Overview
In the wake of the recent breach at AnyDesk, a popular remote desktop product with over 170,000 customers, in which threat actors stole a code signing certificate, organizations worldwide are on high alert. Although there are rumors of a stolen customer database, this has not been proven as of now. The credentials offered for sale on hacker forums appear to come from earlier infostealer infections on the machines of AnyDesk users, not from AnyDesk itself. How the intrusion happened has not been disclosed yet.
At the time of posting, known-good hashes of AnyDesk releases have not been published, so defenders cannot simply exclude the genuine releases from their threat hunting. The theft of AnyDesk's signing certificate heightens the risk: attackers can sign their own malware with it so that it passes as a legitimate AnyDesk update or release, and Windows and many security products treat it as trusted for as long as the certificate remains valid. Unsuspecting users may then install the malicious build and unknowingly let malware into their systems.
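As an added example (not code from the original post, from AnyDesk or from VMRay), the following stdlib-only Python script hunts a directory tree for PE files whose Authenticode signature carries the Philandro certificate thumbprint used in the VirusTotal query in the references. It walks the PE security directory and the PKCS#7 SignedData structure by hand, so it works offline and independently of whether the operating system still trusts the certificate. Because no signed AnyDesk binary is available here, it builds a constructed stub PE with a placeholder certificate to run against; all function names, and the stub itself, are my own assumptions.

```python
import hashlib
import struct
from pathlib import Path

# SHA-1 thumbprint of the Philandro Software GmbH (AnyDesk) code-signing certificate,
# as used in the VirusTotal query listed in the references.
PHILANDRO_THUMBPRINT = "9CD1DDB78ED05282353B20CDFE8FA0A4FB6C1ECE"
OID_SIGNED_DATA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"   # 1.2.840.113549.1.7.2
OID_DATA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"          # 1.2.840.113549.1.7.1

def der_tlv(buf, pos):
    """Decode one definite-length DER element: (tag, value_start, value_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length

def der_children(buf, start, end):
    """Yield (tag, elem_start, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        elem_start = pos
        tag, vs, ve, pos = der_tlv(buf, pos)
        yield tag, elem_start, vs, ve

def authenticode_blobs(pe):
    """Return every PKCS#7 SignedData blob stored in the PE security directory."""
    if pe[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    opt = e_lfanew + 24                                 # 4-byte signature + 20-byte COFF header
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    if struct.unpack_from("<I", pe, opt + (108 if pe32plus else 92))[0] < 5:
        return []                                       # NumberOfRvaAndSizes: no security directory
    # DataDirectory[4] = IMAGE_DIRECTORY_ENTRY_SECURITY; its "RVA" is really a file offset.
    sec_off, sec_size = struct.unpack_from("<II", pe, opt + (0x90 if pe32plus else 0x80))
    blobs, pos, end = [], sec_off, sec_off + sec_size
    while sec_off and pos + 8 <= end:
        length, _rev, cert_type = struct.unpack_from("<IHH", pe, pos)   # WIN_CERTIFICATE header
        if length < 8:
            break
        if cert_type == 0x0002:                         # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            blobs.append(pe[pos + 8:pos + length])
        pos += (length + 7) & ~7                        # entries are 8-byte aligned
    return blobs

def embedded_certs(blob):
    """Return the DER bytes of each certificate inside a PKCS#7 SignedData blob."""
    tag, vs, ve, _ = der_tlv(blob, 0)                   # ContentInfo ::= SEQUENCE { OID, [0] content }
    kids = list(der_children(blob, vs, ve))
    if tag != 0x30 or len(kids) != 2 or blob[kids[0][2]:kids[0][3]] != OID_SIGNED_DATA:
        return []
    _, sd_vs, sd_ve, _ = der_tlv(blob, kids[1][2])      # SignedData SEQUENCE inside the [0] wrapper
    for t, _, s, e in der_children(blob, sd_vs, sd_ve):
        if t == 0xA0:                                   # certificates [0] IMPLICIT SET OF Certificate
            return [blob[cs:ce] for _, cs, _, ce in der_children(blob, s, e)]
    return []

def thumbprint_of(cert_der):
    """Windows-style thumbprint: SHA-1 over the certificate's DER bytes."""
    return hashlib.sha1(cert_der).hexdigest().upper()

def thumbprints(pe):
    """All certificate thumbprints (signer, intermediates, timestamp chain) present in a PE."""
    return {thumbprint_of(c) for b in authenticode_blobs(pe) for c in embedded_certs(b)}

def hunt(root, thumbprint=PHILANDRO_THUMBPRINT):
    """List PE files under ROOT whose signature carries THUMBPRINT (a triage list, not a verdict)."""
    return [str(p) for p in Path(root).rglob("*") if p.suffix.lower() in {".exe", ".dll", ".sys"}
            and p.is_file() and thumbprint in thumbprints(p.read_bytes())]

def der(tag, payload):
    """Tiny DER encoder, used only to build the constructed sample below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + payload

def fake_signed_pe(cert_der):
    """Constructed sample: stub PE32+ whose security directory holds a PKCS#7 blob with
    CERT_DER as its only certificate. Container layout only, not a valid signature."""
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, OID_DATA))
                      + der(0xA0, cert_der) + der(0x31, b""))
    pkcs7 = der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed_data))
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                  # e_lfanew
    opt = 0x80 + 24
    struct.pack_into("<H", hdr, opt, 0x20B)                   # PE32+ magic
    struct.pack_into("<I", hdr, opt + 108, 16)                # NumberOfRvaAndSizes
    entry_len = 8 + len(pkcs7)
    padded = (entry_len + 7) & ~7
    struct.pack_into("<II", hdr, opt + 0x90, len(hdr), padded)    # security directory
    return bytes(hdr) + (struct.pack("<IHH", entry_len, 0x0200, 0x0002) + pkcs7).ljust(padded, b"\0")

if __name__ == "__main__":
    sample_cert = der(0x30, der(0x13, b"constructed stand-in certificate"))   # placeholder, not X.509
    pe = fake_signed_pe(sample_cert)
    print("thumbprints:", thumbprints(pe))
    print("Philandro cert present:", PHILANDRO_THUMBPRINT in thumbprints(pe))   # False for the stub
```

A hit from `hunt()` means only that the file carries that certificate; the script does not validate the signature, and every genuine AnyDesk build signed before the theft matches as well. Treat the output as a triage list: verify the signatures with signtool or osslsigncode, and compare the hits against the vendor's known-good hashes once those are published.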
Unmasking Hidden Malware: Beyond Signature-Based Detection
In cases like this, it is essential not to rely only on signature-based systems, which often miss never-before-seen malware, but to analyze what a software application actually does when it runs. Through behavioral analysis we were able to uncover hidden malicious activity that would not be evident from static analysis alone.
Against this backdrop, you may want to look for ways to detect and analyze suspicious binaries on your systems. One example is an Agent Tesla sample found on VirusTotal that was signed with AnyDesk's (Philandro Software) certificate. This instance shows how a legitimate digital certificate can be abused to mask malicious activity, thereby complicating detection.
The Agent Tesla sample in question exhibited extensive system fingerprinting: it queried network configuration, collected hardware information, and gathered operating system details. Such reconnaissance indicates the attacker's intent to understand the compromised environment thoroughly, potentially to tailor further exploits or lateral movement within the victim's network.
Moreover, the sample performed process injection, a technique in which malicious code is written into the memory of another process or the control flow of that process is redirected. Here, the binary named "draft itinerary 2024 tour plan – a best outbound client.exe" was observed writing to the memory and altering the thread context of "aspnet_compiler.exe", a legitimate .NET Framework utility; writing a process's memory and then resetting its thread context is the pattern of process hollowing. Injection lets malware run its code under the identity of a trusted, signed process, which helps it evade endpoint security solutions. Note that injection does not by itself grant elevated privileges: the injected code inherits the privileges of the process it lands in.
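The injection sequence described above (a process started suspended, its memory overwritten, its thread context reset, then resumed) can be matched directly in an API-call trace. The following Python is an added example, not VMRay's detection logic or code from the original post. It assumes a sandbox-style trace in which every call is already attributed to a source PID and a resolved target PID; the event layout, the field names and the watch-list of commonly hollowed host binaries are my own assumptions, and the sample trace is constructed to mirror the behavior described for the Agent Tesla sample.

```python
from collections import defaultdict

# Steps of process hollowing (RunPE) in the order a trace shows them:
# spawn a victim suspended -> overwrite its memory -> repoint its main thread -> resume it.
HOLLOWING_STEPS = ("create_suspended", "write_memory", "set_thread_context", "resume_thread")

# Map raw Win32 / native API names onto those steps.
STEP_OF_API = {
    "CreateProcessW": "create_suspended", "CreateProcessA": "create_suspended",
    "WriteProcessMemory": "write_memory", "NtWriteVirtualMemory": "write_memory",
    "SetThreadContext": "set_thread_context", "NtSetContextThread": "set_thread_context",
    "ResumeThread": "resume_thread", "NtResumeThread": "resume_thread",
}
CREATE_SUSPENDED = 0x00000004          # dwCreationFlags bit of CreateProcess*

# Signed Microsoft .NET utilities that commodity stealers routinely use as hollowing hosts
# because they are trusted by default (assumed watch-list; extend as needed).
USUAL_HOSTS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}


def detect_hollowing(events):
    """Scan an API-call trace for the complete hollowing sequence per (injector, victim) pair.

    Each event is a dict with pid, image, api, target_pid, target_image and, for
    CreateProcess*, the dwCreationFlags as 'flags'. Handles are assumed to be already
    resolved to target PIDs, as a sandbox report presents them. Returns one finding per
    pair that completed every step in order; repeated or out-of-order calls are ignored."""
    progress = defaultdict(lambda: {"next": 0, "apis": []})
    findings = []
    for ev in events:
        step = STEP_OF_API.get(ev["api"])
        if step is None:
            continue
        if step == "create_suspended" and not ev.get("flags", 0) & CREATE_SUSPENDED:
            continue                                   # ordinary process creation, not a chain start
        key = (ev["pid"], ev["target_pid"])
        state = progress[key]
        if HOLLOWING_STEPS[state["next"]] != step:
            continue
        state["next"] += 1
        state["apis"].append(ev["api"])
        if state["next"] == len(HOLLOWING_STEPS):
            victim = ev["target_image"]
            findings.append({
                "injector": ev["image"], "pid": ev["pid"],
                "victim": victim, "target_pid": ev["target_pid"],
                "apis": state["apis"],
                "severity": "high" if victim.lower() in USUAL_HOSTS else "medium",
            })
            del progress[key]
    return findings


# Constructed trace modelled on the behaviour described above: the document-named dropper
# hollows aspnet_compiler.exe. The extra lines are noise that must NOT produce a finding.
DROPPER = "draft itinerary 2024 tour plan – a best outbound client.exe"
ASPNET = "aspnet_compiler.exe"
SAMPLE_EVENTS = [
    {"pid": 1204, "image": "explorer.exe", "api": "CreateProcessW", "target_pid": 4120,
     "target_image": DROPPER, "flags": 0x0},                       # user double-clicks the lure
    {"pid": 4120, "image": DROPPER, "api": "CreateProcessW", "target_pid": 5232,
     "target_image": ASPNET, "flags": CREATE_SUSPENDED},
    {"pid": 4120, "image": DROPPER, "api": "NtWriteVirtualMemory", "target_pid": 5232, "target_image": ASPNET},
    {"pid": 4120, "image": DROPPER, "api": "NtWriteVirtualMemory", "target_pid": 5232, "target_image": ASPNET},
    {"pid": 4120, "image": DROPPER, "api": "NtSetContextThread", "target_pid": 5232, "target_image": ASPNET},
    {"pid": 4120, "image": DROPPER, "api": "NtResumeThread", "target_pid": 5232, "target_image": ASPNET},
    # Launcher-style noise: starts a child suspended and resumes it, but never touches its memory.
    {"pid": 7000, "image": "launcher.exe", "api": "CreateProcessW", "target_pid": 7012,
     "target_image": "app.exe", "flags": CREATE_SUSPENDED},
    {"pid": 7000, "image": "launcher.exe", "api": "NtResumeThread", "target_pid": 7012, "target_image": "app.exe"},
]

if __name__ == "__main__":
    for f in detect_hollowing(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['injector']} (pid {f['pid']}) hollowed "
              f"{f['victim']} (pid {f['target_pid']}) via {' -> '.join(f['apis'])}")
```

The per-pair state machine is what keeps the rule tight: a launcher or debugger that starts a child suspended and later resumes it never advances past the first step, while the dropper's second write is simply ignored because the chain is already waiting for the context change.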
Advanced Threat Hunting: Sandboxing as a Weapon Against Evolving Malware
The sophistication of such malware, especially when it hides behind a legitimate certificate, poses a significant threat to organization-wide security and highlights a potential supply chain attack vector. Attackers who exploit trusted certificates distribute malware more effectively, because security tools that rely solely on signature-based detection may not flag it immediately. Such an attack can compromise multiple parts of a supply chain by abusing the trust and interdependencies between organizations and their software providers.
Security tools with advanced sandboxing capabilities, such as VMRay, are essential in this context: they allow the safe execution and analysis of suspicious binaries and expose malicious behaviors that signature-based tools miss. By observing a binary in a controlled environment, a sandbox can identify the actions that betray malicious intent, such as system fingerprinting and process injection, even when the malware hides behind a legitimate certificate.
References:
A curated list of essential resources and links you may want to check out right away:
- AnyDesk FAQ & Public Statement:
https://anydesk.com/en/public-statement
https://anydesk.com/en/faq-incident
- VirusTotal search input for valid signed AnyDesk binaries (by Kevin Beaumont on Mastodon):
signature:"philandro Software GmbH"
signature: 9CD1DDB78ED05282353B20CDFE8FA0A4FB6C1ECE entity:file tag:signed NOT tag:invalid-signature
- YARA Rules to Detect Malicious Binaries:
By Florian Roth: Post on X
- VMRay analysis report (a binary matched by a YARA rule and signed with AnyDesk's (Philandro Software) certificate, which does not mean it is AnyDesk itself):
https://www.vmray.com/analyses/_vt/ac71f9ab4ccb/report/overview.html