An extensive campaign is under way that uses over 1,300 domains to impersonate the AnyDesk website. All of them redirect to a Dropbox folder that was recently pushing the Vidar information-stealing malware.
AnyDesk, a widely used remote desktop app for Windows, Linux and macOS, is used by millions worldwide for remote connections and system administration.
Malware distribution campaigns frequently abuse AnyDesk's brand because of its popularity. In October 2022, for example, Mitsu Stealer's operators were reported to be using AnyDesk's brand to promote their malware.
A SEKOIA threat analyst spotted the ongoing AnyDesk campaign and warned about it on Twitter, where he also shared the list of malicious hostnames. All of these hostnames resolve to the IP address 185.149.120[.]9.
The list includes typosquats of AnyDesk and MSI Afterburner, as well as of Blender, Dashlane and Slack.
However, whatever the name, all of them lead to the exact same AnyDesk site clone, shown below.
Fake AnyDesk site used in Vidar distribution (BleepingComputer)
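The two indicators the article gives for this campaign, lookalike hostnames of the named brands and resolution to a single IP, can be turned into a simple check over DNS resolver logs. The following is an added example, not code from the article or from SEKOIA; the log format, the RFC 5737 addresses and the similarity threshold are constructed assumptions, while the brand names and the campaign IP come from the article.

```python
import re
from difflib import SequenceMatcher
# Brands the article lists as typosquatted in this campaign.
BRANDS = ["anydesk", "msiafterburner", "blender", "dashlane", "slack"]
# The single IP the article reports every campaign hostname resolving to.
CAMPAIGN_IP = "185.149.120.9"
# Constructed sample resolver log lines (RFC 5737 addresses; not real telemetry).
SAMPLE_LOG = """\
2023-01-10T10:01:02Z client=10.0.0.5 query=anydesk.com answer=198.51.100.10
2023-01-10T10:02:15Z client=10.0.0.7 query=anydeks.com answer=185.149.120.9
2023-01-10T10:03:44Z client=10.0.0.9 query=dashlane.com answer=198.51.100.11
2023-01-10T10:04:01Z client=10.0.0.7 query=msiafterburnner.net answer=185.149.120.9
2023-01-10T10:05:30Z client=10.0.0.11 query=anydesk-download.net answer=198.51.100.20
2023-01-10T10:06:12Z client=10.0.0.12 query=example.org answer=192.0.2.44
"""
LINE_RE = re.compile(r"query=(?P<query>\S+) answer=(?P<answer>\S+)")

def brand_label(hostname: str) -> str:
    """Second-level label ('anydeks.com' -> 'anydeks'); ignores multi-part
    public suffixes such as co.uk, which a production tool should handle."""
    parts = hostname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def lookalike_brand(label: str, threshold: float = 0.8):
    """Return the brand this label imitates, or None for a clean or exact label."""
    if label in BRANDS:
        return None  # the genuine brand label, not a squat
    for brand in BRANDS:
        # Brand embedded with extra characters, or within a small edit of it.
        if brand in label or SequenceMatcher(None, label, brand).ratio() >= threshold:
            return brand
    return None

def flag_suspicious(log_text: str):
    """Return (query, answer, reasons) for every line hitting either indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        query, answer = m["query"], m["answer"]
        reasons = []
        brand = lookalike_brand(brand_label(query))
        if brand:
            reasons.append(f"lookalike of {brand}")
        if answer == CAMPAIGN_IP:
            reasons.append("resolves to campaign IP")
        if reasons:
            hits.append((query, answer, reasons))
    return hits
```

The IP match is the stronger signal here, since the article notes every campaign hostname shares one address; the similarity heuristic will also flag benign near-misses and is meant for triage, not blocking.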
Most of the domains were still online at the time of writing; others have been taken down by registrars or are blocked by antivirus tools. On the sites that remain up, the Dropbox links no longer work because the cloud storage provider detected the malicious file.
The threat actor could easily fix this by changing the download URL to another host, since all of the sites point to the exact same location.
Vidar Stealer served from all sites
In the newly discovered campaign, the sites distributed a ZIP file named 'AnyDeskDownload.zip' that posed as an installer for the AnyDesk software.
Instead of installing the remote access software, it installs Vidar Stealer, an information-stealing Trojan that has been in circulation since 2018.
The malware can steal the victim's browser history and saved passwords, as well as cryptocurrency wallet data and banking information. The attackers can then use this data for further malicious activity or sell it to others.
These sites are usually found by users searching Google for pirated software or games. The users are first sent to 108 secondary domains, which redirect them to 20 domains that deliver the malicious payload.
To evade detection and takedowns, the Vidar operators used Dropbox to host the malware payload.
BleepingComputer recently saw Vidar being promoted by a campaign that relied on more than 200 typosquatting domains.
SEKOIA released a report last week revealing yet another large info-stealer distribution campaign that promoted cracked software.
What is behind all of these campaigns is not known.
It is advisable to bookmark the websites you use to download software. Avoid clicking on ads in Google Search; instead, take the URL from the project's Wikipedia page, its documentation or your OS's package manager.