Quote:A fake version of the popular remote desktop application AnyDesk, pushed via ads appearing in Google search results, served up a trojanized version of the program. The campaign even bested AnyDesk’s own ad campaign on Google – ranking higher in its paid results.
 
The campaign, active since April 22, is notable because the criminals behind the malicious ad managed to avoid Google’s anti-malvertising screening policing. As a result, researchers with Crowdstrike estimate, 40 percent of those that clicked on the ad began the installation of the malware. Twenty percent of those installations included “follow-on hands-on-keyboard activity” by criminals of the victim’s system, according a report on the incident published Wednesday.
 
Researchers said victims who downloaded the program were conned into executing a binary called AnyDeskSetup.exe. Once executed, the malware attempted to launch a PowerShell script. Researchers explained they first, “observed a suspicious file masquerading as AnyDesk… However, this was not the legitimate AnyDesk Remote Desktop application — rather, it had been weaponized with additional capabilities.”
 
The file bogus executable was signed by “Digital IT Consultants Plus Inc”, instead of the legitimate creators “philandro Software GmbH”.
 
“Upon execution, a PowerShell implant was written to %TEMP/v.ps1 and executed with a command line switch of “-W 1″ to hide the PowerShell window.” Researchers noted the PowerShell used by criminals is similar to a script delivered by hacker’s behind a malicious a Zoom installer found in April.
 
“The logic we observed is very similar to logic observed and published by Inde, where a masqueraded Zoom installer dropped a similar PowerShell script from an external resource,” researchers wrote.