Targeted AnyDesk Ads on Google Served Up Weaponized App – Threatpost

A malicious ad campaign ranked higher in Google search results than AnyDesk’s own legitimate ads.
A fake version of the popular remote desktop application AnyDesk, pushed via ads appearing in Google search results, served up a trojanized version of the program. The campaign even bested AnyDesk’s own ad campaign on Google – ranking higher in its paid results.
The campaign, active since April 22, is notable because the criminals behind the malicious ad managed to slip past Google’s anti-malvertising screening. As a result, researchers with CrowdStrike estimate, 40 percent of those who clicked on the ad went on to begin installing the malware. Twenty percent of those installations were followed by “hands-on-keyboard activity” by the criminals on the victim’s system, according to a report on the incident published Wednesday.
Researchers said victims who downloaded the program were conned into executing a binary called AnyDeskSetup.exe. Once executed, the malware attempted to launch a PowerShell script.
Researchers explained that they first “observed a suspicious file masquerading as AnyDesk… However, this was not the legitimate AnyDesk Remote Desktop application — rather, it had been weaponized with additional capabilities.”
The bogus executable was signed by “Digital IT Consultants Plus Inc” rather than by AnyDesk’s legitimate developer, “philandro Software GmbH”.
“Upon execution, a PowerShell implant was written to %TEMP%\v.ps1 and executed with a command line switch of ‘-W 1’ to hide the PowerShell window.” Researchers noted that the PowerShell script used by the criminals is similar to one dropped by a malicious Zoom installer found in April.
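The two indicators above, a signer that is not AnyDesk’s publisher and a PowerShell script dropped in the temp directory and run with a hidden window, translate directly into checks a defender can run. The following PowerShell script is an added example and is not code from the article or from CrowdStrike’s report. It assumes the installer sits at the path given in the `param` block, that Sysmon process-creation events (Event ID 1) are available as the telemetry source, and that the regular expressions below are reasonable approximations of the behavior described; the expected signer string is taken from the article. Note that a valid Authenticode chain alone is not enough, since the campaign’s binary was validly signed by a different company, so the check also compares the certificate subject.

```powershell
# Added example (not from the Threatpost article or CrowdStrike's report).
# Check 1: verify the installer's Authenticode signer is AnyDesk's publisher.
# Check 2: hunt recent Sysmon process-creation events for powershell.exe run with
#          a hidden window (-W 1 / -WindowStyle Hidden) on a .ps1 in a Temp folder.
# Assumptions (not from the article): the installer path, Sysmon as the log source,
# and the regex patterns used for matching.

param(
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\AnyDeskSetup.exe",  # assumed path
    [int]$LookbackHours = 24
)

# Legitimate vendor named in the article; "Digital IT Consultants Plus Inc" must fail.
$ExpectedSigner = 'philandro Software GmbH'

function Test-AnyDeskSigner {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'NotFound'; Signer = $null; Trusted = $false }
    }
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    # Both must hold: the chain validates AND the subject CN is the expected vendor.
    # A "Valid" status with the wrong CN is exactly the trojanized-installer case.
    $trusted = ($sig.Status -eq 'Valid') -and
               ($signer -match "CN=$([regex]::Escape($ExpectedSigner))")
    [pscustomobject]@{ Path = $Path; Status = $sig.Status; Signer = $signer; Trusted = $trusted }
}

function Find-HiddenTempPowerShell {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1                                   # process creation
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> elements into a hashtable.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Image       = $data['Image']
                ParentImage = $data['ParentImage']
                CommandLine = $data['CommandLine']
            }
        } |
        Where-Object {
            # -W is a prefix of -WindowStyle; value 1 is ProcessWindowStyle.Hidden.
            $_.Image       -match '(?i)\\powershell\.exe$' -and
            $_.CommandLine -match '(?i)(^|\s)-W[a-z]*\s+(1|Hidden)\b' -and
            $_.CommandLine -match '(?i)\\Temp\\[^\s"]+\.ps1'
        }
}

$sigResult = Test-AnyDeskSigner -Path $InstallerPath
$sigResult | Format-List
if (-not $sigResult.Trusted) {
    Write-Warning "Installer is NOT validly signed by '$ExpectedSigner'; do not run it."
}

$hits = Find-HiddenTempPowerShell -Hours $LookbackHours
if ($hits) {
    Write-Warning "Hidden-window PowerShell executing a script from a Temp folder:"
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No hidden PowerShell launches from Temp folders in the last $LookbackHours hours."
}
```

Run it from an elevated prompt so `Get-WinEvent` can read the Sysmon channel. If Sysmon is not deployed, the same hunt can be pointed at Security Event ID 4688, provided command-line auditing is enabled, by changing the log name, ID and field names accordingly; the matching logic stays the same.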
“The logic we observed is very similar to logic observed and published by Inde, where a masqueraded Zoom installer dropped a similar PowerShell script from an external resource,” researchers wrote.
Researchers estimate attackers spent about $1.75 per click.
“While it is unknown what percentage of Google searches for AnyDesk resulted in clicks on the ad, a 40 percent Trojan installation rate from an ad click shows that this is an extremely successful method of gaining remote access across a wide range of potential targets.”
CrowdStrike notified affected customers and alerted Google to the ad abuse.
“It appears that Google expeditiously took appropriate action, because at the time of this blog, the ad was no longer being served,” the report noted.
Joseph Neumann, a cyber executive advisor at Coalfire, said Google needs to take more responsibility when it comes to policing its own ad network.
“Companies such as Google need to develop better screening measures for legitimate organizations versus cybercriminals,” Neumann told Threatpost. “This most likely will be counterproductive to their current business model.”
According to Google, it relies on a combination of humans and automated tools to block abusive ads. “Google actively works with trusted advertisers and partners to help prevent malware in ads,” the company says. “Google’s proprietary technology and malware detection tools are used to regularly scan all creatives.”
Despite Google’s efforts to mitigate malvertising on its ad network, some experts believe the advertising behemoth and others need to go further.
Jennifer Geisler, chief marketing officer at Vectra AI, told Threatpost she thinks pressure will start to mount on these platforms to do more to block cybercriminals from using their tools.
“Just as SolarWinds is being called out for a breach of its platform, it may be time to apply the same governance to other platforms, such as advertising, when attackers work around the system to violate end users,” she said.