Threat Watch

Over 1,300 Fake AnyDesk Sites Push Vidar Info-Stealing Malware

A massive campaign using over 1,300 domains to impersonate the official AnyDesk site is underway, all redirecting to a Dropbox folder recently pushing the Vidar information-stealing malware. AnyDesk is a popular remote desktop application for Windows, Linux, and macOS, used by millions of people worldwide for secure remote connectivity or performing system administration. Due to the tool’s popularity, malware distribution campaigns often abuse the AnyDesk brand. For example, in October 2022, Cyble reported that the operators of Mitsu Stealer were using an AnyDesk phishing site to push their new malware. The new ongoing AnyDesk campaign was spotted by SEKOIA threat analyst crep1x, who warned about it on Twitter and shared the complete list of the malicious hostnames. All these hostnames resolve to the same IP address of 185.149.120[.]9. The list of the hostnames includes typo squats for AnyDesk, MSI Afterburner, 7-ZIP, Blender, Dashlane, Slack, VLC, OBS, cryptocurrency trading apps, and other popular software. At the time of writing this, most domains are still online, while others have been reported and taken offline by the registrars or are blocked by AV tools. Even for the sites that are up, their Dropbox links no longer work after the malicious file was reported to the cloud storage service. However, as this campaign all points to the same site, the threat actor can easily fix this by updating the download URL to another site. In the newly discovered campaign, the sites were distributing a ZIP file named ‘AnyDeskDownload.zip’ that pretended to be an installer for the AnyDesk software. However, instead of installing the remote access software, it installs Vidar stealer, an information-stealing malware circulating since 2018. When installed, the malware will steal victims’ browser history, account credentials, saved passwords, cryptocurrency wallet data, banking information, and other sensitive data. This data is then sent back to the attackers, who could use it for further malicious activity or sell it to other threat actors. Instead of hiding the malware payload behind redirections to evade detection and takedowns, the recent Vidar campaign used the Dropbox file hosting service, which is trusted by AV tools, to deliver the payload. Reporters have recently seen Vidar being pushed by a campaign relying on over 200 typo squatting domains that impersonated 27 software brands.

ANALYST NOTES

Users are advised to bookmark official sites used for downloading software, avoid clicking on promoted results (ads) in Google Search, and find the official URL of a software project from their official website, documentation, or your OS’s package manager.

https://www.bleepingcomputer.com/news/security/over-1-300-fake-anydesk-sites-push-vidar-info-stealing-malware/