reqopsoc.blogg.se

Anydesk app hacking

This isn’t the first time we’ve seen a fake version of AnyDesk, the popular remote desktop application, pushed via ads appearing in Google search results. On Wednesday, breach prevention firm Morphisec posted an advisory in which it said that over the past month it has investigated the origins of paid ads that appear on the first page of search results and that lead to downloads of malicious AnyDesk, Dropbox and Telegram packages wrapped as ISO images.

Sophos researchers investigating the ransomware deployment found that the main sequence starts with attackers using PDQ Deploy to run and execute a batch script called "love.bat," "update.bat," or "lock.bat" on targeted machines. The script issues and implements a series of consecutive commands that prepare the machines for the release of the ransomware and then reboots into Safe Mode. The command sequence takes approximately five seconds to execute and includes disabling Windows update services and Windows Defender and then attempting to disable the components of commercial security software solutions that can run in Safe Mode. It also includes installing the legitimate remote administration tool AnyDesk and setting it to run in Safe Mode while connected to the network, ensuring continued command and control by the attacker, and finally setting up a new account with auto login details and then connecting to the target's domain controller to remotely access and run the ransomware executable, called update.
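The following added example, which is not from the article or from Sophos, correlates process-creation events per host and alerts when several stages of the sequence described above occur close together. The host names, sample events, 60-second window, three-stage threshold and every pattern other than the batch-file names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Batch-file names come from the text above; the other patterns are assumptions
# based on standard Windows mechanisms (bcdedit, SafeBoot and Winlogon keys, sc).
STAGES = {
    "named_batch": re.compile(r"\b(love|update|lock)\.bat\b", re.I),
    "safe_boot": re.compile(r"bcdedit.*\bsafeboot\b", re.I),
    "safe_mode_service": re.compile(r"\\Control\\SafeBoot\\(Network|Minimal)\\", re.I),
    "auto_logon": re.compile(r"\\Winlogon\b.*\b(AutoAdminLogon|DefaultPassword)\b", re.I),
    "service_disable": re.compile(r"\b(wuauserv|WinDefend)\b.*\bdisabled\b", re.I),
}
WINDOW = timedelta(seconds=60)  # assumption; the text cites roughly five seconds
THRESHOLD = 3                   # distinct stages on one host before alerting


def stages_in(cmdline):
    """Names of every stage whose pattern appears in one command line."""
    return {name for name, rx in STAGES.items() if rx.search(cmdline)}


def correlate(events):
    """Map host -> sorted stages for hosts reaching THRESHOLD stages inside WINDOW."""
    alerts, per_host = {}, {}
    for ts, host, cmdline in sorted(events):
        hits = per_host.setdefault(host, [])
        hits.extend((ts, stage) for stage in stages_in(cmdline))
        recent = {stage for t, stage in hits if ts - t <= WINDOW}
        if len(recent) >= THRESHOLD:
            alerts[host] = sorted(recent | set(alerts.get(host, [])))
    return alerts


def at(seconds):
    return datetime(2022, 1, 1, 3, 0, 0) + timedelta(seconds=seconds)


# Constructed process-creation events (time, host, command line); arguments truncated.
SAMPLE_EVENTS = [
    (at(0), "WS-014", r"cmd.exe /c C:\Windows\Temp\love.bat"),
    (at(1), "WS-014", r"sc config wuauserv start= disabled"),
    (at(2), "WS-014", r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AnyDesk <truncated>"),
    (at(3), "WS-014", r"reg add HKLM\<truncated>\Winlogon /v AutoAdminLogon <truncated>"),
    (at(4), "WS-014", r"bcdedit /set <truncated> safeboot network"),
    (at(0), "WS-020", r"bcdedit /set <truncated> safeboot minimal"),  # lone admin change
    (at(900), "WS-020", r"cmd.exe /c D:\tools\update.bat"),           # unrelated script
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, stages)
```

Requiring several distinct stages on one host keeps a single Safe Mode change or a commonly named batch file from alerting on its own.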


The Sophos Rapid Response team has so far seen AvosLocker attacks in the Americas, Middle East and Asia-Pacific, targeting Windows and Linux systems. AvosLocker is a relatively new ransomware-as-a-service that first appeared in late June 2021 and is growing in popularity, according to Sophos.











