Last Updated on May 30, 2021 by Calvin C.
Cybercriminals use malvertising to distribute malware, and if you recently downloaded the AnyDesk installer from a search ad, there is bad news for you. A trojanized AnyDesk installer was found being promoted through Google Ads, and users who ran this fake version risk handing control of their machines to attackers.
Before Google took action, the ads were displayed to anyone using the keyword “anydesk” on Google Search.
AnyDesk is a remote desktop application that gives a user remote access to another device running the same software.
This lets IT professionals fix problems on another user’s computer without being physically present.
COVID-19 led to a rise in the use of remote desktop applications, and cybercriminals have scaled up their operations to match.
In one article, I wrote about scammers who use the application to connect to victims and pretend to be from tech support.
Cybercriminals use a variety of methods to attack victims.
One of them is malware that steals information, compromises privacy and performs other malicious actions on the infected machine.
The fake AnyDesk software
In this malvertising case, the attackers ran a Google Ads campaign promoting a fake AnyDesk download whose installer file, AnyDeskSetup.exe, had been weaponized as a trojan designed to give the attackers control of the victim’s computer once it was installed.
Clicking the ad sent you to a clone of the AnyDesk website that offered the trojanized installer for download, and you were routed through intermediary sites before reaching the download link.
CrowdStrike Falcon Complete researchers identified the following 3 intermediary sites:
The researchers spotted the malware in April 2021 after noticing that the file had been written to disk and was exhibiting suspicious activity.
You may wonder how the installer slipped past Google’s ad security checks and endpoint protection.
The executable had been manipulated to evade detection: among other things, it attempted to launch a PowerShell script under the name rexc.exe, so a rule that only looks for powershell.exe would not see it.
Further digging showed that, once downloaded, AnyDeskSetup.exe was run from the user’s Downloads directory.
Other red flags were also apparent:
- The file was signed by Digital IT Consultants Inc rather than by philandro Software GmbH, the maker of AnyDesk.
- Network activity from the application went to the domain anydeskstat[.]com, registered on April 9, 2021 and hosted on a Russian IP address.
- On execution, a PowerShell implant was written to %TEMP%\v.ps1 and run with the command-line switch -W 1 (the short form of -WindowStyle Hidden), so that no PowerShell window was shown to the user.
This confirmed the malicious nature of the file and gave the researchers the confidence to investigate further.
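The red flags above translate directly into detection logic. The following is an added example (not code from the original article or from CrowdStrike’s report) that runs three rules over a handful of constructed endpoint telemetry records: an AnyDesk installer whose signer is not the vendor, a PowerShell script dropped into %TEMP% and run with the hidden-window switch, and a DNS lookup for an AnyDesk look-alike domain. The record schema (kind, image, cmdline, signer, path, query) and the sample command line for rexc.exe are this example’s own assumptions, not a real EDR or Sysmon format. Because the page reports the PowerShell component running under the name rexc.exe, the hidden-window rule keys on the -W 1 switch and the script path rather than on powershell.exe appearing in the image name.

```python
"""Detection rules for the AnyDesk malvertising red flags, over constructed telemetry.

Added example, not from the original article or CrowdStrike. Event records are
made up to mimic simplified endpoint telemetry; the field names are this
example's own schema, not a real EDR or Sysmon format.
"""
import re

# Legitimate AnyDesk signer, as named in the article.
EXPECTED_ANYDESK_SIGNER = "philandro Software GmbH"
# Assumption: a genuine installer only talks to the vendor's own domain.
EXPECTED_ANYDESK_DOMAINS = ("anydesk.com",)

# -W / -WindowStyle followed by 1 or Hidden hides the PowerShell console.
HIDDEN_WINDOW = re.compile(r'(?i)(?:^|\s)-(?:w|windowstyle)\s+(?:1|hidden)\b')
# A .ps1 under %TEMP%, either as the literal variable or its expanded path.
TEMP_PS1 = re.compile(r'(?i)%temp%\\[^\s"]+\.ps1|\\appdata\\local\\temp\\[^\s"]+\.ps1')


def _is_vendor_domain(query):
    q = query.lower()
    return any(q == d or q.endswith("." + d) for d in EXPECTED_ANYDESK_DOMAINS)


def analyze(events):
    """Return a list of (rule, detail) findings for the given event records."""
    findings = []
    for ev in events:
        kind = ev["kind"]
        image = ev.get("image", "").lower()
        if kind == "process":
            # Rule 1: an AnyDesk installer signed by anyone but the vendor.
            if image.endswith("anydesksetup.exe") and ev.get("signer") != EXPECTED_ANYDESK_SIGNER:
                findings.append(("unexpected_signer", f"{ev['image']} signed by {ev.get('signer')!r}"))
            # Rule 2: hidden-window PowerShell running a script out of %TEMP%,
            # regardless of what the host binary is called (rexc.exe or otherwise).
            cmd = ev.get("cmdline", "")
            if HIDDEN_WINDOW.search(cmd) and TEMP_PS1.search(cmd):
                findings.append(("hidden_powershell_from_temp", cmd))
        elif kind == "file":
            # Rule 2 (drop stage): a .ps1 written into the user's Temp directory.
            path = ev["path"].lower()
            if path.endswith(".ps1") and "\\temp\\" in path:
                findings.append(("ps1_dropped_in_temp", f"{ev['image']} wrote {ev['path']}"))
        elif kind == "dns":
            # Rule 3: an "anydesk" domain that is not the vendor's.
            if "anydesk" in ev["query"].lower() and not _is_vendor_domain(ev["query"]):
                findings.append(("anydesk_lookalike_domain", ev["query"]))
    return findings


# Constructed records for this example; not real telemetry. The rexc.exe
# command line is hypothetical, built from the switches the article describes.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Users\victim\Downloads\AnyDeskSetup.exe",
     "signer": "Digital IT Consultants Inc",
     "cmdline": r"C:\Users\victim\Downloads\AnyDeskSetup.exe"},
    {"kind": "file", "image": r"C:\Users\victim\Downloads\AnyDeskSetup.exe",
     "path": r"C:\Users\victim\AppData\Local\Temp\v.ps1"},
    {"kind": "process", "image": r"C:\Users\victim\AppData\Local\Temp\rexc.exe",
     "cmdline": r"rexc.exe -W 1 -File C:\Users\victim\AppData\Local\Temp\v.ps1"},
    {"kind": "dns", "image": r"C:\Users\victim\AppData\Local\Temp\rexc.exe",
     "query": "anydeskstat.com"},
    # Benign control records: the real signer, the vendor's domain, an ordinary script.
    {"kind": "process", "image": r"C:\Users\victim\Downloads\AnyDeskSetup.exe",
     "signer": "philandro Software GmbH",
     "cmdline": r"C:\Users\victim\Downloads\AnyDeskSetup.exe"},
    {"kind": "dns", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "query": "download.anydesk.com"},
    {"kind": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
]

BENIGN_EVENTS = SAMPLE_EVENTS[4:]


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Running the block prints four findings, one per malicious record, and nothing for the three benign controls. The window-style regex deliberately accepts both the numeric and the named form, since -WindowStyle Hidden and -W 1 are interchangeable to PowerShell and an attacker can pick either.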
“The logic we observed is very similar to logic observed and published by Inde, where a masqueraded Zoom installer dropped a similar PowerShell script from an external resource,” said researchers.
The attackers paid $1.75 per click, which shows how well funded and orchestrated the operation was, and with 30-40% of ad clicks ending in a trojan installation, every day was a good day at the office for them.
“While it is unknown what percentage of Google searches for AnyDesk resulted in clicks on the ad, a 40% Trojan installation rate from an ad click shows that this is an extremely successful method of gaining remote access across a wide range of potential targets,” said researchers.
Abusing Google Ads to deliver malware is not a new tactic.
Because the ad platform lets advertisers target by geography, it also gives attackers an easy way to aim a campaign at specific regions.
Google took the ad down as soon as the CrowdStrike Falcon Complete researchers reported it.
The episode shows the lengths cybercriminals will go to in order to mislead potential victims.
A VPN hides your IP address from the sites you visit, but it does nothing about a sponsored result at the top of a Google search, so it will not protect you from this kind of attack. The practical defence is to skip the ad entirely, type the vendor’s own address (anydesk.com) instead, and, before running any installer, check the digital signature in the file’s properties: the signer should be the software’s maker, not an unrelated company.