A new campaign has been observed spoofing the AnyDesk site to infect endpoints with the Vidar stealer. More than 1,300 domains impersonating the official AnyDesk site redirected users to a Dropbox folder that pushes the information-stealing malware.
Vidar is a data-stealing malware that hunts for sensitive data such as account credentials, banking information, cryptocurrency wallet data, browser history, and saved passwords, which are then used in the later part of the attack.
It is common for cybercriminals to spoof AnyDesk to distribute malware, since the remote desktop app is so popular.
Researchers discovered that all the hostnames resolve to the IP address 185.149.120[.]9 and made the hostname list public. Users landed on these websites after searching Google for pirated software and games. They were then sent to 108 second-stage domains, which redirected them to the final 20 domains hosting the malicious payloads.
The threat actors used the Dropbox file hosting service to deliver the malware payload, rather than concealing it behind further redirections, in order to avoid detection and takedowns.
The fake AnyDesk installer was a ZIP file named AnyDeskDownload.zip. Victims who clicked through the fake sites expected to install the remote desktop app, but were actually installing the Vidar stealer instead.
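As an added defender's example (not code from the report), the script below rebuilds the three-stage redirect chain described above from proxy log lines and flags the indicators the report gives: a lookalike AnyDesk hostname, resolution to 185.149.120[.]9, and a Dropbox download of AnyDeskDownload.zip. The log format, the hostnames and every IP other than 185.149.120.9 are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicators from the report: the IP the lookalike hosts resolved to and the fake
# installer name. The proxy log format and the log lines below are constructed.
KNOWN_BAD_IP = "185.149.120.9"
PAYLOAD_NAME = "anydeskdownload.zip"
# Constructed proxy log: "<client> <method> <url> <status> <resolved_ip> [<location>]"
SAMPLE_LOG = """\
10.0.0.5 GET http://anydesk-pro-download.example/dl 302 185.149.120.9 http://stage2.example/go
10.0.0.5 GET http://stage2.example/go 302 203.0.113.7 http://final.example/get
10.0.0.5 GET http://final.example/get 302 203.0.113.8 https://www.dropbox.com/s/abc123/AnyDeskDownload.zip?dl=1
10.0.0.5 GET https://www.dropbox.com/s/abc123/AnyDeskDownload.zip?dl=1 200 203.0.113.9
10.0.0.9 GET https://anydesk.com/en/downloads 200 203.0.113.10
10.0.0.9 GET https://www.dropbox.com/s/xyz/report.pdf 200 203.0.113.9
"""
LINE = re.compile(r"^(\S+) \S+ (\S+) (\d{3}) (\S+)(?: (\S+))?$")

def parse(log):
    # Each event: (client, url, status, resolved_ip, location_or_None)
    return [(m[1], m[2], int(m[3]), m[4], m[5])
            for m in map(LINE.match, log.splitlines()) if m]

def chains(events):
    # Rebuild each client's redirect chain by following Location headers in the log.
    by_client = defaultdict(list)
    for client, url, status, ip, loc in events:
        by_client[client].append((url, status, ip, loc))
    result = []
    for client, reqs in by_client.items():
        by_url = {r[0]: r for r in reqs}
        targets = {r[3] for r in reqs if 300 <= r[1] < 400}
        for url, status, ip, loc in reqs:
            if url in targets:
                continue  # reached via a redirect, so it belongs to an earlier chain
            chain = [(url, ip)]
            while 300 <= status < 400 and loc in by_url and len(chain) < 20:
                url, status, ip, loc = by_url[loc]
                chain.append((url, ip))
            result.append((client, chain))
    return result

def findings(log):
    # Flag chains touching a lookalike AnyDesk host, the known IP, or the Dropbox payload.
    out = []
    for client, chain in chains(parse(log)):
        hosts = [urlparse(u).hostname or "" for u, _ in chain]
        lookalike = [h for h in hosts if "anydesk" in h
                     and h != "anydesk.com" and not h.endswith(".anydesk.com")]
        bad_ip = KNOWN_BAD_IP in [ip for _, ip in chain]
        payload = hosts[-1].endswith("dropbox.com") and PAYLOAD_NAME in chain[-1][0].lower()
        if lookalike or bad_ip or payload:
            out.append(dict(client=client, hops=len(chain), lookalike=lookalike,
                            bad_ip=bad_ip, payload=payload))
    return out
```

Running `findings(SAMPLE_LOG)` reports the single four-hop chain from client 10.0.0.5 and leaves the legitimate anydesk.com visit and the unrelated Dropbox download untouched.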
Over 1,300 counterfeit domains have been reported to the registrars and taken down. Their Dropbox links were removed after being reported to the cloud storage service, but the threat actor could revive the campaign by simply updating the download URL to point at a different site.