Digital advertising is one of the fastest-growing media. The entire world is hooked on cell phones, and hence digital ads are often served on social media and through Google AdWords keywords. Owing to its growing popularity, adversaries use it as a reliable platform to push their attacks on web users. Recently, security experts uncovered a sophisticated malvertising campaign (malware advertising) distributing a weaponized AnyDesk installer via targeted Google ads shown for searches on the keyword “anydesk.” According to a security investigation by the CrowdStrike Falcon Complete team, cybercriminals are spreading a malicious file, “AnyDeskSetup.exe,” masquerading as the legitimate AnyDesk Remote Desktop application.
AnyDesk is a remote desktop application that provides independent remote access, file transfer, and VPN functionality to computer systems and other devices running the host application.
“Falcon captured AnydeskSetup.exe running from the user’s Downloads directory. A quick review of the file and the behavior observed from its execution revealed that this was not a normal AnyDesk installer,” CrowdStrike said.
How does Malvertising work?
In malvertising, malware code or a malicious script is spread via legitimate-looking ads on websites. Malware authors purchase ad space on popular websites and run their malware-laced ads on those pages. With malicious code hidden inside these ads, they often redirect users to fraudulent websites or install malware on their devices.
CrowdStrike researchers stated that the malicious executable appeared to have been manipulated to evade detection and that it automatically installs a PowerShell script, which is run with the command line: "C:\Intel\rexc.exe" -exec bypass \Intel\g.ps1. They also detected a “rexc.exe” executable that appeared to be a renamed PowerShell binary, renamed to bypass and avoid detections.
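A defender-side check for the behaviour CrowdStrike describes (a renamed PowerShell binary launched with an execution-policy bypass and a drive-relative script path), as an added example that is not from the article or from CrowdStrike's report. It scans constructed process-creation records with Sysmon-style field names (Image, OriginalFileName, CommandLine are assumed) and returns the reasons each record is suspicious.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# The rexc.exe / g.ps1 record mirrors the command line quoted in the article;
# the other two records are made up for contrast.
SAMPLE_EVENTS = [
    {"Image": r"C:\Intel\rexc.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r'"C:\Intel\rexc.exe" -exec bypass \Intel\g.ps1'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"Image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "OriginalFileName": "AnyDesk.exe",
     "CommandLine": r'"C:\Program Files\AnyDesk\AnyDesk.exe"'},
]

# File names under which PowerShell legitimately runs.
KNOWN_PS_NAMES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# -ExecutionPolicy Bypass and its accepted abbreviations (-ex, -exec, -ep).
BYPASS_RE = re.compile(r"-(?:ex(?:ec(?:utionpolicy)?)?|ep)\s+bypass", re.IGNORECASE)
# First .ps1 argument on the command line.
SCRIPT_RE = re.compile(r"(\S+\.ps1)", re.IGNORECASE)


def check_event(ev):
    """Return the list of reasons an event is suspicious (empty if nothing matched)."""
    reasons = []
    name = PureWindowsPath(ev["Image"]).name.lower()
    # 1. The PE version info says PowerShell, but the file on disk has another name.
    if ev.get("OriginalFileName", "").lower() == "powershell.exe" and name not in KNOWN_PS_NAMES:
        reasons.append(f"renamed PowerShell binary: {name}")
    # 2. The execution policy is bypassed on the command line.
    if BYPASS_RE.search(ev["CommandLine"]):
        reasons.append("execution policy bypass")
    # 3. The script is given as a drive-relative path (\dir\x.ps1), as in the campaign.
    m = SCRIPT_RE.search(ev["CommandLine"])
    if m and re.match(r"^\\[^\\]", m.group(1)):
        reasons.append(f"drive-relative script path: {m.group(1)}")
    return reasons


def scan(events):
    """Map each event's Image to its list of reasons, keeping only flagged events."""
    return {ev["Image"]: r for ev in events if (r := check_event(ev))}
```

The OriginalFileName check is the strongest of the three, since renaming the binary does not change the PE version resource that Sysmon reports.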
The AnyDesk Malvertising Campaign
Attackers created specially crafted malicious Google ads to target users searching Google for AnyDesk. The malvertising campaign, which has been active since April 21, 2021, leveraged intermediary sites that redirect users to a social engineering page hosted at the URL https[:]//domohop[.]com/anydesk-download/, which auto-downloads the trojanized installer from the link https://anydesk.s3-us-west-1.amazonaws[.]com/AnydeskSetup.exe.
CrowdStrike found that threat actors could have spent over $3,500 to get some 2,000 clicks for the single keyword – “anydesk.”
Indicators of Compromise
“CrowdStrike’s internal available data suggests that 40% of clicks on this malicious ad turned into installations of this trojanized AnyDesk binary, and 20% of installations included follow-on hands-on-keyboard activity. While it is unknown what percentage of Google searches for AnyDesk resulted in clicks on the ad, a 40% Trojan installation rate from an ad click shows that this is an extremely successful method of gaining remote access across a wide range of potential targets,” CrowdStrike added.