Vulnerability Management, Threat Management, Malware

Vidar info-stealer deployed in widespread AnyDesk spoofing campaign

More than 1,300 domains have been leveraged in an ongoing, widespread AnyDesk impersonation campaign aimed at distributing the Vidar information-stealing malware, BleepingComputer reports. Identified by SEKOIA threat analyst crep1x, the campaign involves numerous malicious hostnames, including typosquats of AnyDesk, Slack, VLC, 7-Zip, and other apps, all of which resolve to the 185.149.120[.]9 IP address and redirect to a site cloning AnyDesk. All of the sites served a file purporting to be an AnyDesk installer, named "AnyDeskDownload.zip", that actually installs the Vidar stealer, which targets not only browser history and account credentials but also saved passwords, cryptocurrency wallet data, and banking details. The attackers behind the latest campaign have used Dropbox to host the payload rather than relying on redirections, in an attempt to evade detection. BleepingComputer recently observed Vidar being deployed in a separate campaign that used more than 200 typosquatting domains masquerading as 27 software brands.
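The two indicators this report gives a defender are a single shared resolution IP (185.149.120[.]9) and hostnames that are typosquats of AnyDesk, Slack, VLC and 7-Zip. The script below is an added example, not code from the article or from SEKOIA or BleepingComputer: it runs both checks over constructed DNS resolver log lines (the log format, the client IPs, the lookalike hostnames and the known-good allowlist are all assumptions made for the example), flagging any query that resolved to the campaign IP and any hostname whose labels sit within a small edit distance of one of the brand names the article lists.

```python
import re
from dataclasses import dataclass, field

# IoC taken from the article: the IP the typosquat hostnames resolved to.
CAMPAIGN_IP = "185.149.120.9"

# Brands named in the article as typosquat targets (lowercased label form).
BRANDS = ["anydesk", "slack", "vlc", "7zip"]

# Assumed allowlist of legitimate hostnames so the real sites are never flagged.
KNOWN_GOOD = {"anydesk.com", "slack.com"}

# Constructed sample resolver log (not real telemetry). Assumed format:
# "<timestamp> <client-ip> <queried-name> -> <answer-ip>"
SAMPLE_LOG = """\
2023-01-10T09:12:01Z 10.0.0.21 anydesk.com -> 192.0.2.10
2023-01-10T09:12:44Z 10.0.0.21 anydeks.example -> 185.149.120.9
2023-01-10T09:13:02Z 10.0.0.37 slack.com -> 192.0.2.11
2023-01-10T09:13:19Z 10.0.0.37 s1ack-download.example -> 185.149.120.9
2023-01-10T09:14:00Z 10.0.0.44 example.org -> 203.0.113.5
2023-01-10T09:14:31Z 10.0.0.44 vlc-player.example -> 198.51.100.7
2023-01-10T09:15:05Z 10.0.0.52 update-mirror.example -> 185.149.120.9
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)$")


@dataclass
class DnsEvent:
    ts: str
    client: str
    qname: str
    answer: str


@dataclass
class Finding:
    qname: str
    client: str
    reasons: list = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute); a transposition costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def edit_budget(brand: str) -> int:
    """How far a token may deviate and still count as a lookalike.
    Short brands (vlc, 7zip) must match exactly to avoid noise."""
    if len(brand) >= 7:
        return 2
    if len(brand) >= 5:
        return 1
    return 0


def parse_dns_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(DnsEvent(*m.groups()))
    return events


def lookalike_brand(hostname: str):
    """Return the brand a hostname imitates, or None. Each label except the TLD
    is split on '-'/'_' and every token is compared against the brand list."""
    host = hostname.lower().rstrip(".")
    if host in KNOWN_GOOD:
        return None
    for label in host.split(".")[:-1]:
        for token in re.split(r"[-_]", label):
            if not token:
                continue
            for brand in BRANDS:
                if levenshtein(token, brand) <= edit_budget(brand):
                    return brand
    return None


def analyze_dns_log(text: str) -> list:
    """Run the IoC match and the lookalike check over every parsed event."""
    findings = []
    for ev in parse_dns_log(text):
        reasons = []
        if ev.answer == CAMPAIGN_IP:
            reasons.append(f"resolves to campaign IP {CAMPAIGN_IP}")
        brand = lookalike_brand(ev.qname)
        if brand:
            reasons.append(f"lookalike of brand '{brand}'")
        if reasons:
            findings.append(Finding(ev.qname, ev.client, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze_dns_log(SAMPLE_LOG):
        print(f"{f.client} -> {f.qname}: {'; '.join(f.reasons)}")
```

The IoC match is exact and cheap but only catches this campaign's infrastructure; the lookalike check is the more durable of the two, since the same actor re-used typosquatting against 27 brands in the earlier campaign the article mentions. The edit budget is deliberately conservative for short brand names, and the allowlist should be extended with every legitimate domain of a brand you add, or the real sites will surface as hits.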
