A fake version of the popular remote desktop application AnyDesk, pushed via ads appearing in Google search results, served up a trojanized version of the program. The campaign even bested AnyDesk’s own ad campaign on Google – ranking higher in its paid results.
The campaign, active since April 22, is notable because the criminals behind the malicious ad managed to avoid Google’s anti-malvertising screening policing. As a result, researchers with Crowdstrike estimate, 40 percent of those that clicked on the ad began the installation of the malware. Twenty percent of those installations included “follow-on hands-on-keyboard activity” by criminals of the victim’s system, according a report on the incident published Wednesday.
Researchers said victims who downloaded the program were conned into executing a binary called AnyDeskSetup.exe. Once executed, the malware attempted to launch a PowerShell script.
Researchers explained they first, “observed a suspicious file masquerading as AnyDesk… However, this was not the legitimate AnyDesk Remote Desktop application — rather, it had been weaponized with additional capabilities.”
The file bogus executable was signed by “Digital IT Consultants Plus Inc”, instead of the legitimate creators “philandro Software GmbH”.
“Upon execution, a PowerShell implant was written to %TEMP/v.ps1 and executed with a command line switch of “-W 1″ to hide the PowerShell window.” Researchers noted the PowerShell used by criminals is similar to a script delivered by hacker’s behind a malicious a Zoom installer found in April.
“The logic we observed is very similar to logic observed and published by Inde, where a masqueraded Zoom installer dropped a similar PowerShell script from an external resource,” researchers wrote.
Malvertising Works
Researchers estimate attackers spent about $1.75 per click.
“While it is unknown what percentage of Google searches for AnyDesk resulted in clicks on the ad, a 40 percent Trojan installation rate from an ad click shows that this is an extremely successful method of gaining remote access across a wide range of potential targets.”
Crowdstrike notified affected customers and alerted Google of the ad abuse.
“It appears that Google expeditiously took appropriate action, because at the time of this blog, the ad was no longer being served,” the report noted.
Ad Platforms Turned Against Users
Joseph Neumann, a cyber executive advisor at Coalfire, said Google needs to take more responsibility when it comes to policing its own ad network.
“Companies such as Google need to develop better screening measures for legitimate organizations versus cybercriminals,” Neumann told Threatpost. “This most likely will be counterproductive to their current business model.”
According to Google, it relies on a combination of humans and automated tools to block abusive ads. “Google actively works with trusted advertisers and partners to help prevent malware in ads,” it describes. “Google’s proprietary technology and malware detection tools are used to regularly scan all creatives.”
Despite Google’s efforts to mitigate malvertising on its ad network, some experts believe advertising behemoth and others need to go further.
Jennifer Geisler, chief marketing officer at Vectra AI, told Threatpost she thinks pressure will start to mount on these platforms to do more to block cybercriminals from using their tools.
“Just as SolarWinds is being called out for a breach of its platform, it may be time to apply the same governance to other platforms, such as advertising, when attackers work around the system to violate end users,” she said.
Join Threatpost for “A Walk On The Dark Side: A Pipeline Cyber Crisis Simulation”– a LIVE interactive demo on Wed, June 9 at 2:00 PM EDT. Sponsored by Immersive Labs, find out whether you have the tools and skills to prevent a Colonial Pipeline-style attack on your organization. Questions and LIVE audience participation encouraged. Join the discussion and Register HERE for free.