
1,300+ AnyDesk Sites Push Vidar Information-Stealing Malware


Overview:

A recent campaign has been seen impersonating the official AnyDesk site to redirect users to a Dropbox folder that tricks them into installing the Vidar information-stealing malware.

Technical Summary:

In a recent campaign, over 1,300 domains were used to impersonate the official AnyDesk website. The fake sites redirected users to a Dropbox folder that was recently seen pushing the Vidar information-stealing malware to their devices.

For clarity, AnyDesk is a popular remote desktop tool for Windows, Linux, and macOS. The application lets users remotely connect to devices or perform system administration. Because the tool is so popular, it is a prime target for threat actors to abuse for malware distribution.

SEKOIA threat analysts spotted the new, ongoing AnyDesk campaign; they also warned users about it on Twitter and shared lists of the malicious hostnames. The list of hostnames includes typosquats of various products, including AnyDesk, Afterburner, 7-ZIP, Blender, Dashlane, Slack, OBS, MSI, and cryptocurrency trading apps.

All of the hostnames end up redirecting users to the same fake AnyDesk website. Most of the malicious domains are still up; others have been reported and taken offline. The sites were distributing a ZIP file named “AnyDeskDownload.zip” that pretended to be an installer for the AnyDesk application. In reality, users were not downloading the remote desktop software at all; they were installing the Vidar information-stealing malware.

The malware does a good job of evading detection. Instead of hiding behind chains of redirections, the recent version of Vidar uses the Dropbox hosting service, which anti-virus (AV) tools generally trust, to deliver the payload.
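As an added defender-side example (not code from this post or from SEKOIA), the following Python flags the two tells described above in proxy logs: hostnames that typosquat the impersonated brands, and an archive download served from Dropbox. The legitimate hostnames, the "client url" log-line format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Legitimate hosts for brands the post says were impersonated (assumed, for illustration)
LEGIT_HOSTS = {"anydesk.com", "7-zip.org", "blender.org", "dashlane.com", "slack.com", "obsproject.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (no public-suffix handling)."""
    return ".".join(host.lower().split(".")[-2:])

def typosquat_target(host: str, max_distance: int = 2):
    """Return the legitimate host this hostname imitates, or None if exact or unrelated."""
    dom = registrable(host)
    if dom in LEGIT_HOSTS:
        return None
    label = dom.split(".")[0]
    for legit in sorted(LEGIT_HOSTS):
        brand = legit.split(".")[0]
        if brand in label or edit_distance(label, brand) <= max_distance:
            return legit  # brand embedded (anydesk-download.co) or misspelt (anydeks.com)
    return None

def flag_line(line: str):
    """Flag a typosquat host or an archive pulled from Dropbox; return a reason or None."""
    p = urlparse(line.split()[-1])
    host = p.hostname or ""
    target = typosquat_target(host)
    if target:
        return f"typosquat of {target}: {host}"
    if registrable(host) == "dropbox.com" and re.search(r"\.(zip|rar|7z)$", p.path, re.I):
        return f"archive download from Dropbox: {p.path.rsplit('/', 1)[-1]}"
    return None

SAMPLE_LOG = [  # constructed "client url" lines, not real campaign data
    "10.0.0.5 https://anydeks.com/download",
    "10.0.0.6 https://anydesk-download.co/",
    "10.0.0.7 https://www.dropbox.com/s/abc123/AnyDeskDownload.zip?dl=1",
    "10.0.0.9 https://anydesk.com/en/downloads",
]
FLAGS = [flag_line(line) for line in SAMPLE_LOG]  # three hits, then None for the real site
```

A real deployment would swap the crude two-label domain extraction for a public-suffix list and tune the distance threshold per brand, since short brand names like "slack" match many unrelated labels at distance 2.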

Attack Tactics, Techniques & Procedures:

Reconnaissance (TA0043)

  • Phishing for Information (T1598) 
  • Gather Victim Identity Information (T1589) 

Impact (TA0040)

  • Data Manipulation (T1565) 
  • Data Destruction (T1485) 

Privilege Escalation (TA0004)

  • Exploitation for Privilege Escalation (T1068)
  • Valid Accounts (T1078)

Initial Access (TA0001)

  • Valid Accounts (T1078)
  • Phishing (T1566) 
  • Trusted Relationship (T1199) 
  • Exploitation of Public Facing Application (T1190)

Execution (TA0002) 

  • User Execution (T1204)
  • Software Deployment Tools (T1072)
  • Command & Scripting Interpreter (T1059)

Defense Evasion (TA0005)

  • Masquerading (T1036) 

Persistence (TA0003)

  • Account Manipulation (T1098)
  • Valid Accounts (T1078)

Credential Access (TA0006) 

  • Exploitation for Credential Access (T1212)
  • Credentials from Password Stores (T1555)

Resource Development (TA0042)

  • Compromise Accounts (T1586) 

Exfiltration (TA0010)

  • Exfiltration Over C2 Channel (T1041)

Collection (TA0009)

  • Clipboard Data (T1115)

Affected Assets and Organizational Impact:

Users are tricked into downloading an information-stealing malware known as Vidar. Vidar has been circulating since 2018, and since its launch there have been multiple campaigns impersonating software brands, including one that used 200 typosquatting domains. Once installed, the malware is designed to steal victims’ browser history, account credentials, saved passwords, cryptocurrency wallet data, and banking information.

Mitigation and Response:

To avoid downloading the malicious info-stealer, users are advised to bookmark the websites they use for downloading software. Users should avoid clicking on promoted ads in Google search results and instead look up the official URL of the software project. Moreover, never download software from a third-party site or vendor; it is always recommended to download software from the vendor’s official website.

Sincerely,

Dominic Alegrete

#CyberXE #CyberLeadersStartHere