Heads up, AnyDesk users! A huge phishing campaign involving over 1300 domains delivers the Vidar info stealer by mimicking AnyDesk. Users should always ensure they download AnyDesk, or any other software, from the official, legitimate website to avoid such threats.
AnyDesk Phishing Campaign Pushes Vidar Info Stealer
The security researcher and threat analyst at SEKOIA.IO who goes by the alias crep1x on Twitter has recently shared details about an ongoing phishing campaign exploiting AnyDesk.
As described, the attackers behind this campaign have set up over 1300 domains that redirect users to a fake website mimicking the layout of AnyDesk’s official site. In this way, the threat actors aim to deliver the Vidar info stealer to potential victims.
Vidar is a potent data-stealing trojan that made it to the news in 2018. It usually reaches the target devices via malvertising and sneakily establishes itself on the device to steal sensitive information, mainly saved passwords.
To date, Vidar has been involved in numerous spam and phishing campaigns, targeting victims worldwide.
According to crep1x, he recently spotted over 1300 domains delivering Vidar by posing as fake AnyDesk installers. The attackers have stored the malware on a Dropbox link to which all domains redirect users. Also, all domains resolve to the same IP address.
1300+ domains are hosting a webpage that impersonates the official AnyDesk website.
All webpages redirect the user to the same Dropbox link, downloading #Vidar stealer (botnet 586).
All domains resolve to the IP address 185.149.120[.]9
(a rather curious campaign!) pic.twitter.com/vqbw34USwx
— crep1x (@crep1x) January 8, 2023
To avoid suspicion, the attackers have also used typosquatted names for other popular software like Slack, TeamViewer, and VideoLAN. But all the domains link back to the same webpage that impersonates AnyDesk.
Typosquatting of various software is used for domain names, including 7zip, AnyDesk, Slack, TeamViewer, VideoLAN – but all domains display the AnyDesk website
The threat actor seems to reuse the domains of other campaigns. No idea how these webpages are being distributed
Domains ⬇️
— crep1x (@crep1x) January 8, 2023
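The infrastructure pattern described above (many typosquatted domains, one shared IP, one shared download URL) is easy to hunt for in DNS and proxy telemetry. The following triage script is an added example, not code from the article or from SEKOIA.IO; it runs over constructed records, uses the campaign IP quoted in the tweet, and assumes a placeholder Dropbox URL since the real one is not given on the page.

```python
import re

# Campaign indicator taken from the article (defanged there as 185.149.120[.]9).
CAMPAIGN_IP = "185.149.120.9"
# Software brands the article says were typosquatted in the domain names.
BRANDS = ("anydesk", "7zip", "slack", "teamviewer", "videolan")

def levenshtein(a, b):
    """Edit distance between two strings; catches near-miss brand spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_of(domain):
    """Return the brand the first label imitates, or None (an exact brand label is not flagged)."""
    label = re.sub(r"[^a-z0-9]", "", domain.lower().replace("[.]", ".").split(".")[0])
    for brand in BRANDS:
        if label != brand and (brand in label or levenshtein(label, brand) <= 2):
            return brand
    return None

def triage(records):
    """records: (domain, resolved_ip, final_download_url) tuples.
    Returns {domain: [reasons]} for every domain matching at least one campaign trait."""
    by_url = {}
    for dom, _ip, url in records:
        by_url.setdefault(url, []).append(dom)
    findings = {}
    for dom, ip, url in records:
        reasons = []
        if ip == CAMPAIGN_IP:
            reasons.append("resolves to known campaign IP")
        if len(by_url[url]) > 1:
            reasons.append("shares download URL with %d other domains" % (len(by_url[url]) - 1))
        brand = typosquat_of(dom)
        if brand:
            reasons.append("typosquat of " + brand)
        if reasons:
            findings[dom] = reasons
    return findings

# Constructed sample observations (not real telemetry); the Dropbox URL is a placeholder.
DROP_URL = "https://www.dropbox.com/s/PLACEHOLDER/AnyDesk.zip"
SAMPLE = [
    ("anydesck.example", CAMPAIGN_IP, DROP_URL),
    ("teamviewer-download.example", CAMPAIGN_IP, DROP_URL),
    ("7zipp.example", CAMPAIGN_IP, DROP_URL),
    ("anydesk.com", "203.0.113.10", "https://anydesk.com/en/downloads"),  # legitimate control
]

if __name__ == "__main__":
    for dom, reasons in triage(SAMPLE).items():
        print(dom, "->", "; ".join(reasons))
```

In real use the records would come from passive DNS or proxy logs, and the shared-URL check is what separates this campaign's cluster from ordinary typosquats.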
According to the responses shared on the researcher’s Twitter thread, some of the malicious domains are hosted on NameCheap. When alerted, NameCheap responded that it would “take care of it,” whereas the domains hosted on DigitalOcean had yet to be removed.
This isn’t the first phishing campaign exploiting AnyDesk. In October 2022, Cyble researchers also reported a malicious campaign using AnyDesk phishing sites to spread Mitsu malware.