Malicious actors have used more than 1,300 malicious domains in a recently identified campaign that impersonated the official AnyDesk website. The victims of this massive campaign are redirected to a Dropbox folder that pushes the Vidar infostealer into their devices.
The security researcher who discovered this campaign first warned people through Twitter and shared a list of all the malicious domains that hosted the fake AnyDesk sites. All of the hostnames resolve to a single IP address (185.149.120[.]9), which is itself a strong sign that they belong to one operation.
Aside from AnyDesk, many other popular software tools were also impersonated in the campaign spreading the Vidar infostealer.
From observing the released list of hostnames, many are typo-squatted domains for popular software tools besides AnyDesk, including MSI Afterburner, Blender, Slack, Dashlane, VLC, 7-Zip, and cryptocurrency trading apps, among others.
Oddly, these hostnames direct visitors to the same fake AnyDesk website regardless of name.
Some of the domains on the list have already been taken down. While that is good news, experts note that because every domain funnels victims to the same fake AnyDesk site, the operators can easily repair a broken chain by pointing the download link on that site elsewhere.
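The pattern the article describes, many look-alike hostnames for different products all resolving to one IP, is something defenders can hunt for in passive-DNS or proxy logs. The following Python is an added example (not code from the article or the researcher): it matches hostnames against the impersonated product names and groups the matches by resolved IP. The hostnames and the two extra IPs are constructed placeholders; only 185.149.120.9 comes from the article.

```python
from collections import defaultdict
from difflib import SequenceMatcher

# Products the article says were impersonated; lower-cased, separators removed.
BRANDS = ["anydesk", "msiafterburner", "blender", "slack", "dashlane", "vlc", "7zip"]

# Constructed sample passive-DNS records (hostname, resolved IPv4). The hostnames
# are invented placeholders on the reserved .example TLD; 185.149.120.9 is the
# IP quoted in the article, the other two IPs are from documentation ranges.
RECORDS = [
    ("anydesk-download.example", "185.149.120.9"),
    ("anydeks.example", "185.149.120.9"),
    ("msi-afterburnerr.example", "185.149.120.9"),
    ("slack-desktop.example", "185.149.120.9"),
    ("dashlane-blog.example", "198.51.100.7"),
    ("weather-news.example", "203.0.113.10"),
]

def core_label(hostname: str) -> str:
    """Second-level label with separators removed: 'msi-afterburnerr.example' -> 'msiafterburnerr'."""
    labels = hostname.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return label.replace("-", "").replace("_", "")

def closest_brand(hostname: str, brands=BRANDS, threshold: float = 0.8):
    """Return the product a hostname imitates, or None.

    A brand counts as imitated when its name is embedded in the label
    (anydesk-download) or when the whole label is a near-miss of it (anydeks).
    """
    label = core_label(hostname)
    best, best_score = None, 0.0
    for brand in brands:
        if brand in label:
            return brand
        score = SequenceMatcher(None, label, brand).ratio()
        if score > best_score:
            best, best_score = brand, score
    return best if best_score >= threshold else None

def suspicious_ips(records, min_brands: int = 2):
    """Group brand-imitating hostnames by resolved IP and keep only IPs that
    serve look-alikes of at least `min_brands` different products."""
    by_ip = defaultdict(lambda: defaultdict(list))
    for hostname, ip in records:
        brand = closest_brand(hostname)
        if brand:
            by_ip[ip][brand].append(hostname)
    return {ip: dict(hits) for ip, hits in by_ip.items() if len(hits) >= min_brands}

if __name__ == "__main__":
    for ip, hits in suspicious_ips(RECORDS).items():
        print(ip, hits)
```

The short brand names (vlc, 7zip) will match many legitimate labels by substring, so in practice the output is a triage list to be checked against known-good infrastructure, not a blocklist.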
On the malicious sites, victims are tricked into downloading a ZIP file named ‘AnyDeskDownload[.]zip,’ which contains the Vidar infostealer.
This malware is known for stealing critical data from the victims’ infected machines, including browser history, saved passwords, login information, cryptocurrency wallet funds, and banking information. Once all the data is collected, it will be sent to an attacker-controlled remote server, which will then be used for further malicious activities or sold to other cybercriminals.
In most cases, users land on these malicious websites when they search online for copies or pirated versions of popular software tools such as AnyDesk. Threat actors exploit this demand for pirated software to spread malware and steal data.
Thus, security experts strongly advise users to refrain from downloading pirated software or app versions online and purchase legitimate ones on official websites. Also, users must not click on promoted advertisements on search engines since malicious actors may be controlling them to spread malware.