This time, threat actors have been seen using the well-known Google Ads platform to distribute a trojanized AnyDesk installer widely on the internet. The idea behind using Google Ads is to reach a larger number of victims in a short amount of time.
Research reveals that this malvertising campaign is believed to have begun as early as April 21, 2021. In this campaign, attackers used a trojanized installer that masquerades as a setup executable for AnyDesk (AnyDeskSetup.exe) and, upon execution, downloads a PowerShell implant and exfiltrates system information from the victims.
AnyDesk is a remote desktop application created by AnyDesk Software GmbH. The proprietary software program provides platform-independent remote access to personal computers. It offers remote control, file transfer, and VPN functionality.
Some main features include:
- Remote access for multiple platforms (Windows, Linux, macOS, iOS, Android, etc.)
- File transfer and manager
- Remote Print
- Unattended access
- Auto-Discovery (automatic analysis of local network)
- Session protocol
- Individual host-server
How Did Threat Actors Use Google Ads to Distribute the Trojanized AnyDesk Installer?
- The attack begins when the user clicks on the Google ad, which serves the trojanized AnyDesk installer, and downloads the executable.
- Upon the execution of the trojanized AnyDesk installer, it downloads a PowerShell script.
- The PowerShell script then reassembles an implant and constructs a ‘POST’ request to send the gathered information to a domain (zoomstatistic[.]com). The implant is able to gather information such as user name, hostname, operating system, IP address, and the current process name.
Targets of AnyDesk Malvertising Campaign
It has been estimated that, during this campaign, approximately 300 million users downloaded the trojanized AnyDesk installer from the malicious site. Researchers were unable to determine the specific geographic region or set of audiences targeted by this campaign. The attack was aimed at a wide range of customers. At this point in time, we also don’t know the organizer or author of this cyber attack.
It’s estimated that approximately 40% of the clicks on the malicious ad turned into installations. It is unknown what percentage of Google searches for AnyDesk turned into clicks. A 40% installation rate from an ad click shows that this is an extremely successful method to compromise a wide range of potential targets. This attack has proved that Google Ads is an effective way to deliver malware to any set of targets, as Google Ads gives advertisers the ability to freely choose their targets of interest.
Indicators of Compromise of Trojanized AnyDesk Installer
- Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100111 Firefox/78.0
How to Detect and Remove This New Trojanized AnyDesk Installer?
Follow these recommendations to reduce the impact of this threat:
- Block the IOCs on your Proxies, EDR Tools, Microsoft O365, and Firewalls.
- Check Firewall and Internet proxy logs for the given IOCs.
- If you find that any machine tried to communicate with the given IOCs, isolate it immediately and check for the following:
  - Check for unusual accounts created, especially in the administrators group
  - Check for unusually large files on the storage, bigger than five GB
  - Check for any unusual files added recently in system folders
  - Check for files using the “hidden” attribute
  - Check for unusual programs launched at boot time in the Windows registry
  - Check all running processes for unusual/unknown entries, especially processes with username “system” and “administrator.”
  - Check the user’s autostart folders
  - Check for unusual/unexpected network services installed and started
  - Check for unusual network activity
  - Check the open sessions on the machine
  - Check for unusual automated tasks
  - Check for unusual log entries
  - Check for any rootkit
  - Run an anti-virus product on the whole disk to check for any malware
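
As an added example (not part of the original article or of any vendor tooling), the proxy-log check from the recommendations above can be scripted as follows. Only the domain and the user-agent string come from the article; the log layout, client addresses and sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# IOCs from the article. The domain stays defanged in source and is refanged for matching.
IOC_DOMAIN = "zoomstatistic[.]com".replace("[.]", ".")
IOC_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100111 Firefox/78.0"

# Assumed layout (constructed): <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) '
                     r'(?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')

def host_matches(url, domain=IOC_DOMAIN):
    """True if the URL host is the IOC domain or a subdomain (not a lookalike)."""
    target = url if "://" in url else "//" + url  # CONNECT lines carry host:port only
    host = (urlsplit(target).hostname or "").rstrip(".")
    return host == domain or host.endswith("." + domain)

def scan(lines):
    """Return one finding per parsed log line that hits an IOC, with the reasons."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable line; count these in production use
        reasons = []
        if host_matches(m["url"]):
            reasons.append("domain")
            if m["method"] == "POST":
                reasons.append("post")  # the implant reports via a POST request
        if m["ua"] == IOC_UA:
            reasons.append("user-agent")
        if reasons:
            findings.append({"line": number, "client": m["client"], "reasons": reasons})
    return findings

def hosts_to_isolate(findings):
    """Distinct client addresses that should be isolated and triaged."""
    return sorted({f["client"] for f in findings})

FIREFOX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0"
SAMPLE_LOG = [  # constructed lines, not real traffic
    f'2021-05-20T10:01:02Z 10.0.0.5 GET https://www.example.com/ 200 "{FIREFOX}"',
    f'2021-05-20T10:02:10Z 10.0.0.7 POST http://{IOC_DOMAIN}/ 200 "{IOC_UA}"',
    f'2021-05-20T10:03:44Z 10.0.0.9 CONNECT {IOC_DOMAIN}:443 200 "-"',
    f'2021-05-20T10:04:01Z 10.0.0.11 GET http://{IOC_DOMAIN}.example.net/ 200 "{FIREFOX}"',
    f'2021-05-20T10:05:30Z 10.0.0.12 GET http://example.org/ 200 "{IOC_UA}"',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG), hosts_to_isolate(scan(SAMPLE_LOG)))
```

The user agent is compared as an exact string on purpose: the IOC differs from a genuine desktop Firefox string only in its Gecko token (20100111 rather than 20100101), so a looser match on "Firefox/78.0" would flag real browsers.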