The AnyDesk website is being impersonated on a massive scale: more than 1,300 domains all link to a Dropbox folder that delivered the information-stealing malware 'Vidar'.
AnyDesk is used by millions of people across the globe. It is a popular remote desktop program for Windows, Linux, and macOS, used for secure remote connectivity and remote system administration.
Because of the tool's popularity, AnyDesk is frequently abused in malware distribution. For instance, Cyble revealed in October 2022 that the developers of Mitsu Stealer were promoting their new malware through an AnyDesk phishing site.
The latest campaign was discovered by SEKOIA threat analyst crep1x, who tweeted a warning and provided the full list of the campaign's malicious hostnames. All of these hostnames resolve to the same IP address, 185.149.120[.]9.
The list of hostnames includes typosquats of major programs including AnyDesk, MSI Afterburner, 7-Zip, Blender, Dashlane, Slack, VLC, OBS, bitcoin trading apps, and other software. Regardless of the name, all of them lead to the same AnyDesk clone website.
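The two indicators above (many typosquatted brand names, one shared IP) are easy to hunt for in resolver logs. The following is an added example, not code from the article or from SEKOIA: it scans constructed DNS log lines, flags any answer that resolves to the reported campaign IP, and flags registrable labels that contain or sit within a small edit distance of a brand name from an assumed watch list (the brand-to-legitimate-domain mapping is an assumption; the log format is constructed).

```python
import re
from typing import Optional

# IP reported for the campaign (defanged in the article as 185.149.120[.]9).
CAMPAIGN_IP = "185.149.120.9"

# Assumed watch list: brand keyword -> legitimate registrable domain (allowlisted).
BRANDS = {
    "anydesk": "anydesk.com", "7zip": "7-zip.org", "blender": "blender.org",
    "dashlane": "dashlane.com", "slack": "slack.com", "vlc": "videolan.org",
    "obs": "obsproject.com", "msiafterburner": "msi.com",
}

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), iterative single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def max_edits(brand: str) -> int:
    # Short brand names get little or no fuzzy matching to limit false positives.
    return 0 if len(brand) < 5 else 1 if len(brand) == 5 else 2

def classify(qname: str, answer: str) -> Optional[str]:
    """Verdict for one resolved hostname, or None if nothing looks suspicious."""
    parts = qname.lower().rstrip(".").split(".")
    registrable = ".".join(parts[-2:])            # naive: ignores multi-label TLDs
    if registrable in BRANDS.values():
        return None                               # legitimate vendor domain
    if answer == CAMPAIGN_IP:
        return "resolves-to-campaign-ip"
    label = re.sub(r"[^a-z0-9]", "", parts[-2])   # "7-zip-download" -> "7zipdownload"
    for brand in BRANDS:
        if brand in label or levenshtein(label, brand) <= max_edits(brand):
            return f"typosquat-candidate:{brand}"
    return None

# Constructed resolver log: "<timestamp> <client> <qname> A <answer>".
SAMPLE_LOG = """
2023-01-09T10:00:00Z 10.0.0.5 anydesk.com A 203.0.113.10
2023-01-09T10:00:01Z 10.0.0.7 anydeks.com A 185.149.120.9
2023-01-09T10:00:02Z 10.0.0.8 anydeks.net A 198.51.100.9
2023-01-09T10:00:03Z 10.0.0.8 7-zip-download.com A 198.51.100.4
2023-01-09T10:00:04Z 10.0.0.9 example.com A 198.51.100.5
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) A (\S+)$")

def scan(log_text: str) -> list:
    """Return (qname, answer, verdict) for every suspicious line in the log."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if m:
            _ts, _client, qname, answer = m.groups()
            verdict = classify(qname, answer)
            if verdict:
                hits.append((qname, answer, verdict))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The registrable-domain split is deliberately naive; in production use a public-suffix library and tune the edit-distance thresholds against your own traffic before alerting.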
Most of the domains are still active, although some have been reported and taken offline by registrars or are blocked by antivirus software. Even on the sites that remain up, the Dropbox links no longer work, because the malicious file was reported to the cloud storage service. The attacker can easily work around this, however, by changing the download URL to another host.
The websites were found to distribute a ZIP file named "AnyDeskDownload.zip" [VirusTotal] that posed as the AnyDesk installer. Instead of AnyDesk, the archive installs Vidar stealer, a malware family that has been around since 2018.
Once executed, the malware steals the victim's browsing history, login credentials, saved passwords, cryptocurrency wallet data, banking details, and other private information. This information may be used in further attacks or sold to other threat actors.