A newly discovered ransomware program drops its
malicious payload alongside the perfectly legitimate AnyDesk remote desktop
tool, possibly as a means to evade detection, according to researchers.
A sample of the malware, detected as
RANSOM_BLACKHEART, was found to generate a ransom note demanding a modest sum
of $50 in bitcoins in exchange for decrypting affected files, Trend Micro
reports in a May 1 blog post. The company refers to BLACKHEART as a
"fairly common ransomware, with a routine that encrypts a variety of files
that use different extensions as part of its routine."
While it's known that BLACKHEART infects its
victims via malicious sites, the company does not at this time understand the
specifics of that process. Trend Micro also found a similar sample that bundled
AnyDesk with the keylogger TSPY_KEYLOGGER.THDBEAH instead.
Developed by AnyDesk Software GmbH in Germany,
AnyDesk provides users with bidirectional remote access between personal
computers running on various operating systems and unidirectional access on the
Android and iOS mobile platforms. Other features include Transport Layer
Security, file transfers and client-to-client chat.
"We believe bundling AnyDesk with the
ransomware might be an evasion tactic," the blog post explains. "Once
RANSOM_BLACKHEART is downloaded, AnyDesk will start running in the affected
system's background -- masking the true purpose of the ransomware while it
performs its encryption routine."
Trend Micro researchers also speculate that cyber
offenders may be experimenting with AnyDesk as an alternative to TeamViewer, a
similar tool that has previously been abused by ransomware -- although in that
case, it was confirmed that TeamViewer connections were actually used to
install the malicious code.
Trend Micro reports that AnyDesk "has
acknowledged the existence of the ransomware, and has stated that they will be
discussing possible steps they can take."