A massive campaign is using more than 1,300 domains to impersonate the official AnyDesk site, redirecting to a Dropbox folder pushing the Vidar information-stealing malware. In the newly discovered campaign, the sites were distributing a ZIP file named ‘AnyDeskDownload.zip’ that installs Vidar stealer.
The malware steals victims’ browser history, account credentials, saved passwords, cryptocurrency wallet data, banking information, and other sensitive data. This data is then sent back to the attackers, who could use it for further malicious activity or sell it to other threat actors.
Instead of hiding the malware payload behind redirections to evade detection and takedowns, the recent Vidar campaign used the Dropbox file hosting service, which is trusted by AV tools, to deliver the payload.
A threat analyst shared the complete list of the malicious hostnames including typosquats for AnyDesk, MSI Afterburner, 7-ZIP, Blender, Dashlane, Slack, VLC, OBS, cryptocurrency trading apps, and other popular software, that resolve to the same IP address. They all lead to the same AnyDesk clone site.
AnyDesk is a popular remote desktop application for Windows, Linux, and macOS, used by millions of people worldwide for secure remote connectivity or performing system administration. Users are advised to bookmark the sites they use for downloading software, avoid clicking on promoted results (ads) in Google Search, and find the official URL of a software project from their Wikipedia page, documentation, or their OS’s package manager.
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.