According to the CrowdStrike Falcon Complete team, the malvertising campaign delivers a malicious file named “AnyDeskSetup.exe” that masquerades as the AnyDesk setup executable; upon execution it downloads a PowerShell implant that exfiltrates system data.
The weaponized AnyDesk installer was delivered through Google ads shown to users searching for the keyword “anydesk”.
How did Falcon Complete detect the malvertising campaign targeting AnyDesk?
During a review of the process tree, the CrowdStrike Falcon platform detected an executable that appeared to have been manipulated to evade detection and that attempted to launch a PowerShell script with the following command line: "C:\Intel\rexc.exe" -exec bypass \Intel\g.ps1 (“-exec bypass” is the abbreviated form of “-ExecutionPolicy Bypass”, which lets the script run regardless of the configured execution policy).
“rexc.exe” turned out to be a renamed copy of the PowerShell binary, an attempt to evade detections keyed on the process name. On further review, “AnydeskSetup.exe” was found running from the user’s Downloads directory.
The script contained multiple functions resembling an implant, together with a hardcoded domain (zoomstatistic[.]com) to which it “POST”ed reconnaissance information such as the user name, hostname, operating system, IP address and the name of the current process. The script also used a specific user-agent string and URI for this connection.
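The two evasion tricks described above (a renamed PowerShell binary and an execution-policy bypass on the command line) are both visible in ordinary process-creation telemetry. The following Python is an added example, not CrowdStrike’s detection logic, that runs a few hunting checks over constructed Sysmon-style process-creation records. The expected OriginalFileName values for PowerShell, the list of “staging” directories and the sample events are assumptions made for the example; verify the first two against your own telemetry before relying on them.

```python
import re
from dataclasses import dataclass

# Sysmon Event ID 1 carries OriginalFileName from the PE version resource, which
# survives a rename on disk. Assumption: these are the values for Windows
# PowerShell (powershell.exe) and PowerShell 7 (pwsh.exe); check your own data.
POWERSHELL_ORIGINAL_NAMES = {"powershell.exe", "pwsh.dll"}
POWERSHELL_IMAGE_NAMES = {"powershell.exe", "pwsh.exe"}

# powershell.exe accepts unambiguous prefixes of -ExecutionPolicy ("-exec", "-ex")
# as well as the short form "-ep"; "bypass" and "unrestricted" both disable policy.
EXEC_POLICY_BYPASS = re.compile(
    r"(?:^|\s)-(?:ex[a-z]*|ep)\s+(?:bypass|unrestricted)\b", re.IGNORECASE
)

# Directories the write-up associates with the dropper and the implant
# (assumption: extend with the user-writable paths you care about).
SUSPICIOUS_DIRS = ("\\intel\\", "\\downloads\\", "\\appdata\\local\\temp\\")


@dataclass
class ProcessEvent:
    """Minimal Sysmon-like process-creation record (constructed for the example)."""
    image: str
    original_file_name: str
    command_line: str
    parent_image: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(ev: ProcessEvent) -> list:
    """Return a list of human-readable findings for one event (empty if clean)."""
    findings = []

    # 1. Renamed PowerShell: version resource says PowerShell, file name does not.
    if (ev.original_file_name.lower() in POWERSHELL_ORIGINAL_NAMES
            and basename(ev.image) not in POWERSHELL_IMAGE_NAMES):
        findings.append(f"renamed PowerShell binary: {ev.image} "
                        f"(OriginalFileName={ev.original_file_name})")

    # 2. Execution policy bypass requested on the command line.
    if EXEC_POLICY_BYPASS.search(ev.command_line):
        findings.append("execution policy bypass on command line")

    # 3. A .ps1 script launched from a staging directory.
    lowered = ev.command_line.lower()
    if ".ps1" in lowered and any(d in lowered for d in SUSPICIOUS_DIRS):
        findings.append("PowerShell script run from a user-writable staging directory")

    # 4. Parent process (the dropper) itself lives in the Downloads folder.
    if "\\downloads\\" in ev.parent_image.lower():
        findings.append(f"parent launched from Downloads: {ev.parent_image}")

    return findings


# Constructed sample events: the first mirrors the command line quoted in the
# article, the second is routine administration, the third is a renamed
# PowerShell without the other indicators.
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Intel\rexc.exe",
        original_file_name="PowerShell.EXE",
        command_line=r'"C:\Intel\rexc.exe" -exec bypass \Intel\g.ps1',
        parent_image=r"C:\Users\victim\Downloads\AnydeskSetup.exe",
    ),
    ProcessEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        original_file_name="PowerShell.EXE",
        command_line=r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1",
        parent_image=r"C:\Windows\System32\svchost.exe",
    ),
    ProcessEvent(
        image=r"C:\Users\victim\AppData\Local\Temp\update.exe",
        original_file_name="pwsh.dll",
        command_line=r"update.exe -NoProfile -Command Get-Date",
        parent_image=r"C:\Windows\explorer.exe",
    ),
]


def hunt(events) -> dict:
    """Map each command line to its findings, keeping only events that fired."""
    return {ev.command_line: f for ev in events if (f := analyze(ev))}


if __name__ == "__main__":
    for cmd, findings in hunt(SAMPLE_EVENTS).items():
        print(cmd)
        for f in findings:
            print("   -", f)
```

The OriginalFileName comparison is the check that matters most here: a process-name rule for powershell.exe would never have fired on rexc.exe, while the PE version resource still identifies it. Treat the regex and directory list as starting points, not a complete rule set.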
How did the threat actors use malicious Google ads (malvertising)?
The threat actor served these malicious ads to Google search users querying the “AnyDesk” keyword since at least April 21, 2021. The malvertising campaign uses intermediary websites that redirect to a page hosted at https[:]//domohop[.]com/anydesk-download/, a clone of the legitimate AnyDesk website.
The researchers observed that the ads may have been targeted at specific geographic regions, since the ad was not consistently delivered depending on the region where the search request originated.
CrowdStrike’s data suggests that 40% of clicks on the malicious ad resulted in installation of the trojanized AnyDesk binary, and that 20% of those installations were followed by hands-on-keyboard activity.
It remains unknown what percentage of searches for AnyDesk resulted in clicks, but a 40% installation rate from an ad click shows that this is an effective method of reaching a wide range of potential targets.