Hundreds of fake AnyDesk sites push Vidar info-stealing malware

(Image credit: Elchinator from Pixabay)

A major impersonation campaign is aiming to distribute the Vidar infostealer to as many endpoints as possible. 

Cybersecurity researcher from SEKOIA, going under the name crep1x, discovered the campaign and rang the alarm on Twitter. In a short Twitter threat, the researcher said he discovered more than 1,300 domains, all of which impersonate major software brands to push the malware

The brands impersonated in this campaign include AnyDesk, MSI Afterburner, 7-ZIP, Blender, Dashlane, Slack, VLC, OBS, and cryptocurrency trading apps, to name a few. All of these impersonated brands lead to the same website, a clone of AnyDesk.

Stealing passwords and cryptocurrency

For the uninitiated, AnyDesk is a remote desktop application that gives users remote access to personal computers and allows them to transfer files and be used as a VPN

Victims that navigate to these sites and try to download the application would be redirected to a Dropbox folder hosting the Vidar infostealer. A variant of the Arkei infostealer, Vidar is capable of stealing credit cards, login credentials, files, and grab screenshots. It is also capable of stealing cryptocurrencies, such as bitcoin or ether, from the victim’s hot wallets (software wallets). 

According to BleepingComputer, which reported on crep1x’s findings earlier this week, the campaign is still active and many of the typosquatted domains are still active. Some have been shut down in the meantime. Dropbox was also notified of its services being abused to distribute malware and has killed the link in the meantime. 

However, given that all of the malicious sites point to the same place, the threat actors can persist easily by simply updating the download URL.

The best way to protect against such attacks is to be extra careful when downloading software and making sure the apps are only obtained from verified sources. That being said, navigating to the AnyDesk website (as opposed to clicking a supposed AnyDesk link in an email or a social media post) is a good place to start.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.