A massive campaign using over 1,300 domains to impersonate the official AnyDesk site is underway, all redirecting to a Dropbox folder recently pushing the Vidar information-stealing malware.
AnyDesk is a popular remote desktop application for Windows, Linux, and macOS, used by millions of people worldwide for secure remote connectivity or performing system administration.
Due to the tool’s popularity, malware distribution campaigns often abuse the AnyDesk brand. For example, in October 2022, Cyble reported that the operators of Mitsu Stealer were using an AnyDesk phishing site to push their new malware.
The new ongoing AnyDesk campaign was spotted by SEKOIA threat analyst crep1x, who warned about it on Twitter and shared the complete list of the malicious hostnames. All of these hostnames resolve to the same IP address of 185.149.120[.]9.
The list of the hostnames includes typosquats for AnyDesk, MSI Afterburner, 7-ZIP, Blender, Dashlane, Slack, VLC, OBS, cryptocurrency trading apps, and other popular software.
However, regardless of the name, they all lead to the same AnyDesk clone site, shown below.
At the time of writing this, most domains are still online, while others have been reported and taken offline by the registrars or are blocked by AV tools. Even for the sites that are up, their Dropbox links no longer work after the malicious file was reported to the cloud storage service.
However, as this campaign all point to the same site, the threat actor can easily fix this by updating the download URL to another site.
All sites lead to Vidar Stealer
In the newly discovered campaign, the sites were distributing a ZIP file named ‘AnyDeskDownload.zip’ [VirusTotal] that pretended to be an installer for the AnyDesk software.
However, instead of installing the remote access software, it installs Vidar stealer, an information-stealing malware circulating since 2018.
When installed, the malware will steal victims’ browser history, account credentials, saved passwords, cryptocurrency wallet data, banking information, and other sensitive data. This data is then sent back to the attackers, who could use it for further malicious activity or sell it to other threat actors.
Users typically end up on these sites after searching Google for pirated versions of software and games. They are then led to 108 second-stage domains that redirect them to the final destination of 20 domains that deliver the malicious payloads.
Instead of hiding the malware payload behind redirections to evade detection and takedowns, the recent Vidar campaign used the Dropbox file hosting service, which is trusted by AV tools, to deliver the payload.
BleepingComputer has recently seen Vidar being pushed by a campaign relying on over 200 typosquatting domains that impersonated 27 software brands.
A few days ago, SEKOIA published a report revealing another massive info-stealer distribution campaign using 128 websites that promote cracked software.
It is unclear if all of these malware campaigns are related to the fake AnyDesk sites.
Users are advised to bookmark the sites they use for downloading software, avoid clicking on promoted results (ads) in Google Search, and find the official URL of a software project from their Wikipedia page, documentation, or your OS’s package manager.