“The logic we observed is very similar to logic observed and published by Inde, where a masqueraded Zoom installer dropped a similar PowerShell script from an external resource,” researchers wrote. “Upon execution, a PowerShell implant was written to %TEMP/v.ps1 and executed with a command line switch of “-W 1″ to hide the PowerShell window.” Researchers noted the PowerShell used by criminals is similar to a script delivered by hacker’s behind a malicious a Zoom installer found in April.
The file bogus executable was signed by “Digital IT Consultants Plus Inc”, instead of the legitimate creators “philandro Software GmbH”. Researchers explained they first, “observed a suspicious file masquerading as AnyDesk… However, this was not the legitimate AnyDesk Remote Desktop application - rather, it had been weaponized with additional capabilities.” Once executed, the malware attempted to launch a PowerShell script. Researchers said victims who downloaded the program were conned into executing a binary called AnyDeskSetup.exe.
Twenty percent of those installations included “follow-on hands-on-keyboard activity” by criminals of the victim’s system, according a report on the incident published Wednesday. As a result, researchers with Crowdstrike estimate, 40 percent of those that clicked on the ad began the installation of the malware. The campaign, active since April 22, is notable because the criminals behind the malicious ad managed to avoid Google’s anti- malvertising screening policing. The campaign even bested AnyDesk’s own ad campaign on Google – ranking higher in its paid results. The order, which describes how federal agencies and their contractors must strengthen security, mentions IT service providers 15 times.A fake version of the popular remote desktop application AnyDesk, pushed via ads appearing in Google search results, served up a trojanized version of the program. In the executive branch, President Biden issued a cybersecurity executive order in May 2021.
Given that they are not malicious in and of themselves, this tactic allows the threat actor greater ability to operate without detection. Threat actors prefer legitimate tools that are either built in, company approved, or installed by the threat actor. We commonly refer to these TTPs as “living off the land.” Threat actors have long used legitimate tools as part of their attacks. But other tools are also known to be used. Conti, in some cases, prefer to leverage Atera in their attack process to streamline their attack process. “There is no evidence, threat intelligence, or indication of Atera being directly compromised.