The official AnyDesk website is being impersonated in a large campaign that employs more than 1,300 domains, all linking to a Dropbox folder that just released the information-stealing malware – Vidar. Millions of users use AnyDesk, a well-liked remote desktop program for Windows, Linux, and macOS, for safe remote connectivity or carrying out system administration.
Due to the tool’s popularity, the AnyDesk brand is frequently misused in malware distribution attempts. For instance, Cyble revealed in October 2022 that the developers of Mitsu Stealer were promoting their new malware using an AnyDesk phishing site. The latest iteration of the AnyDesk campaign was discovered by SEKOIA threat analyst crep1x, who tweeted a warning and provided the complete list of the campaign’s malicious hostnames. These hostnames lead to 185.149.120[.]9, the same IP address.
Typosquats for major programs, including AnyDesk, MSI Afterburner, 7-Zip, Blender, Dashlane, Slack, VLC, OBS, cryptocurrency trading applications, and other software, are included in the list of hostnames. Nevertheless, they all link to the identical AnyDesk clone site, irrespective of the names. Most domains are still active. However, others have been reported and taken offline by registrars or are banned by antivirus. After the malicious file was reported to the cloud storage service, even for the online websites, their Dropbox links are no longer functional. The threat actor may solve this by changing the download URL to another site because every element of this campaign points to the same website.
In the recently identified effort, the websites were disseminating a ZIP file with the name “AnyDeskDownload.zip” [VirusTotal] that claimed to be an AnyDesk software installer. However, Vidar stealer, a malware that has been around since 2018, is installed in place of the remote access program.
Once activated, the malware will take the victims’ browsing history, login information, previously-saved passwords, cryptocurrency wallet data, banking details, and other private information. After being provided back to the attackers, this information may be used for other nefarious purposes or sold to other threat actors. Most users find these websites after looking out for pirated software and video games on Google. They are then directed to 108 second-stage domains, which reroute them to the final 20 domains, where the malicious payloads are delivered.
The most recent Vidar campaign delivered the malware payload via the Dropbox file hosting service, which is trusted by AV scanners, rather than concealing it behind redirections to avoid detection and takedowns. Recently, a campaign using more than 200 typosquatting websites that impersonated 27 software businesses was observed pushing Vidar. SEKOIA released a report a few days ago that detailed yet another significant info-stealer distribution scheme that included 128 websites to advertise cracked software.
It’s unclear whether each malware campaign is connected to the phony AnyDesk websites. Users should avoid clicking on sponsored results (ads) in Google Search, bookmark the websites they visit to download software and obtain the official URL of a software project from its Wikipedia page, documentation, or your OS’s package manager.