The stealer was developed in python and then converted into an executable file. The figure below shows the static details of the malicious binary file.įigure 4 – Static file details of Mitsu Stealer The downloaded Anydesk.exe file is a 64-bit Microsoft Visual C/C++ GUI-based Windows executable with a file size of ~28MB. The detailed behavior of the stealer is explained in the Technical Details section. We have discovered that the downloaded Anydesk.exe file is a stealer dubbed “MITSU STEALER.” Our investigation also shows that the TA created the stealer based on the code in the GitHub repository. The TA has also added the fake jobs opening on the phishing site in the Company -> Career section to appear genuine.įigure 3 – Fake job opening posted on phishing site When a user clicks on the “Order Now” button, it redirects the user to the subscription page, similar to the official Anydesk website, as shown in the below image. The phishing site is well-designed, and the TAs behind this phishing campaign has implemented all tabs present on the website. The phishing site looks very similar to the genuine Anydesk website. The initial infection starts when the user clicks on the “Downloads” button present in the phishing site, which downloads a malware named “Anydesk.exe” file from the remote server.įigure 1 – Phishing site impersonating AnyDesk and downloading malware
AnyDesk is a remote desktop application that offers remote access to other computers, file transfer, and other functionalities.
Recently, CRIL identified a phishing site, “ hxxp://anydeskml,” impersonating a genuine AnyDesk website. Generally, the link of these phishing pages arrives to users via SMS, Email, social networks, etc.Ĭyble Research and Intelligence Labs (CRIL) has also been regularly monitoring various phishing campaigns and discussing them.
Phishing sites are becoming an increasingly attractive target for Threat Actors (TAs) to lure victims into stealing sensitive information, and downloading other malware, such as RAT, Ransomware, etc., to damage the victim’s machine. Dubbed information stealer spotted stealing sensitive Data
0 kommentar(er)
