After International Finance reported that the AnyDesk website was being impersonated by more than 1,300 domains, the company responded to us, stating that providing safe infrastructure to IT professionals is its top priority.
AnyDesk remarked, “Misusing our name to spread malware is unacceptable for AnyDesk. We are committed to doing everything in our power to help end fraud attempts. Our team is already actively taking countermeasures.”
“Millions of IT professionals worldwide depend on AnyDesk to securely connect to work computers and help with technical issues. Providing them with a safe infrastructure is our top priority,” the company added.
The impersonating domains link to a Dropbox folder that served the information-stealing malware known as ‘Vidar’.
AnyDesk is used by millions of people across the globe. It is a popular remote desktop programme for Windows, Linux, and macOS, used for secure remote connectivity and for carrying out system administration.
AnyDesk is frequently misused in malware distribution because of the tool’s popularity. For instance, Cyble revealed in October 2022 that the developers of Mitsu Stealer were promoting their new malware through an AnyDesk phishing site.
The latest iteration of the AnyDesk campaign was discovered by SEKOIA threat analyst crep1x, who tweeted a warning and provided the full list of the campaign’s malicious hostnames. These hostnames all resolve to the same IP address, 185.149.120[.]9.
Typosquats for major programmes including AnyDesk, MSI Afterburner, 7-Zip, Blender, Dashlane, Slack, VLC, OBS, bitcoin trading apps, and other software are included in the list of hostnames. No matter the name, all of them point to the same AnyDesk clone website.
Most of the domains are still active; some, however, have been reported and taken offline by registrars or are blocked by antivirus software. Even for the websites that remain up, their Dropbox links no longer work, as the malicious file was reported to the cloud storage service. The attacker can easily work around this by changing the download URL to another site.
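The campaign described above has two properties a defender can look for in resolver logs: many unrelated-looking hostnames resolving to one IP, and hostnames that are a small edit away from a brand name. The following is an added example (not code from the article, SEKOIA or AnyDesk) that runs that check over constructed sample DNS log lines; the log format, the `.example` hostnames and the client/legitimate IPs are invented for the demonstration, while the sink IP 185.149.120.9 and the brand list come from the article.

```python
"""Cluster DNS lookups by resolved IP and flag brand lookalike hostnames.

Added detection example, not part of the original article. The log format and
hostnames below are constructed; only the IOC IP and brand names are from the
article.
"""
from collections import defaultdict

# IOC from the article (defanged there as 185.149.120[.]9).
IOC_IPS = {"185.149.120.9"}
# Brands named in the article as typosquat targets.
BRANDS = ("anydesk", "7-zip", "blender", "dashlane", "slack", "vlc", "obs")

# Constructed resolver log (assumed format): "<time> <client> <qname> <rtype> <answer>".
# 203.0.113.x and 10.x addresses are documentation/private ranges, not real infrastructure.
SAMPLE_DNS_LOG = """\
2023-01-18T09:00:01Z 10.0.0.21 anydesk.com A 203.0.113.10
2023-01-18T09:00:04Z 10.0.0.21 anydeks.example A 185.149.120.9
2023-01-18T09:01:12Z 10.0.0.33 7-zipp.example A 185.149.120.9
2023-01-18T09:02:40Z 10.0.0.33 slak.example A 185.149.120.9
2023-01-18T09:03:05Z 10.0.0.40 dropbox.com A 203.0.113.20
2023-01-18T09:04:00Z 10.0.0.40 intranet.corp.example A 10.1.2.3
2023-01-18T09:05:00Z 10.0.0.21 anydeks.example A 185.149.120.9
2023-01-18T09:06:00Z 10.0.0.50 cdn.corp.example AAAA 2001:db8::1
"""


def parse_dns_log(text):
    """Return (qname, answer) pairs for A records; skip malformed or non-A lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "A":
            continue
        _ts, _client, qname, _rtype, answer = parts
        records.append((qname.lower().rstrip("."), answer))
    return records


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute) via row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(qname, brands=BRANDS, max_dist=2):
    """Return the brand that a hostname's first label imitates, or None.

    An exact label match is treated as the brand's own name and not flagged;
    near-misses (edit distance 1..2) and labels embedding the brand are flagged.
    """
    label = qname.split(".")[0]
    for brand in brands:
        if label == brand:
            return None
        dist = levenshtein(label, brand)
        if 1 <= dist <= max_dist or brand in label:
            return brand
    return None


def analyze(log_text, ioc_ips=IOC_IPS, brands=BRANDS, min_cluster=3):
    """Group lookups by answer IP and report IOC hits, shared-IP clusters and lookalikes."""
    records = parse_dns_log(log_text)
    by_ip = defaultdict(set)
    for qname, ip in records:
        by_ip[ip].add(qname)
    ioc_hits = sorted({q for q, ip in records if ip in ioc_ips})
    # Many distinct hostnames on one IP is the pattern the article describes.
    clusters = {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= min_cluster}
    lookalikes = {}
    for qname, _ip in records:
        brand = lookalike_brand(qname, brands)
        if brand:
            lookalikes[qname] = brand
    return {"ioc_hits": ioc_hits, "shared_ip_clusters": clusters, "lookalikes": lookalikes}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_DNS_LOG).items():
        print(key, value)
```

The IOC match is the cheapest signal but dies as soon as the attacker moves the sink IP; the shared-IP cluster and the lookalike label are the signals that survive that move, which is why the script reports all three separately.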
The websites were found to be distributing a ZIP file named “AnyDeskDownload.zip” [VirusTotal] that claimed to be an AnyDesk software installer. Instead of AnyDesk, the archive installs ‘Vidar stealer’, a malware that has been around since 2018.
Once executed, the malware steals the victims’ browsing history, login information, previously saved passwords, cryptocurrency wallet data, banking details, and other private information. This information may be used for other nefarious purposes or sold to other malicious actors.
In one such recent incident, a man from India lost Rs 5 lakh while attempting to fix his TV display. He reportedly downloaded the AnyDesk app on his phone and within seconds his bank account was robbed of Rs 5 lakh.