A fake version of the popular remote access app AnyDesk, pushed via ads appearing in Google search results, served up a trojanized version of the program. The campaign even bested AnyDesk’s own ad campaign on Google, ranking higher in its paid results.
Researchers with CrowdStrike estimate that 40 percent of those who clicked on the ad began installing the malware, and 20 percent of those installations were followed by “follow-on hands-on-keyboard activity” by criminals on the victim’s system.
Victims who downloaded the program were conned into executing a binary called AnyDeskSetup.exe. Once executed, the malware attempted to launch a PowerShell script.
Image caption: A suspicious file masquerading as the AnyDesk executable, weaponized with malware.
The bogus executable was signed by “Digital IT Consultants Plus Inc” instead of the legitimate creators, “philandro Software GmbH”.
“Upon execution, a PowerShell implant was written to %TEMP/v.ps1 and executed with a command line switch of ‘-W 1’ to hide the PowerShell window.”
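A detection-side illustration added here (not code from the original report or from CrowdStrike): Python that scans constructed process-creation records for the two traits described above, a PowerShell launch with its window hidden (-W 1, or any prefix of -WindowStyle with Hidden) running a .ps1 from the Temp directory, and an AnyDesk-named binary whose signer is not philandro Software GmbH. The record layout, file paths and the sample events are assumptions.

```python
import re
import ntpath

# Expected Authenticode signer for the genuine AnyDesk binaries (named in the article).
LEGIT_ANYDESK_SIGNER = "philandro Software GmbH"

# "-W 1" as used in the campaign, or any prefix of -WindowStyle followed by Hidden/1.
HIDDEN_WINDOW_RE = re.compile(r"-w[a-z]*\s+(?:hidden|1)\b", re.IGNORECASE)
# A .ps1 script under a Temp directory or referenced via %TEMP%.
TEMP_SCRIPT_RE = re.compile(r"(?:%temp%|\\temp\\)[^\s\"']*\.ps1\b", re.IGNORECASE)

# Constructed process-creation records (not real telemetry); the fields are an
# assumption about what an EDR or Sysmon process-creation export would carry.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\u\Downloads\AnyDeskSetup.exe",
     "cmdline": "AnyDeskSetup.exe", "signer": "Digital IT Consultants Plus Inc"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -W 1 -File C:\Users\u\AppData\Local\Temp\v.ps1",
     "signer": "Microsoft Windows"},
    {"image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe", "signer": LEGIT_ANYDESK_SIGNER},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1", "signer": "Microsoft Windows"},
]

def is_hidden_window(cmdline: str) -> bool:
    """True when PowerShell is told to hide its console window."""
    return bool(HIDDEN_WINDOW_RE.search(cmdline))

def runs_temp_script(cmdline: str) -> bool:
    """True when the command line runs a .ps1 from a Temp directory."""
    return bool(TEMP_SCRIPT_RE.search(cmdline))

def anydesk_signer_mismatch(event: dict) -> bool:
    """Flag AnyDesk-named binaries not signed by the vendor's certificate."""
    name = ntpath.basename(event["image"]).lower()
    return name.startswith("anydesk") and event["signer"] != LEGIT_ANYDESK_SIGNER

def triage(events: list) -> list:
    """Return (index, reason) pairs for events matching the campaign's traits."""
    findings = []
    for i, ev in enumerate(events):
        image = ntpath.basename(ev["image"]).lower()
        if anydesk_signer_mismatch(ev):
            findings.append((i, "anydesk binary with unexpected signer"))
        elif "powershell" in image and is_hidden_window(ev["cmdline"]) \
                and runs_temp_script(ev["cmdline"]):
            findings.append((i, "hidden-window powershell running script from temp"))
    return findings
```

Running `triage(SAMPLE_EVENTS)` flags the mis-signed installer and the hidden PowerShell launch from Temp, and leaves the genuine AnyDesk binary and the ordinary backup script alone.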
Companies such as Google need to develop better screening measures to distinguish legitimate organizations from cybercriminals.
Google actively works with trusted advertisers and partners to help prevent malware in ads. Despite Google’s efforts to mitigate malvertising on its ad network, some experts believe the advertising behemoth and others need to go further.
If SolarWinds is being called out for a breach of its platform, it may be time to apply the same governance to other platforms, such as advertising, when attackers work around the system to victimize end users.