The Mad Liberator ransomware operation, which emerged last month, has been using social engineering and AnyDesk in its attacks, The Register reports.
According to a report from Sophos X-Ops, after one organization approved an AnyDesk connection authorization request sent by Mad Liberator, the attackers executed a binary that emulated a Windows update screen, gaining control of the device and access to a linked OneDrive account as well as files on a centralized server. Mad Liberator then exfiltrated files via the AnyDesk FileTransfer facility, used Advanced IP Scanner to look for other devices that could be breached, and ran a ransom note; the nearly four-hour intrusion ended with device control being returned to the victim, Sophos X-Ops researchers said. "We did note that the binary was manually triggered by the attacker; with no scheduled task or automation in place to execute it again once the threat actor was gone, the file simply remained on the affected system," the researchers added.
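As an added defensive illustration, not code from the Sophos or Register reports, the Python below correlates the post-approval chain described above (an accepted AnyDesk session followed within a few hours by an executable launched from a user-writable directory, an outbound AnyDesk file transfer, and a network scanner) over constructed sample events; the event schema, host names, paths and timestamps are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry modelled on the reported chain (not real logs).
EVENTS = [
    {"ts": "2024-08-01T09:00:00", "host": "ws-17", "type": "anydesk_session", "detail": "incoming session accepted"},
    {"ts": "2024-08-01T09:03:00", "host": "ws-17", "type": "process", "detail": "C:\\Users\\jdoe\\Downloads\\update.exe"},
    {"ts": "2024-08-01T09:40:00", "host": "ws-17", "type": "anydesk_file_transfer", "detail": "outbound 2.1 GB"},
    {"ts": "2024-08-01T10:15:00", "host": "ws-17", "type": "process", "detail": "C:\\Users\\jdoe\\Downloads\\advanced_ip_scanner.exe"},
    # Benign-looking remote support session: one small outbound transfer only.
    {"ts": "2024-08-01T09:10:00", "host": "ws-02", "type": "anydesk_session", "detail": "incoming session accepted"},
    {"ts": "2024-08-01T09:20:00", "host": "ws-02", "type": "anydesk_file_transfer", "detail": "outbound 4 MB"},
]

# Process names treated as network scanners (assumed list; extend for your estate).
SCANNER_NAMES = ("advanced_ip_scanner", "advanced_ip_scanner_console")


def find_suspicious_sessions(events, window=timedelta(hours=4)):
    """Return {(host, session_ts): sorted indicators} for every accepted AnyDesk
    session that is followed, within `window`, by at least two of the three
    post-access behaviours: binary from a user directory, outbound file
    transfer, network scanner execution."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    findings = {}
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e["type"] != "anydesk_session":
                continue
            start = datetime.fromisoformat(e["ts"])
            indicators = set()
            for f in evs[i + 1:]:
                if datetime.fromisoformat(f["ts"]) - start > window:
                    break  # events are time-ordered per host
                if f["type"] == "anydesk_file_transfer" and f["detail"].startswith("outbound"):
                    indicators.add("outbound_file_transfer")
                elif f["type"] == "process":
                    name = f["detail"].rsplit("\\", 1)[-1].lower()
                    if name.startswith(SCANNER_NAMES):
                        indicators.add("network_scanner")
                    elif "\\users\\" in f["detail"].lower():
                        indicators.add("binary_from_user_dir")
            if len(indicators) >= 2:
                findings[(host, e["ts"])] = sorted(indicators)
    return findings


if __name__ == "__main__":
    for key, inds in find_suspicious_sessions(EVENTS).items():
        print(key, inds)
```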