it is unknown what percentage of Google searches for AnyDesk resulted in ad clicks, a 40% Trojan installation rate from an ad click shows that this is an extremely successful method of gaining remote access across a wide range of potential targets, according to the researchers.
The company also stated that it informed Google of its findings, and that Google took quick measures to remove the offending ad.