How Attackers Abused Google Search To Distribute Trojanized AnyDesk Installer?

This time threat actors have seen utilizing a well-known Google Ads platform to distribute trojanized AnyDesk installer widely on the internet. The idea behind using Google Ads is to target more number of victims in a short amount of time.
Research reveals that this malvertising campaign is believed to have begun as early as April 21, 2021. In this campaign, attackers have used a trojanized AnyDesk installer which masquerades as a setup executable for AnyDesk (AnyDeskSetup.exe), which, upon execution, downloads a PowerShell implant and exfiltrate system information from the victims.

Introducing AnyDesk

AnyDesk is a remote desktop application created by AnyDesk Software GmbH. The proprietary software program provides platform independent remote access to personal computers. It offers remote control, file transfer, and VPN functionality.
Some main features include:

• Remote access for multiple platforms (Windows, Linux, macOS, iOS, Android, etc.)
• File transfer and manager
• Remote Print
• VPN
• Unattended access
• Whiteboard
• Auto-Discovery (automatic analysis of local network)
• Chat-Function
• REST-API
• Custom-Clients
• Session protocol
• Two-Factor-Authentication
• Individual host-server

How Threat Actors Used Google Adds To Distributed Trojanized AnyDesk Installer?

1. The attack begins when the user clicks on the Google Ads, which servers trojanized AnyDesk installer and download the executable.
2. Upon the execution of the trojanized AnyDesk installer, it downloads a PowerShell script.
3. The PowerShell script then reassembles an implant and constructs a ‘POST’ request to send the gathered information to a domain (zoomstatistic[.]com). The implant is able to gather information such as user name, hostname, operating system, IP address, and the current process name.

Targets Of AnyDesk Malvertising Campaign

It has been estimated that during the time of this campaign, approximately 300 million users have downloaded this trojanized AnyDesk installer from the malicious site. Researchers were unable to figure out the specific geo regain and set of audions targeted to this campaign. The attack was targeted at a wide range of customers. At this point in time, we also don’t know the organizer or author of this cyber attack.
It’s estimated that approximately around 40% of the clicks on the malicious ad turned into installations. Well, it is unknown that what percentage of Google searches for AnyDesk turned into clicks. A 40% installation rate from an ad click shows that this is an extremely successful method to compromise a wide range of potential targets. This attack has proved that Google Ads is an effective way to deliver malware to any set of targets as Google Ads provides the ability to freely choose their target of interest.

Indicators Of Compromise of Trojanized AnyDesk Installer

IP Address: 

• 176.111.174[.]126
• 176.111.174[.]125 

Domains: 

• Domohop[.]com
• Anydesk.s3-us-west-1.amazonaws[.]com
• zoomstatistic[.]com
• anydeskstat[.]com
• Turismoelsalto[.]cl
• Rockministry[.]org
• curaduria3[.]com

User-Agents:

• Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100111 Firefox/78.0

Hashes: 

• 357e165be7a54e49f04cccc6d79678364394e33f10a6b3b73705823f549894b5
• 5fe992b5a823b6200a1babe28db109a3aae1639f0a8b5248403ee1266088eac4
• 0c1ec49bf46f000e8310ec04ff9f5a820cbb18524acf8e39482ae3ffca14fb59
• 780a02755873350ceef387fd9ea8c9614d847d5ba7ae3f89d32777b6ec7ee601

How To Detect And Remove This New Trojanized AnyDesk Installer?

Follow these recommendations to reduce the impact of this threat:

1. Block the IOCs on your Proxies, EDR Tools, Microsoft O365, and Firewalls.
2. Check Firewall and Internet proxy logs for the given IOCs.
3. If you find any machine tried communication with the given IOCs, immediately isolate it and check for these things.
   1. Check for unusual accounts created, especially in the administrator’s group
   2. Check for unusual big files on the storage, bigger than five GB
   3. Check for any unusual files added recently in system folders
   4. Check for files using the “hidden” attribute Property
   5. Check for unusual programs launched at boot time in the windows registry
   6. Check all running processes for unusual/unknown entries, especially processes with username “system” and “administrator.”
   7. Check user’s autostart folders
   8. Check for unusual/unexpected network services installed and started
   9. Check for unusual network activity
   10. Check at the opened sessions on the machine
   11. Check for unusual automated tasks
   12. Check for unusual log entries
   13. Check for any rootkit
4. Run an anti-virus product on the whole disk to check for any malware

If you find this interesting, please visit our site and read more such interesting posts.

• 14 things to check when a system gets compromised
• 10 best online pen-testing platforms to practice your skills
• Five easiest ways to connect Raspberry Pi remotely in 2021:
• A New MSBuild Fileless Malware Campaign in which Threat Actors used MSBuild to Deliver RATs
• Microsoft has Uncovered New Email Attacks from Nobelium Threat Actor