A massive campaign using more than 1,300 domains to impersonate the official AnyDesk site is underway, all redirecting to a Dropbox folder recently pushing the Vidar information-stealing malware.
AnyDesk is a popular remote desktop application for Windows, Linux, and macOS, used by millions of people around the world for secure remote connectivity or to perform system administration.
Due to the tool’s popularity, malware distribution campaigns often misuse the AnyDesk brand. For example, in October 2022, Cyble reported that Mitsu Stealer operators were using an AnyDesk phishing site to push their new malware.
New ongoing AnyDesk campaign
The campaign was spotted by SEKOIA threat analyst crep1x, who warned about it on Twitter and shared the full list of malicious hostnames. All of these hostnames resolve to the same IP address, 185.149.120[.]9.
The list of hostnames includes typosquats for AnyDesk, MSI Afterburner, 7-ZIP, Blender, Dashlane, Slack, VLC, OBS, cryptocurrency trading apps, and other popular software.
However, regardless of their name, they all lead to the same AnyDesk clone site, pictured below.
As of this writing, most domains are still online, while others have been flagged and taken offline by registrars or are blocked by AV tools. Even for sites that are up, their Dropbox links no longer work after the malicious file is reported to the cloud storage service.
However, since this campaign is all pointing to the same site, the threat actor can easily fix this issue by updating the download URL to another site.
All sites lead to Vidar Stealer
In the newly discovered campaign, the sites were distributing a ZIP file named “AnyDeskDownload.zip” [VirusTotal], which claimed to be an installer for the AnyDesk software.
However, instead of installing the remote access software, it installs Vidar stealer, an information-stealing malware circulating since 2018.
Once installed, the malware will steal victims’ browser history, account credentials, saved passwords, cryptocurrency wallet data, banking information and other sensitive data. This data is then sent back to attackers, who could use it for further malicious activity or sell it to other threat actors.
Users usually end up on these sites after searching Google for pirated versions of software and games. They are then directed to 108 second-stage domains, which redirect them to a final set of 20 domains that deliver the malicious payloads.
Instead of hiding the malware payload behind redirects to evade detection and removal, the recent Vidar campaign used the file hosting service Dropbox, which is trusted by AV tools, to deliver the payload.
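The indicators described above (every fake site resolving to 185.149.120[.]9, hostnames that are near-misses of the listed brands, and the AnyDeskDownload.zip payload fetched from Dropbox) are simple to triage from DNS or proxy logs. The script below is an added example, not code from BleepingComputer or SEKOIA: it runs over a handful of constructed log lines in an assumed `<timestamp> <client> <qname> <resolved_ip> <url>` format and flags each line that matches one of those indicators, with an edit-distance heuristic for typosquats of the brands the article names. The domains and non-campaign IPs in the sample are made up; only the campaign IP and the payload filename come from the article.

```python
"""Triage constructed DNS/proxy log lines against the indicators reported in the
article. Added example for illustration; not from BleepingComputer or SEKOIA."""
from typing import Optional, Tuple, List, Dict
from urllib.parse import urlparse, unquote

# Indicator from the article (written defanged there as 185.149.120[.]9).
CAMPAIGN_IP = "185.149.120.9"
# Payload filename reported in the article, compared case-insensitively.
PAYLOAD_NAME = "anydeskdownload.zip"
# Brands the article lists as typosquat targets, as bare registrable labels.
BRANDS = ("anydesk", "msiafterburner", "7zip", "blender", "dashlane", "slack", "vlc", "obs")

# Constructed sample log (hostnames under .example and RFC 5737 IPs are made up;
# only the campaign IP and the payload name are taken from the article).
SAMPLE_LOG = """\
2023-01-10T10:00:01Z 10.0.0.5 anydesk.com 198.51.100.10 https://anydesk.com/en/downloads
2023-01-10T10:00:07Z 10.0.0.5 anydeks.example 185.149.120.9 https://anydeks.example/
2023-01-10T10:00:09Z 10.0.0.5 www.dropbox.com 198.51.100.20 https://www.dropbox.com/s/abc123/AnyDeskDownload.zip?dl=1
2023-01-10T10:01:00Z 10.0.0.7 blendr.example 185.149.120.9 https://blendr.example/download
2023-01-10T10:02:00Z 10.0.0.8 slack.com 198.51.100.30 https://slack.com/
"""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def core_label(hostname: str) -> str:
    """Label left of the TLD, lower-cased with hyphens removed,
    e.g. 'www.any-desk.example' -> 'anydesk'. Naive single-label TLD split;
    use a public-suffix list for real traffic."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0]
    return labels[-2].replace("-", "")


def typosquat_of(label: str) -> Optional[Tuple[str, int]]:
    """(brand, distance) if label is a near-miss of a listed brand, else None.
    Exact matches (distance 0) are not typosquats; short brands get a tighter bound
    so that three-letter names like 'vlc' and 'obs' do not match random words."""
    for brand in BRANDS:
        limit = 1 if len(brand) < 6 else 2
        d = levenshtein(label, brand)
        if 0 < d <= limit:
            return brand, d
    return None


def triage(log_text: str) -> List[Dict]:
    """One finding per suspicious line, listing every indicator it matched."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line: skip rather than crash the whole run
        _ts, _client, qname, ip, url = parts
        reasons = []
        if ip == CAMPAIGN_IP:
            reasons.append(f"resolves to known campaign IP {CAMPAIGN_IP}")
        hit = typosquat_of(core_label(qname))
        if hit:
            reasons.append(f"typosquat of {hit[0]} (edit distance {hit[1]})")
        parsed = urlparse(url)
        filename = unquote(parsed.path.rsplit("/", 1)[-1]).lower()
        if filename == PAYLOAD_NAME and parsed.hostname and parsed.hostname.endswith("dropbox.com"):
            reasons.append(f"known payload name {PAYLOAD_NAME} served from Dropbox")
        if reasons:
            findings.append({"line": lineno, "host": qname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']}: {f['host']}: " + "; ".join(f["reasons"]))
```

On the sample, the legitimate `anydesk.com` and `slack.com` lines produce nothing, while the two look-alike hosts are caught twice over (campaign IP plus typosquat) and the Dropbox fetch is caught by filename alone. The IP match is the strongest signal as long as the infrastructure stays put; the typosquat and filename checks are the ones that keep working after the actor, as the article notes, simply points the same sites at a new download URL.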
BleepingComputer recently saw Vidar pushed by a campaign relying on over 200 typosquatting domains that impersonated 27 software brands.
A few days ago, SEKOIA published a report revealing another massive distribution campaign of information stealers using 128 websites that promote pirated software.
It is not clear if all these malware campaigns are related to fake AnyDesk sites.
Users are advised to bookmark the sites they use to download software, avoid clicking on promoted results (ads) in Google search, and find the official URL of a software project from its Wikipedia page, its documentation, or their operating system’s package manager.