January 11, 2023

Attackers are spreading Vidar information stealing malware using 1,300 domains impersonating AnyDesk official site. The malicious activity was uncovered by SEKOLA threat analyst crep1x. Crep1x shared the complete list of the malicious hostnames all of which linked to the same IP address of 185.149.120[.]9.

The malicious hostnames include typosquats for AnyDesk, MSI Afterburner, 7-ZIP, Blender, Dashlane, Slack, VLC, OBS, cryptocurrency trading apps, and others.

According to the researcher, the cloned sites pretended to be an installer for the AnyDesk software, and they were distributing a ZIP file named ‘AnyDeskDownload.zip.’ The installer then installs Vidar stealer instead of installing the remote access software.

After installation, the malware steals victims’ browser history, account credentials, saved passwords, cryptocurrency wallet data, banking information, and other sensitive data. The data will then be sent back to the attackers who could use it for other malicious activities.

To avoid clicking on promoted results (ads) in Google Search, users are advised to bookmark the sites they use for downloading software. They are also advised to find the official URL of a software project from their Wikipedia page or their OS’s package manager.

The sources for this piece include an article in BleepingComputer.