Cybersecurity researchers on Wednesday disclosed the disruption of a "clever" malvertising network targeting AnyDesk that delivered a weaponized installer of the remote desktop software via rogue Google ads that appeared in the search engine results pages.
The campaign, which is believed to have begun as early as April 21, 2021, involves a malicious file that masquerades as a setup executable for AnyDesk (AnyDeskSetup.exe) and, upon execution, downloads a PowerShell implant to collect and exfiltrate system information.
"The script had some obfuscation and multiple functions that resembled an implant as well as a hardcoded domain (zoomstatistic[.]com) to 'POST' reconnaissance information such as user name, hostname, operating system, IP address and the current process name," researchers from CrowdStrike said in an analysis.
AnyDesk's remote desktop access solution has been downloaded by more than 300 million users worldwide, according to the company's website. Although the cybersecurity firm did not attribute the activity to a specific threat actor or nexus, it suspected it to be a "widespread campaign affecting a wide range of customers" given the large user base.
The PowerShell script may have all the hallmarks of a typical backdoor, but it is the intrusion route where the attack throws a curve, signaling that this is beyond a garden-variety data gathering operation: the AnyDesk installer is distributed through malicious Google ads placed by the threat actor, which are then served to unsuspecting individuals who are using Google to search for 'AnyDesk.'
The fraudulent ad result, when clicked, redirects users to a social engineering page that is a clone of the legitimate AnyDesk website and provides the user with a link to the trojanized installer.
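The intrusion chain above leaves two network-level traces that the article itself names: a download of AnyDeskSetup.exe from a host that is not the vendor's own site, and a POST of reconnaissance data to the hardcoded domain zoomstatistic[.]com. The following Python is an added example of hunting for both in a proxy log; it is not code from CrowdStrike's analysis or from the article. The log line format, the sample lines, the assumption that anydesk.com is the only legitimate download origin, and the PowerShell User-Agent heuristic are all assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the article: the hardcoded C2 domain (kept defanged, as written)
# and the file name the trojanized installer masquerades under.
C2_DOMAINS_DEFANGED = ["zoomstatistic[.]com"]
INSTALLER_NAME = "anydesksetup.exe"

# Assumption of this example: anydesk.com is the only legitimate origin for the installer.
OFFICIAL_DOMAINS = ["anydesk.com"]

# Constructed sample proxy log (not real traffic): timestamp, client IP, method, URL, User-Agent.
SAMPLE_LOG = """\
2021-05-05T10:01:12Z 10.0.0.15 GET https://anydesk.com/en/downloads/windows Mozilla/5.0
2021-05-05T10:01:40Z 10.0.0.15 GET https://download.anydesk.com/AnyDeskSetup.exe Mozilla/5.0
2021-05-05T10:03:02Z 10.0.0.23 GET https://anydesk-install.example/AnyDeskSetup.exe Mozilla/5.0
2021-05-05T10:03:30Z 10.0.0.23 POST https://zoomstatistic.com/recon WindowsPowerShell/5.1
2021-05-05T10:04:11Z 10.0.0.31 GET https://zoomstatistic.com/ Mozilla/5.0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ua>.+)$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as zoomstatistic[.]com back into a real domain."""
    return indicator.replace("[.]", ".")


def host_matches(host: str, domains) -> bool:
    """True if host equals one of the domains or is a subdomain of one of them."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(line: str):
    """Return a finding dict for a suspicious log line, or None for benign lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlparse(m["url"])
    host = url.hostname or ""
    filename = url.path.rsplit("/", 1)[-1].lower()
    c2 = [refang(d) for d in C2_DOMAINS_DEFANGED]

    if host_matches(host, c2):
        # Any contact with the hardcoded domain; a POST matches the described exfil behaviour.
        kind = "c2_beacon" if m["method"] == "POST" else "c2_contact"
    elif filename == INSTALLER_NAME and not host_matches(host, OFFICIAL_DOMAINS):
        # The installer name served from somewhere other than the vendor: the clone-site download.
        kind = "installer_from_unofficial_host"
    elif m["method"] == "POST" and "WindowsPowerShell" in m["ua"]:
        # Default User-Agent of PowerShell's web cmdlets; weak alone, useful for triage.
        kind = "powershell_post"
    else:
        return None
    return {"ts": m["ts"], "src": m["src"], "kind": kind, "host": host}


def scan_proxy_log(text: str):
    """Classify every line of the log and keep only the findings."""
    return [f for f in (classify(line) for line in text.splitlines()) if f]


def likely_compromised(findings):
    """Clients that fetched the installer from an unofficial host and then beaconed to the C2."""
    kinds_by_src = {}
    for f in findings:
        kinds_by_src.setdefault(f["src"], set()).add(f["kind"])
    return sorted(
        src for src, kinds in kinds_by_src.items()
        if {"installer_from_unofficial_host", "c2_beacon"} <= kinds
    )


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for f in found:
        print(f)
    print("likely compromised:", likely_compromised(found))
```

Correlating the two indicators per client is what turns a noisy "installer from an odd host" alert into an actionable one: a host that both pulled AnyDeskSetup.exe from outside the vendor's domain and then POSTed to the hardcoded domain fits the chain the article describes. On the endpoint, the complementary control is to verify the downloaded installer's code signature before running it; a clone of the website copies the page, not the vendor's signing key.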
CrowdStrike estimates that 40% of clicks on the malicious ad turned into installations of the AnyDesk binary, and 20% of those installations included follow-on hands-on-keyboard activity. "While it is unknown what percentage of Google searches for AnyDesk resulted in clicks on the ad, a 40% Trojan installation rate from an ad click shows that this is an extremely successful method of gaining remote access across a wide range of potential targets," the researchers said.
The company also said it notified Google of its findings, and Google is said to have taken immediate action to pull the ad in question.
"This malicious use of Google Ads is an effective and clever way to get mass deployment of shells, as it provides the threat actor with the ability to freely pick and choose their target(s) of interest," the researchers concluded.
"Because of the nature of the Google advertising platform, it can provide a really good estimate of how many people will click on the ad. From that, the threat actor can adequately plan and budget based on this information. In addition to targeting tools like AnyDesk or other administrative tools, the threat actor can target privileged/administrative users in a unique way."