Targeted AnyDesk Ads on Google Served Up Weaponized App

Cause : Malvertising (malicious advertising) is the use of online advertising to spread and install malware or redirect your traffic. Cybercriminals inject infected ads into legitimate advertising networks that display ads on websites you trust. Then, when you visit a site, the malicious ad infects your device with malware — even if you don’t click it.

Use Case

A fake version of the popular remote desktop application AnyDesk, pushed via ads appearing in Google search results, served up a trojan laced version of the program. This campaign even toppled AnyDesk’s own ad campaign on Google – ranking higher in its paid results.

The campaign, active since April 22, is notable because the criminals behind the malicious ad managed to avoid Google’s anti-malvertising screening policing. As a result, researchers with Crowdstrike estimate, 40 percent of those that clicked on the ad began the installation of the malware. Twenty percent of those installations included “follow-on hands-on-keyboard activity” by criminals of the victim’s system, according a report on the incident published Wednesday.

Researchers said victims who downloaded the program were conned into executing a binary called AnyDeskSetup.exe. Once executed, the malware attempted to launch a PowerShell script.

Researchers explained they first, “observed a suspicious file masquerading as AnyDesk. However, this was not the legitimate AnyDesk Remote Desktop application — rather, it had been weaponized with additional capabilities.”

The file bogus executable was signed by “Digital IT Consultants Plus Inc”, instead of the legitimate creators “philandro Software GmbH”.

“Upon execution, a PowerShell implant was written to %TEMP/v.ps1 and executed with a command line switch of “-W 1″ to hide the PowerShell window.” Researchers noted the PowerShell used by criminals is similar to a script delivered by hacker’s behind a malicious a Zoom installer found in April.

“The logic we observed is very similar to logic observed and published by Inde, where a masqueraded Zoom installer dropped a similar PowerShell script from an external resource,” researchers wrote.

The Stake

Researchers estimate attackers spent about $1.75 per click.

“While it is unknown what percentage of Google searches for AnyDesk resulted in clicks on the ad, a 40 percent Trojan installation rate from an ad click shows that this is an extremely successful method of gaining remote access across a wide range of potential targets.”

Crowdstrike notified affected customers and alerted Google of the ad abuse.

“It appears that Google expeditiously took appropriate action, because at the time of this blog, the ad was no longer being served,” the report noted.

Ads Against Users

Google needs to take more responsibility when it comes to policing its own ad network.

“Companies such as Google need to develop better screening measures for legitimate organizations versus cyber criminals,This most likely will be counterproductive to their current business model.”

According to Google, it relies on a combination of humans and automated tools to block abusive ads. “Google actively works with trusted advertisers and partners to help prevent malware in ads,” it describes. “Google’s proprietary technology and malware detection tools are used to regularly scan all creatives.”

Despite Google’s efforts to mitigate malvertising on its ad network, some experts believe advertising behemoth and others need to go further.

Jennifer Geisler, chief marketing officer at Vectra AI, says, she thinks pressure will start to mount on these platforms to do more to block cybercriminals from using their tools.

“Just as SolarWinds is being called out for a breach of its platform, it may be time to apply the same governance to other platforms, such as advertising, when attackers work around the system to violate end users,”

How to prevent malvertising

Since many malicious ads can attack you as soon as they load in your browser, refusing to click is not enough. To properly protect yourself against malvertising campaigns, follow these well known cybersecurity guidelines:

  • Use an ad blocker. If you block ads from showing up in your browser, malvertising campaigns won’t reach you. Ad blockers are great for a variety of reasons, and this security bonus surely is one of them.
  • Practice smart website safety. Learn the telltale signs of spoofed websites, such as a lack of HTTPS encryption or an incomplete terms and conditions page. Learning how to determine whether or not a website is safe can help you avoid pharming traps.
  • Disable browser plugins. In your browser settings, you can set which plugins can run by default. Since many malicious ads exploit plugins to execute their attacks, disabling plugins can stop them in their tracks. And if you do use plugins, always keep them updated. This was a bigger risk when Adobe Flash was still active, but Adobe has graciously killed the vulnerability-plagued plugin for good.

Be the first to comment

Leave a Reply