
Fake AnyDesk Google ads deliver malware

Malware pushed through Google search results

Hackers are pushing a bogus version of a remote desktop app AnyDesk through search results on Google. The fake app contains a trojan that is part of a new campaign designed to control a victim's computer.

Researchers at CrowdStrike first spotted the malware last month. They observed a suspicious file named "AnyDeskSetup.exe", masquerading as the AnyDesk installer, being written to disk and exhibiting suspicious behavior.

The executable wasn't a legitimate build; it had been weaponized with additional capabilities. To evade detection by Google's advert security, the malware attempted to launch a PowerShell binary that had been renamed rexc.exe.

Researchers reviewed the process and found "AnydeskSetup.exe" running from the user's Downloads directory. They said this wasn't the normal version of the application, as it was signed by Digital IT Consultants Plus Inc. instead of AnyDesk's developer, philandro Software GmbH. The network activity generated by the application went to a domain (anydeskstat[.]com) registered on April 9, 2021 and hosted at a Russian IP address.

When executed, a PowerShell implant was written to %TEMP/v.ps1 and executed with a command-line switch of "-W 1" to hide the PowerShell window. At this point, researchers launched a thorough investigation and found the PowerShell script the hackers used was similar to another piece of malware hiding as a Zoom installer in April.
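The indicators described above (an AnyDesk installer whose Authenticode signer is not philandro Software GmbH, and PowerShell launched with a hidden window to run a script from the TEMP directory) translate directly into endpoint detection logic. The following is an added example, not CrowdStrike's or IT Pro's code; the process-creation events, user names and paths it runs over are constructed, and it assumes telemetry that already carries the signer name per process.

```python
"""Triage constructed process-creation events for the two indicators in the
article: a fake 'AnyDeskSetup.exe' (wrong signer) and a hidden-window
PowerShell running a .ps1 from %TEMP%."""
import re
from dataclasses import dataclass

LEGIT_SIGNER = "philandro Software GmbH"  # signer of genuine AnyDesk builds

@dataclass
class ProcEvent:
    image: str     # full path of the executable
    cmdline: str   # command line as logged
    signer: str    # Authenticode signer as reported by the sensor

def is_fake_anydesk(ev: ProcEvent) -> bool:
    """AnyDeskSetup.exe whose signer is not the legitimate publisher."""
    name = ev.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name == "anydesksetup.exe" and ev.signer.casefold() != LEGIT_SIGNER.casefold()

# '-W 1' is shorthand for '-WindowStyle Hidden'; match both spellings.
HIDDEN_WINDOW = re.compile(r"(?i)-w(?:indowstyle)?\s+(?:1|hidden)\b")
TEMP_SCRIPT = re.compile(r"(?i)(?:%temp%|\\temp\\)[^\s\"']*\.ps1")

def is_hidden_temp_powershell(ev: ProcEvent) -> bool:
    """PowerShell started hidden and pointed at a script under TEMP.
    Caveat: a renamed host binary (the article's rexc.exe) defeats this
    image-name check; OriginalFileName from PE version info would be needed."""
    exe = ev.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in ("powershell.exe", "pwsh.exe"):
        return False
    return bool(HIDDEN_WINDOW.search(ev.cmdline) and TEMP_SCRIPT.search(ev.cmdline))

def triage(events):
    """Return (event index, reason) for every event matching an indicator."""
    hits = []
    for i, ev in enumerate(events):
        if is_fake_anydesk(ev):
            hits.append((i, "installer signer mismatch"))
        elif is_hidden_temp_powershell(ev):
            hits.append((i, "hidden PowerShell running script from TEMP"))
    return hits

# Constructed sample telemetry (not real events); 'alice'/'bob' are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    ProcEvent(r"C:\Users\alice\Downloads\AnyDeskSetup.exe", "AnyDeskSetup.exe", "Digital IT Consultants Plus Inc."),
    ProcEvent(PS, r"powershell.exe -W 1 -File C:\Users\alice\AppData\Local\Temp\v.ps1", "Microsoft Windows"),
    ProcEvent(r"C:\Users\bob\Downloads\AnyDeskSetup.exe", "AnyDeskSetup.exe", LEGIT_SIGNER),
    ProcEvent(PS, r"powershell.exe -File C:\scripts\backup.ps1", "Microsoft Windows"),
]

if __name__ == "__main__":
    for i, reason in triage(SAMPLE):
        print(f"event {i}: {reason}: {SAMPLE[i].cmdline}")
```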


"The logic we observed is very similar to logic observed and published by Inde, where a masqueraded Zoom installer dropped a similar PowerShell script from an external resource," said researchers.

The malvertising campaign itself sends victims to a URL clone of the legitimate AnyDesk website and provides a download link for the trojan installer. Researchers found three intermediary websites used in this campaign.

Researchers said the hackers are paying $1.75 per ad click, but a click alone doesn't equate to getting a shell on a target they're interested in.

"While it is unknown what percentage of Google searches for AnyDesk resulted in clicks on the ad, a 40% Trojan installation rate from an ad click shows that this is an extremely successful method of gaining remote access across a wide range of potential targets," said researchers.

Researchers notified customers and alerted Google to the malvertising campaign. "It appears that Google expeditiously took appropriate action because, at the time of this blog, the ad was no longer being served," researchers said.
