Navigating The Aftermath of The AnyDesk Incident: Detecting Signature-Exploiting Malware

In the wake of the shocking AnyDesk incident, a critical question lingers: are we equipped to handle the ever-evolving threat of signature-exploiting malware? Let’s delve deep into the complexities of post-breach detection and uncover the cutting-edge strategies needed to stay ahead of these sophisticated threats.

07 February 2024

Overview

In the wake of the recent breach involving AnyDesk, a popular remote desktop software with over 170,000 customers, in which threat actors managed to steal a code signing certificate, organizations worldwide are on high alert. Although there are rumors that a customer database was stolen, these are not true and remain unproven as of now. The credentials offered for sale on hacker forums appear to come from earlier infostealer infections of AnyDesk users. The nature of the attack is not yet known.

At the time of posting, known-good hashes of AnyDesk releases have not yet been published, so defenders cannot exclude the genuine releases from their threat hunting processes. The theft of AnyDesk's code signing certificate heightens the risk by enabling attackers to sign malicious software so that it appears to be a legitimate update or release from AnyDesk. This deceptive authenticity might have led unsuspecting users to install compromised software, unintentionally letting malware into their systems.

Unmasking Hidden Malware: Beyond Signature-Based Detection

In cases like this, it becomes essential not to rely solely on signature-based systems, which often fail to detect never-before-seen malware, but to actually analyze the behavior of software applications. Through behavioral analysis, we were able to uncover hidden malicious activities that would not be evident through static analysis.

Against this backdrop, organizations may want to look for ways to detect and analyze suspicious binaries on their systems. One example involves an Agent Tesla sample detected on VirusTotal, which was misleadingly signed with AnyDesk's (Philandro Software) certificate. This instance underscores how legitimate digital certificates can be exploited to mask malicious activity, thereby complicating the detection process.

Image 1: VMRay Analysis Report with Extracted Configurations & IOCs

The Agent Tesla sample in question exhibited interesting behaviors, including extensive system fingerprinting: it queried network configurations, collected hardware information, and gathered operating system details. These actions indicate an attacker's intent to thoroughly understand the environment it has infiltrated, potentially to tailor further exploits or lateral movement strategies within the victim's network.

Moreover, the sample demonstrated the ability to perform process injection, a technique in which malicious code is written into the memory of another process, or the control flow of another process is modified. For instance, the binary named "draft itinerary 2024 tour plan – a best outbound client.exe" was observed modifying the memory and altering the thread context of "aspnet_compiler.exe", a legitimate process. These injection techniques matter because they allow malware to execute code in the context of another process, thereby evading detection by endpoint security solutions and gaining elevated privileges.

Advanced Threat Hunting: Sandboxing as A Weapon Against Evolving Malware

The sophistication of such malware, especially when hidden under a legitimate certificate, poses a significant threat to organization-wide security, highlighting a potential vector for supply chain attacks. Attackers exploiting trusted certificates can distribute malware more effectively, as the malicious software might not be flagged immediately by security tools relying solely on signature-based detection. This scenario underscores the potential for such attacks to compromise multiple parts of a supply chain, leveraging the trust and interdependencies between organizations and their software providers.

Security tools with advanced sandboxing capabilities, such as VMRay, are essential in this context because they allow the safe execution and analysis of suspicious binaries, enabling the detection of malicious behaviors that signature-based tools might miss. By observing the behavior of a binary in a controlled environment, sandboxes can identify actions that betray malicious intent, such as system fingerprinting and process injection, even when the malware attempts to hide itself behind legitimate credentials.
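Because the signer itself is compromised, a valid Authenticode signature no longer clears a file; what defenders can do is enumerate every binary signed with the affected certificate and treat each as a candidate for hashing and sandbox analysis. The following PowerShell hunt is an added example, not code from the original post or from VMRay; it uses the certificate fingerprint quoted in the references below, and the scan root, file extensions and output path are assumptions chosen for the example.

```powershell
# Added example: find PE files whose Authenticode signer matches the stolen
# AnyDesk (philandro Software GmbH) certificate fingerprint from the references.
# Assumptions: $ScanRoot, $Extensions and the CSV path are placeholders.
$SuspectThumbprint = '9CD1DDB78ED05282353B20CDFE8FA0A4FB6C1ECE'
$ScanRoot   = 'C:\Users'                 # assumption: where dropped binaries usually land
$Extensions = '*.exe', '*.dll', '*.msi'

$hits = Get-ChildItem -Path $ScanRoot -Recurse -Include $Extensions -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = $sig.SignerCertificate
        # Thumbprint is the SHA-1 fingerprint of the leaf (signer) certificate.
        if ($signer -and $signer.Thumbprint -eq $SuspectThumbprint) {
            [PSCustomObject]@{
                Path        = $_.FullName
                SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Status      = $sig.Status            # Valid, HashMismatch, NotTrusted, ...
                Subject     = $signer.Subject
                NotAfter    = $signer.NotAfter
                Timestamped = [bool]$sig.TimeStamperCertificate
            }
        }
    }

# Every hit is only a candidate: "Valid" means the chain checks out, not that the
# file is genuine. Compare the SHA256 column against vendor-published known-good
# hashes once available, or submit unknown files to a sandbox for behavioral analysis.
$hits | Sort-Object Status | Format-Table -AutoSize
$hits | Export-Csv -Path "$env:TEMP\anydesk-cert-hits.csv" -NoTypeInformation
```

Run it from an elevated session so that files under other users' profiles are readable; files that fail to open are skipped silently and should be revisited if the count of hits looks too low.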

References:

A curated list of essential resources and links you may want to check out right away:

(1) AnyDesk FAQ & Public Statement:
https://anydesk.com/en/public-statement
https://anydesk.com/en/faq-incident

(2) VirusTotal search queries for validly signed AnyDesk binaries (by Kevin Beaumont on Mastodon):
signature:"philandro Software GmbH"
signature:9CD1DDB78ED05282353B20CDFE8FA0A4FB6C1ECE entity:file tag:signed NOT tag:invalid-signature

(3) YARA Rules to Detect Malicious Binaries:
By Florian Roth: Post on X

(4) VMRay analysis report (a binary detected by a YARA rule and signed with an AnyDesk (Philandro Software) signing certificate, but not necessarily AnyDesk itself):
https://www.vmray.com/analyses/_vt/ac71f9ab4ccb/report/overview.html
Ertugrul Kara

Ertugrul Kara is the Senior Product Marketing Manager for VMRay. With a career spanning over 10 years in cybersecurity, he has seen security products advance from open source firewalls to automation-powered threat detection technologies, following the evolution of the threat landscape.

He is currently focused on leading the marketing efforts for VMRay's security automation solutions while improving the alignment of the products with enterprise customer needs.

Previously, he held various roles in early-stage security startups, led product launch and growth strategies, and ran his own startup specialized in network security.
