Over 1,300 Domains Used to Deliver Notorious Information Stealer Malware

Cybersecurity News (original source: cybersecuritynews.com), by Blog Writer


The official AnyDesk website is being impersonated by more than 1,300 domains, all of which link to a Dropbox folder that delivers the Vidar information-stealing malware.

AnyDesk is a remote desktop program that provides file transfer, remote access to other computers, and other features.

Cyble revealed in October 2022 that the operators of Mitsu Stealer were pushing their new malware through an AnyDesk phishing site.

The recent AnyDesk campaign was discovered by SEKOIA threat analyst crep1x, who tweeted a warning and published the full list of the campaign’s malicious hostnames. All of these hostnames resolve to the same IP address, 185.149.120[.]9.

The list of the hostnames includes typosquats for AnyDesk, MSI Afterburner, 7-ZIP, Blender, Dashlane, Slack, VLC, OBS, cryptocurrency trading apps, and other popular software.
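The two indicators the article gives for this campaign are brand typosquats in the hostname and a single shared IP behind all of them. The following Python script is an added example (not code from the article or from SEKOIA) showing how a defender can screen a list of hostnames for both signals at once: it tokenizes each hostname, compares the tokens against a list of impersonated software brands using a small Levenshtein check, and then clusters the flagged hosts by the IP they resolve to. All hostnames, the `RESOLVED` map and the IP addresses below are constructed sample data (documentation-range IPs, not the campaign's real infrastructure); in practice the map would be filled from passive DNS or a resolver.

```python
"""Flag typosquatted software-download hostnames and cluster them by resolved IP.

Added example, not from the article or SEKOIA. Every hostname and IP below is
constructed sample data; the brands come from the article's list of impersonated
software.
"""
from collections import defaultdict

# Brands the article says were impersonated (a tuple keeps matching order deterministic).
BRANDS = ("anydesk", "7zip", "blender", "dashlane", "slack", "vlc", "obs")

# Hostnames a defender would not want flagged, e.g. the vendor's own domain.
ALLOWLIST = frozenset({"anydesk.com"})

# Constructed sample data: hostname -> IP it resolves to (RFC 5737 documentation ranges).
RESOLVED = {
    "anydesks-download.example": "203.0.113.9",
    "anydeskk.example": "203.0.113.9",
    "blender3d-get.example": "203.0.113.9",
    "7zipp-installer.example": "203.0.113.9",
    "anydesk.com": "198.51.100.10",  # legitimate vendor site on an unrelated IP
    "news.example": "192.0.2.44",    # unrelated site, should not be flagged
}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def tokens(hostname: str) -> list:
    """Split a hostname into lower-cased labels, and labels into hyphen-separated tokens."""
    out = []
    for label in hostname.lower().split("."):
        out.extend(t for t in label.split("-") if t)
    return out


def looks_like(token: str, brand: str) -> bool:
    """True if a token is the brand, contains a longer brand, or is one edit away from it.

    Short brands (vlc, obs) only match exactly, because substring or distance-1
    matching on three-letter names would flag ordinary words such as 'jobs'.
    """
    if token == brand:
        return True
    if len(brand) >= 5 and brand in token:
        return True
    return len(brand) >= 4 and levenshtein(token, brand) <= 1


def matched_brand(hostname: str, allowlist=ALLOWLIST):
    """Return the first impersonated brand found in the hostname, or None."""
    if hostname.lower() in allowlist:
        return None
    for token in tokens(hostname):
        for brand in BRANDS:
            if looks_like(token, brand):
                return brand
    return None


def cluster_by_ip(resolved: dict) -> dict:
    """Group brand-impersonating hostnames by the IP they resolve to."""
    by_ip = defaultdict(list)
    for host, ip in resolved.items():
        brand = matched_brand(host)
        if brand:
            by_ip[ip].append((host, brand))
    return dict(by_ip)


def suspicious_ips(resolved: dict, min_hosts: int = 2) -> list:
    """IPs that back several brand-impersonating hostnames at once: block/monitor candidates."""
    clusters = cluster_by_ip(resolved)
    return sorted(ip for ip, hosts in clusters.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    for ip, hosts in cluster_by_ip(RESOLVED).items():
        print(ip)
        for host, brand in hosts:
            print(f"  {host:<30} impersonates {brand}")
    print("shared infrastructure:", suspicious_ips(RESOLVED))
```

Blocking the shared IP at the proxy or DNS layer covers every hostname in a cluster in one rule, which is exactly why a campaign that funnels 1,300 domains through one address is easier to contain than one spread across many. The brand list and thresholds are deliberately conservative; tune them to the software your users actually download.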

The Vidar distribution uses a fake AnyDesk website

Reports stated that most of the domains are still active; some, however, have been reported and taken offline by registrars or are blocked by antivirus software.

The threat actor could easily work around such takedowns by changing the download URL to another site, although every element of this campaign currently points to the same website.

Vidar Info-Stealing Malware

Researchers say the websites were spreading a ZIP file with the name “AnyDeskDownload.zip” [VirusTotal] that claimed to be an AnyDesk software installer.

Instead of the remote access software, however, the installer drops Vidar stealer, malware that has been active since 2018.

Notably, the malware will take the victims’ browsing history, login information, previously-saved passwords, cryptocurrency wallet data, banking details, and other private information.

Once exfiltrated to the attackers, this information may be used for further malicious activity or sold to other threat actors.

The most recent Vidar campaign delivered the malware payload through the Dropbox file hosting service, which AV tools generally trust, rather than hiding it behind redirections to evade detection and takedowns.

Hence, users should avoid clicking on sponsored ads in Google Search, bookmark the websites they use to download software, and obtain the official URL of a software project from its Wikipedia page, its documentation, or their OS’s package manager.
