Attackers pushed a fake version of AnyDesk desktop app through Google ads and search results that served up a trojan-infested program.
The campaign, which began on April 22, is notable for its ability to avoid Google’s anti-malvertising measures. According to researchers with Crowdstrike, who have been tracking the campaign, 40 percent of the people who clicked on the ad started the installation of the malware. While twenty percent of the installations included “follow-on hands-on-keyboard activity” by criminals, according to a report published Wednesday.
The researchers said the malware tricked victims into downloading a binary called AnyDeskSetup.exe that launched a PowerShell script.
A suspicious file, which was disguised as AnyDesk, was discovered by researchers. It was later revealed that the app was bogus and weaponized for additional malicious capabilities. The executable was signed by “Digital IT Consultants Plus Inc”, and not the legitimate creators “philandro Software GmbH”.
A PowerShell implant was coded to hide once executed with a command line switch:
“Upon execution, a PowerShell implant was written to %TEMP/v.ps1 and executed with a command line switch of “-W 1″ to hide the PowerShell window.”
The logic behind the attack is similar to those described by Inde researchers, who discovered a similar method in which “Zoom installer dropped a similar PowerShell script from an external resource,” researchers wrote.
According to a study conducted by security firm F-Secure, 40 percent of all Google searches for AnyDesk led to a Trojan infection:
“While it is unknown what percentage of Google searches for AnyDesk resulted in clicks on the ad, a 40 percent Trojan installation rate from an ad click shows that this is an extremely successful method of gaining remote access across a wide range of potential targets.”
Crowdstrike alerted Google about the ad abuse, which affected thousands of customers. The company immediately took action.
“It appears that Google expeditiously took appropriate action, because at the time of this blog, the ad was no longer being served,” the report noted.
Joseph Neumann, a cyber expert at Coalfire, said that Google should take more responsibility when it pertains to the security of its ad network.
Google works with a variety of tools to prevent abusive ads. These include a combination of humans and machines. “Google’s proprietary technology and malware detection tools are used to regularly scan all creatives,” the company says.
Despite efforts by Google and other ad platforms to mitigate malvertising, some experts believe that more needs to be done.