Anydesk spoofing campaign using Vidar Info-Stealer
THREAT SUMMARY
A huge campaign using 1,300 domains to impersonate the official AnyDesk site is underway, all redirecting to a Dropbox folder recently pushing the Vidar information-stealing malware.
ABOUT THREAT
▪ Origin: 2018
▪ Threat Type: Info stealer
▪ Functionality: Vidar is a malware family that primarily acts as an information stealer and is frequently seen as a prelude to ransomware distribution. This malware takes data anddistributes it as spam email, cracked commercial software, and keygen programs
▪ Goals: Data Exfiltration, Information Theft
THREAT DETAILS
• More than 1,300 domains have been leveraged in an ongoing widespread AnyDesk impersonation campaign aimed at distributing the Vidar information-stealing malware
• AnyDesk is a popular remote desktop application for Windows, Linux, and macOS, used by millions of people worldwide for secure remote connectivity or performing system administration
• In October 2022, Cyble reported that the operators of Mitsu Stealer were using an AnyDesk phishing site to push their new malware
• The list of the hostnames includes typosquats for AnyDesk, MSI Afterburner, 7-ZIP, Blender, Dashlane, Slack, VLC, OBS, cryptocurrency trading apps, and other popular software lead to the same Anydesk clone site shown below.
• In the newly discovered campaign, the sites were distributing a ZIP file named AnyDeskDownload.zip’ that pretended to be an installer for the AnyDesk software
• When installed, the malware will steal victims’ browser history, account credentials saved passwords, cryptocurrency wallet data, banking information, and other sensitive data. This data is then sent back to the attackers, who could use it for further malicious activity or sell it to other threat actors
• Another campaign pushing Vidar via Google Ads abuse was spotted by Guardio Labs at the end of December 2022, also abusing the AnyDesk brand among others
INDICATORS OF COMPROMISE
▪ The IOCs are attached in the Excel sheet
MITRE ATTACK TECHNIQUES
| Tactics | ID | Techniques |
| Defense Evasion | T1036 | Masquerading |
| Credential Access | T1003 | OS Credential Dumping |
| Collection | T1113 | Screen Capture |
| Command and Control | T1105/T1219 | Ingress Tool Transfer/Remote Access Software |
RECOMMENDATIONS
▪ Block all the mentioned IOCs in their respective technologies.
▪ Users are advised to bookmark the sites they use for downloading software, avoid clicking on promoted results (ads) in Google Search, and find the official URL of a software project from their Wikipedia page, documentation, or your OS’s package manager
▪ The best way to protect against such attacks is to be extra careful when downloading software and making sure the apps are only obtained from verified sources. Navigating to the AnyDesk website (as opposed to clicking a supposed AnyDesk link in an email or a social media post) is a good place to start
▪ Kindly review your proxy rules which will provide better prevention against categories like Malware, Suspicious , Uncategorized etc