Hundreds of fake AnyDesk sites push Vidar info-stealing malware


A large impersonation campaign is aimed at spreading the Vidar infostealer to as many endpoints as possible.

A SEKOIA cybersecurity researcher who goes by the handle crep1x discovered the campaign and raised the alarm on Twitter. In a short Twitter thread, the researcher said he had found more than 1,300 domains, all posing as major software brands in order to push the malware.

The brands impersonated in this campaign include AnyDesk, MSI Afterburner, 7-ZIP, Blender, Dashlane, Slack, VLC, OBS, and cryptocurrency trading apps, to name a few. All of these counterfeit sites lead to the same website, which is a clone of the AnyDesk site.

Stealing passwords and cryptocurrency

For the uninitiated, AnyDesk is a remote desktop application that allows users to access PCs remotely, transfer files, and use it as a VPN.

Victims who navigate to these sites and try to download the application are redirected to a Dropbox folder that hosts the Vidar infostealer. Vidar, a variant of the Arkei infostealer, can steal credit card data, credentials, files, and screenshots. It is also capable of stealing cryptocurrencies, such as bitcoin or ether, from victims' hot wallets (software wallets).

According to BleepingComputer, which reported on crep1x's findings earlier this week, the campaign is still active and many of the typosquatted domains remain online, although some have since been taken down. Dropbox was also made aware that its service was being misused to distribute malware and has since disabled the link.

However, since all of the malicious sites point to the same place, the threat actors can easily persist simply by updating the download URL.

The best way to protect against such attacks is to be extra careful when downloading software and to make sure that apps come only from verified sources. In this case, navigating directly to the AnyDesk website (as opposed to clicking a supposed AnyDesk link in an email or social media post) is a good place to start.

Via: BleepingComputer
