Over 1,300 fake AnyDesk sites push Vidar info-stealing malware

vtqhtr413

Aug 17, 2017
A massive campaign using over 1,300 domains to impersonate the official AnyDesk site is underway, all redirecting to a Dropbox folder recently pushing the Vidar information-stealing malware.

AnyDesk is a popular remote desktop application for Windows, Linux, and macOS, used by millions of people worldwide for secure remote connectivity or performing system administration.

Due to the tool's popularity, malware distribution campaigns often abuse the AnyDesk brand. For example, in October 2022, Cyble reported that the operators of Mitsu Stealer were using an AnyDesk phishing site to push their new malware.

The new ongoing AnyDesk campaign was spotted by SEKOIA threat analyst crep1x, who warned about it on Twitter and shared the complete list of the malicious hostnames. All of these hostnames resolve to the same IP address.

The list of hostnames includes typosquats for AnyDesk, MSI Afterburner, 7-ZIP, Blender, Dashlane, Slack, VLC, OBS, cryptocurrency trading apps, and other popular software. However, regardless of the name, they all lead to the same AnyDesk clone site.

At the time of writing this, most domains are still online, while others have been reported and taken offline by the registrars or are blocked by AV tools. Even for the sites that are up, their Dropbox links no longer work after the malicious file was reported to the cloud storage service. However, as all the domains in this campaign point to the same site, the threat actor can easily fix this by updating the download URL to another site.
