wheeu.blogg.se

How to use anydesk and locate my database
Although malvertising has been around for quite a while, it continues to be an effective way to lure unsuspecting users to install malware. In this blog, we describe a clever malvertising campaign that led to the discovery of a weaponized AnyDesk installer that was being delivered via targeted Google ad searches for the keyword “anydesk.”

Beginning as early as April 21, 2021, the CrowdStrike Falcon Complete™ team observed a suspicious file masquerading as AnyDesk called “AnyDeskSetup.exe” being written to disk and exhibiting suspicious behavior. However, this was not the legitimate AnyDesk Remote Desktop application; rather, it had been weaponized with additional capabilities.

The initial detection described below kicked off an internal collaboration across CrowdStrike’s Falcon OverWatch™ threat hunting, Intelligence, and Threat Detection and Response teams to piece everything together and respond to this emerging activity across the CrowdStrike customer base. Falcon Complete used this combined effort to provide a quick and effective response by quickly triaging and remediating the affected hosts and notifying affected customers in a timely manner.

The initial activity triggered a detection within the CrowdStrike Falcon® platform, tagged with MITRE’s technique T1036, “Masquerading.” An executable appeared to have been manipulated to evade detection and was attempting to launch a PowerShell script with the following command line:

"C:\Intel\rexc.exe" -exec bypass \Intel\g.ps1

Figure 2.

During a review of the process tree, we noticed that “rexc.exe” appeared to be a renamed PowerShell binary in an attempt to bypass and avoid detections. Upon execution, a PowerShell implant was written to %TEMP/v.ps1 and executed with a command line switch of “-W 1” to hide the PowerShell window.

Registrant information for anydeskstatcom
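The detection described above hinges on two observations: a PowerShell host running under a name other than powershell.exe (T1036, Masquerading), and a command line that bypasses execution policy, hides the window, or runs a script from a user-writable directory. The following is an added illustration, not code from CrowdStrike or from this page, of how a defender can encode those observations as triage logic over process-creation telemetry. It assumes events carrying the Sysmon Event ID 1 field names Image, OriginalFileName and CommandLine; the sample events are constructed here and mirror the two command lines quoted in the write-up plus one benign administrative invocation.

```python
"""Flag renamed PowerShell hosts and risky PowerShell switches in
process-creation events (defender-side triage for MITRE ATT&CK T1036).

Assumptions (hypothetical example): events are dicts using the Sysmon
Event ID 1 field names Image, OriginalFileName and CommandLine. The
sample events at the bottom are constructed, not real telemetry.
"""
import ntpath
import re
from typing import Dict, List

# OriginalFileName values the PowerShell hosts carry in their PE metadata
# (as surfaced in Sysmon's OriginalFileName field).
POWERSHELL_ORIGINAL_NAMES = {"powershell.exe", "pwsh.dll", "powershell_ise.exe"}
# Image names under which those hosts legitimately run.
POWERSHELL_IMAGE_NAMES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# PowerShell accepts unambiguous switch prefixes, so "-exec", "-ep" and
# "-ExecutionPolicy" all mean the same thing; likewise "-W 1" is "-WindowStyle Hidden".
POLICY_BYPASS_RE = re.compile(r"-(?:exec|executionpolicy|ep)\s+bypass", re.IGNORECASE)
HIDDEN_WINDOW_RE = re.compile(r"-(?:w|windowstyle)\s+(?:1|hidden)\b", re.IGNORECASE)
# Scripts launched from %TEMP%, a Temp folder, or the C:\Intel drop directory seen above.
TEMP_SCRIPT_RE = re.compile(r"(?:%TEMP%?|\\Temp|\\Intel)[\\/][^\s\"]*\.ps1", re.IGNORECASE)


def renamed_powershell(event: Dict[str, str]) -> bool:
    """True when the binary's own metadata says PowerShell but its on-disk name does not."""
    original = event.get("OriginalFileName", "").lower()
    image = ntpath.basename(event.get("Image", "")).lower()
    return original in POWERSHELL_ORIGINAL_NAMES and image not in POWERSHELL_IMAGE_NAMES


def risky_switches(cmdline: str) -> List[str]:
    """Return the names of the suspicious switch patterns present in a command line."""
    found = []
    if POLICY_BYPASS_RE.search(cmdline):
        found.append("execution_policy_bypass")
    if HIDDEN_WINDOW_RE.search(cmdline):
        found.append("hidden_window")
    if TEMP_SCRIPT_RE.search(cmdline):
        found.append("script_in_writable_dir")
    return found


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return every event with a renamed host or a risky switch, with the reasons."""
    hits = []
    for ev in events:
        reasons = risky_switches(ev.get("CommandLine", ""))
        if renamed_powershell(ev):
            reasons.insert(0, "renamed_powershell_host")
        if reasons:
            hits.append({"Image": ev["Image"], "reasons": reasons})
    return hits


# Constructed sample events (not real telemetry). The first two mirror the
# command lines quoted in the write-up; the third is benign administrative use.
SAMPLE_EVENTS = [
    {"Image": r"C:\Intel\rexc.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r'"C:\Intel\rexc.exe" -exec bypass \Intel\g.ps1'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell.exe -W 1 -File %TEMP%\v.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["Image"], "->", ", ".join(hit["reasons"]))
```

The OriginalFileName check is the durable signal: renaming the file on disk does not change the name embedded in the PE version resource, so a host whose metadata says PowerShell but whose image name is anything else deserves a look regardless of what the command line contains. The switch patterns are weaker on their own (administrators use them too), which is why the triage output keeps every reason attached to the hit rather than collapsing to a single verdict.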