Table of Contents
June 3, 2021
|4m
How Attackers Abused Google Search to Distribute Trojanized AnyDesk Installer?
Malware |
This time threat actors have seen utilizing a well-known Google Ads platform to distribute trojanized AnyDesk installer widely on the internet. The idea behind using Google Ads is to target more number of victims in a short amount of time.Research reveals that this malvertising campaign is believed to have begun as early as April 21, 2021. In this campaign, attackers have used a trojanized AnyDesk installer which masquerades as a setup executable for AnyDesk (AnyDeskSetup.exe), which, upon execution, downloads a PowerShell implant and exfiltrate system information from the victims.
Introducing AnyDesk
AnyDesk is a remote desktop application created by AnyDesk Software GmbH. The proprietary software program provides platform independent remote access to personal computers. It offers remote control, file transfer, and VPN functionality.Some main features include:
Remote access for multiple platforms (Windows, Linux, macOS, iOS, Android, etc.)
Remote Print
Unattended access
Whiteboard
Auto-Discovery (automatic analysis of local network)
Chat-Function
Custom-Clients
Session protocol
Individual host-server
How Threat Actors Used Google Adds to Distributed Trojanized AnyDesk Installer?
The attack begins when the user clicks on the Google Ads, which servers trojanized AnyDesk installer and download the executable.
Upon the execution of the trojanized AnyDesk installer, it downloads a PowerShell script.
The PowerShell script then reassembles an implant and constructs a ‘POST’ request to send the gathered information to a domain (zoomstatistic[.]com). The implant is able to gather information such as user name, hostname, operating system, IP address, and the current process name.
Targets of AnyDesk Malvertising Campaign
It has been estimated that during the time of this campaign, approximately 300 million users have downloaded this trojanized AnyDesk installer from the malicious site. Researchers were unable to figure out the specific geo regain and set of audions targeted to this campaign. The attack was targeted at a wide range of customers. At this point in time, we also don’t know the organizer or author of this cyber attack.It’s estimated that approximately around 40% of the clicks on the malicious ad turned into installations. Well, it is unknown that what percentage of Google searches for AnyDesk turned into clicks. A 40% installation rate from an ad click shows that this is an extremely successful method to compromise a wide range of potential targets. This attack has proved that Google Ads is an effective way to deliver malware to any set of targets as Google Ads provides the ability to freely choose their target of interest.
Indicators of Compromise of Trojanized AnyDesk Installer
IP Address:
176.111.174[.]126
176.111.174[.]125
Domains:
Domohop[.]com
Anydesk.s3-us-west-1.amazonaws[.]com
zoomstatistic[.]com
anydeskstat[.]com
Turismoelsalto[.]cl
Rockministry[.]org
curaduria3[.]com
User-Agents:
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100111 Firefox/78.0
Hashes:
357e165be7a54e49f04cccc6d79678364394e33f10a6b3b73705823f549894b5
5fe992b5a823b6200a1babe28db109a3aae1639f0a8b5248403ee1266088eac4
0c1ec49bf46f000e8310ec04ff9f5a820cbb18524acf8e39482ae3ffca14fb59
780a02755873350ceef387fd9ea8c9614d847d5ba7ae3f89d32777b6ec7ee601
How to Detect and Remove This New Trojanized AnyDesk Installer?
Follow these recommendations to reduce the impact of this threat:
Block the IOCs on your Proxies, EDR Tools, Microsoft O365, and Firewalls.
Check Firewall and Internet proxy logs for the given IOCs.
If you find any machine tried communication with the given IOCs, immediately isolate it and check for these things.
Check for unusual accounts created, especially in the administrator’s group
Check for unusual big files on the storage, bigger than five GB
Check for any unusual files added recently in system folders
Check for files using the “hidden” attribute Property
Check for unusual programs launched at boot time in the windows registry
Check all running processes for unusual/unknown entries, especially processes with username “system” and “administrator.”
Check user’s autostart folders
Check for unusual/unexpected network services installed and started
Check for unusual network activity
Check at the opened sessions on the machine
Check for unusual automated tasks
Check for unusual log entries
Check for any rootkit
Run an anti-virus product on the whole disk to check for any malware
If you find this interesting, please visit our site and read more such interesting posts.
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
- April 18, 2024
Learn Something New with Free Email subscription
Learn Something New with Free Email subscription
Subscribe
Subscribe
Subscribe
Subscribe
- April 18, 2024
