More than 1,300 domains have been leveraged in an ongoing widespread AnyDesk impersonation campaign aimed at distributing the Vidar information-stealing malware, BleepingComputer reports.
Identified by SEKOIA threat analyst crep1x, the AnyDesk campaign involves various malicious hostnames, including typosquats for AnyDesk, Slack, VLC, 7-ZIP, and other apps, all of which resolve to the 185.149.120[.]9 IP address and redirect to a site cloning AnyDesk.
All of the sites were deploying a file purporting to be an AnyDesk installer, named "AnyDeskDownload.zip", that actually installs the Vidar stealer, which targets not only browser history and account credentials but also saved passwords, cryptocurrency wallet data, and banking details.
Attackers behind the latest campaign have used Dropbox for payload delivery, rather than relying on redirections, in order to evade detection.
Vidar was recently observed by BleepingComputer to have been deployed in a separate campaign with more than 200 typosquatting domains masquerading as 27 software brands.
Vidar info-stealer deployed in widespread AnyDesk spoofing campaign
SC Media's daily must-read of the most current and pressing daily news