
On Wednesday, cybersecurity researchers publicized the disruption of a clever malvertising campaign network that is currently targeting AnyDesk remote access software. The malicious advertising network targets the remote access software for devices (PCs, laptops and mobile). It delivers a weaponized installer via rogue Google ads that appeared in the search engine results pages (SERPs).

The malvertising campaign is believed to have commenced as early as the 21st of April, 2021. It involves a malicious file that poses as an executable setup for AnyDesk (AnyDeskSetup.exe). Once this setup is executed, it downloads a PowerShell implant to collect and exfiltrate system information.

“The script had some obfuscation and multiple functions that resembled an implant as well as a hardcoded domain (zoomstatistic[.]com) to ‘POST’ reconnaissance information such as user name, hostname, operating system, IP address and the current process name,” researchers from CrowdStrike said in an analysis.

The PowerShell script might have all the properties of a typical backdoor, but it is the intrusion route that sets it apart from the variety of other data-collecting operations.

The AnyDesk installer is distributed via malicious Google Ads (the malvertising campaign) that the threat actor cleverly places. These manipulated ads are then served to unsuspecting individuals who use Google’s search engine to search for AnyDesk. When these individuals click on the fraudulent ad results, they are redirected to a social engineering page that is a clone of the legitimate AnyDesk website. Additionally, it provides the individual with a direct link to the trojanized installer.

CrowdStrike has estimated that 40% of the clicks on the malicious malvertising campaign turned into installations that included follow-on hands-on-keyboard activity.

“While it is unknown what percentage of Google searches for AnyDesk resulted in clicks on the ad, a 40% Trojan installation rate from an ad click shows that this is an extremely successful method of gaining remote access across a wide range of potential targets,” the researchers said.

The cybersecurity firm has not attributed the cyber activity to a particular threat actor or nexus, but it suspects this to be a “widespread campaign affecting a wide range of customers”, given the large user base. As per the statistics on the remote access company’s website, AnyDesk’s remote desktop access software has been downloaded by more than a million dedicated users across the globe.

“This malicious use of Google Ads is an effective and clever way to get mass deployment of shells, as it provides the threat actor with the ability to freely pick and choose their target(s) of interest,” the researchers concluded. The AnyDesk company has also stated that it had notified Google of its findings, and Google has taken immediate action to bring down the advertisement in question.
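As an added example (not from the article or from CrowdStrike's analysis), the following Python detector correlates constructed process-creation and web-proxy events for the chain described above: a file named AnyDeskSetup.exe spawning PowerShell, which then POSTs to the hardcoded domain. It goes one step beyond the page by also flagging a POST from such a PowerShell process to any destination; the event fields, host names and the 203.0.113.10 address are assumptions.

```python
import ntpath

# Domain quoted in the CrowdStrike analysis; names of the installer and script hosts to watch.
C2_DOMAINS = {"zoomstatistic.com"}
INSTALLER_NAME = "anydesksetup.exe"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

def proc(host, pid, ppid, image, parent):  # build a constructed process-creation event
    return {"type": "process", "host": host, "pid": pid, "ppid": ppid, "image": image, "parent_image": parent}

def http(host, pid, method, dest):  # build a constructed web-proxy event
    return {"type": "http", "host": host, "pid": pid, "method": method, "dest": dest}

SAMPLE_EVENTS = [  # constructed telemetry, not real data: one compromised host, one benign, one variant
    proc("WS01", 4120, 3980, r"C:\Users\bob\Downloads\AnyDeskSetup.exe", r"C:\Windows\explorer.exe"),
    proc("WS01", 4188, 4120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Users\bob\Downloads\AnyDeskSetup.exe"),
    http("WS01", 4188, "POST", "zoomstatistic.com"),
    proc("WS02", 5001, 4000, r"C:\Program Files\AnyDesk\AnyDesk.exe", r"C:\Windows\explorer.exe"),
    http("WS02", 5001, "POST", "anydesk.com"),
    proc("WS03", 6001, 5900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Temp\AnyDeskSetup.exe"),
    http("WS03", 6001, "POST", "203.0.113.10"),
]

def detect(events):
    """Return (host, rule, pid) alerts in event order.
    Rule A: a script host spawned directly by a process named like the AnyDesk installer.
    Rule B: an HTTP POST to the hardcoded domain from any process.
    Rule C: an HTTP POST from a process flagged by rule A, whatever the destination."""
    alerts = []
    suspicious = set()  # (host, pid) of script hosts spawned by the installer
    for ev in events:
        if ev["type"] == "process":
            child = ntpath.basename(ev["image"]).lower()
            parent = ntpath.basename(ev["parent_image"]).lower()
            if child in SCRIPT_HOSTS and parent == INSTALLER_NAME:
                suspicious.add((ev["host"], ev["pid"]))
                alerts.append((ev["host"], "installer_spawned_script_host", ev["pid"]))
        elif ev["type"] == "http" and ev["method"] == "POST":
            if ev["dest"].lower() in C2_DOMAINS:
                alerts.append((ev["host"], "post_to_known_c2", ev["pid"]))
            elif (ev["host"], ev["pid"]) in suspicious:
                alerts.append((ev["host"], "post_from_suspicious_process", ev["pid"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```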
