Cybersecurity researchers on Wednesday disclosed the disruption of a "clever" malvertising network targeting AnyDesk that delivered a weaponized installer of the remote desktop software via rogue Google ads that appeared in the search engine results pages.
The campaign, which is believed to have begun as early as April 21, 2021, involves a malicious file that masquerades as a setup executable for AnyDesk (AnyDeskSetup.exe), which, upon execution, downloads a PowerShell implant to collect and exfiltrate system information.
"The script had some obfuscation and multiple functions that resembled an implant as well as a hardcoded domain (zoomstatistic[.]com) to 'POST' reconnaissance information such as user name, hostname, operating system, IP address and the current process name," researchers from CrowdStrike said in an analysis.
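The two observable stages described so far, a file named AnyDeskSetup.exe launching PowerShell and an HTTP POST to the hardcoded domain, are what a hunter would look for in endpoint and proxy telemetry. The following script is an added example written for this page, not CrowdStrike's tooling or anything from the analysis; the key=value log format, the sample log lines, the hostnames and the rule names are all constructed for the illustration.

```python
"""Hunt for the two stages the CrowdStrike write-up describes: a fake
AnyDeskSetup.exe spawning PowerShell, and a POST of reconnaissance data to the
hardcoded domain zoomstatistic[.]com. The log format and every log line below are
constructed for this example; they are not from any real product or the article."""
import re
from collections import defaultdict
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Indicator published in the CrowdStrike analysis (defanged in the article, real here so it matches URLs).
IOC_DOMAIN = "zoomstatistic.com"
# Name the trojanized installer masquerades under, per the article.
TROJAN_INSTALLER = "anydesksetup.exe"

# Constructed sample telemetry: process-creation and web-proxy events in a simple key=value format.
SAMPLE_LOGS = r"""
type=process host=WS01 pid=4100 parent=C:\Users\alice\Downloads\AnyDeskSetup.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -w hidden -nop -c <redacted>"
type=process host=WS01 pid=4102 parent=C:\Windows\explorer.exe image="C:\Program Files\AnyDesk\AnyDesk.exe" cmdline="AnyDesk.exe"
type=http host=WS01 pid=4100 method=POST url=http://zoomstatistic.com/ bytes_out=412
type=http host=WS01 pid=4102 method=GET url=https://anydesk.com/en bytes_out=0
type=http host=WS02 pid=3011 method=POST url=https://zoomstatistic.com/stats bytes_out=390
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def parse_logs(text: str) -> List[Dict[str, str]]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def basename(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the two rules and return one alert per matching event."""
    alerts = []
    for e in events:
        rule = None
        if e.get("type") == "process":
            # Stage 1: the fake installer launches PowerShell to fetch the implant.
            if basename(e.get("parent", "")) == TROJAN_INSTALLER and basename(e.get("image", "")) == "powershell.exe":
                rule = "installer_spawned_powershell"
        elif e.get("type") == "http":
            # Stage 2: the implant POSTs recon data to the hardcoded domain.
            host = (urlsplit(e.get("url", "")).hostname or "").lower()
            if e.get("method") == "POST" and host == IOC_DOMAIN:
                rule = "post_to_ioc_domain"
        if rule:
            alerts.append({"host": e["host"], "pid": e["pid"], "rule": rule})
    return alerts


def hosts_by_rules(alerts: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Group the rules that fired per host."""
    by_host: Dict[str, Set[str]] = defaultdict(set)
    for a in alerts:
        by_host[a["host"]].add(a["rule"])
    return dict(by_host)


def hosts_with_both_stages(alerts: List[Dict[str, str]]) -> List[str]:
    """Hosts where the process lineage and the C2 POST were both seen."""
    return sorted(h for h, rules in hosts_by_rules(alerts).items() if len(rules) == 2)


if __name__ == "__main__":
    found = find_alerts(parse_logs(SAMPLE_LOGS))
    for a in found:
        print(a)
    print("both stages on:", hosts_with_both_stages(found))
```

The file name alone is weak evidence, since the trojan deliberately borrows the legitimate installer's name; the POST to the published domain is the stronger signal, and a host where both fire (WS01 in the constructed data) is the one to triage first. WS02 only shows the network indicator, which still warrants a look because the article notes the domain is hardcoded in the implant.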
AnyDesk's remote desktop access solution has been downloaded by more than 300 million users worldwide, according to the company's website. Although the cybersecurity firm did not attribute the activity to a specific threat actor or nexus, it suspected it to be a "widespread campaign affecting a wide range of customers" given the large user base.
The PowerShell script may have all the hallmarks of a typical backdoor, but it is the intrusion route where the attack throws a curve, signaling that it is beyond a garden-variety data gathering operation: the AnyDesk installer is distributed via malicious Google ads placed by the threat actor, which are then served to unsuspecting individuals who are using Google to search for 'AnyDesk.'
The fraudulent ad result, when clicked, redirects users to a social engineering page that is a clone of the legitimate AnyDesk website, in addition to providing the user with a link to the trojanized installer.
CrowdStrike estimates that 40% of clicks on the malicious ad turned into installations of the AnyDesk binary, and 20% of those installations included follow-on hands-on-keyboard activity. "While it is unknown what percentage of Google searches for AnyDesk resulted in clicks on the ad, a 40% Trojan installation rate from an ad click shows that this is an extremely successful method of gaining remote access across a wide range of potential targets," the researchers said.
The company also said it notified Google of its findings, which is said to have taken immediate action to pull the ad in question.
"This malicious use of Google Ads is an effective and clever way to get mass deployment of shells, as it provides the threat actor with the ability to freely pick and choose their target(s) of interest," the researchers concluded.
"Because of the nature of the Google advertising platform, it can provide a very good estimate of how many people will click on the ad. From that, the threat actor can adequately plan and budget based on this information. In addition to targeting tools like AnyDesk or other administrative tools, the threat actor can target privileged/administrative users in a unique way."