A large spoofing campaign aims to distribute the Vidar information-stealing tool to as many endpoints as possible.
A cybersecurity researcher at SEKOIA, going by the pseudonym crep1x, discovered the campaign and raised the alarm on Twitter. In a short Twitter thread, the researcher said he had uncovered over 1,300 domains, all impersonating major software brands to push malware.
Brands impersonated in this campaign include AnyDesk, MSI Afterburner, 7-ZIP, Blender, Dashlane, Slack, VLC, OBS, and cryptocurrency trading apps. All of these brand impersonations lead to the same website, an AnyDesk clone.
Theft of passwords and cryptocurrencies
For the uninitiated, AnyDesk is a remote desktop application that gives users remote access to their personal computers and allows them to transfer files and use it as a VPN.
Victims who visit these websites and attempt to download the application are redirected to a Dropbox folder hosting the Vidar information-stealing tool. Vidar, a variant of the Arkei infostealer, is capable of stealing credit cards, login details, and files, and of downloading screenshots. It is also capable of stealing cryptocurrencies such as bitcoin or ether from the victim’s hot wallets (software wallets).
According to BleepingComputer, which reported the crep1x findings earlier this week, the campaign is still ongoing and many of the typosquat domains are still active, although some have since closed. Dropbox has also been notified of its services being used to distribute malware and has since removed the link.
However, given that all malicious sites point to the same place, cyber criminals can easily keep the campaign going by simply updating the download URL.
The best way to protect against such attacks is to be extra careful when downloading software and to ensure that your applications come only from verified sources. That said, going to the AnyDesk website (as opposed to clicking on a supposed AnyDesk link in an email or social media post) is a good place to start.
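For defenders watching DNS or proxy logs, the typosquat pattern described above can be flagged by comparing queried hostnames with the official domains of the impersonated brands. The following Python is an added example, not part of the original report; the official-domain list, the similarity threshold, the log format and the sample lines are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Brand keyword -> official domain. Assumption: confirm each with the vendor.
OFFICIAL = {
    "anydesk": "anydesk.com",
    "slack": "slack.com",
    "blender": "blender.org",
    "dashlane": "dashlane.com",
}

def lookalike_brand(host, threshold=0.84):
    """Return the brand a hostname imitates, or None if official/unrelated."""
    host = host.lower().rstrip(".")
    for domain in OFFICIAL.values():
        if host == domain or host.endswith("." + domain):
            return None  # the vendor's own domain or a subdomain of it
    for label in host.split(".")[:-1]:  # ignore the TLD
        for brand in OFFICIAL:
            if brand in label:  # brand embedded in a longer label
                return brand
            # Fuzzy-match each hyphen/digit-separated token (misspellings).
            for token in re.split(r"[-_0-9]+", label):
                if SequenceMatcher(None, token, brand).ratio() >= threshold:
                    return brand
    return None

def scan(log_lines):
    """Return (client, host, brand) for each lookalike; host is the last field."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines
        brand = lookalike_brand(fields[-1])
        if brand:
            hits.append((fields[1], fields[-1], brand))
    return hits

# Constructed DNS-query log lines (timestamp, client, queried name).
SAMPLE_LOG = [
    "2024-01-01T09:14:02Z 10.0.0.5 anydeskk-download.example",
    "2024-01-01T09:14:09Z 10.0.0.7 download.anydesk.com",
    "2024-01-01T09:15:40Z 10.0.0.9 get.slaack.example",
    "2024-01-01T09:16:11Z 10.0.0.5 intranet.example",
]

if __name__ == "__main__":
    for client, host, brand in scan(SAMPLE_LOG):
        print(f"{client} queried {host}: imitates {brand}")
```

The substring check will also flag unrelated names that happen to contain a brand keyword, so hits are leads for review rather than verdicts.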
Via: BleepingComputer