Ransomware is usually delivered through malicious spam e-mail (malspam) or malicious Microsoft Office documents in which attackers trick unsuspecting users into enabling macros. In addition to these common tactics, we have found a new campaign that uses fake Anydesk websites to spread Babuk ransomware. Anydesk is a remote-control tool that lets users access remote computers and other devices running its host application.
Babuk ransomware has been very active recently. Its encryption strategy is not very different from that of other ransomware families. Over time, the ransomware releases new variants and improves its attack mechanism to target new victims.
When a user tries to download Anydesk from an unknown, suspicious link, a fake website appears that offers the Anydesk download. This fake website looks like the real Anydesk website. When the user clicks to download Anydesk, the ransomware is downloaded as well, because it is bundled with the Anydesk installer in a self-extracting archive (in this case the download is a self-extracting archive rather than a setup file). This is done purely for deception.
For example, searching for Anydesk on Microsoft Bing yields the results below. The first website is not related to the official Anydesk application; after clicking on the Setlog website, ads.htm redirects to a malicious website that downloads the ransomware.
Similarly, we found another suspicious link for the Anydesk application, shown below.
URL: https[:]//anydesk1[.]websiteseguro[.]com/downloads/windows/?_ga=2.165501695.1936674747.1628634255-780551265.1627305233
Downloaded file name: Setup_Anydesk.exe
We analyzed the downloaded archive and discovered that it contains a clean Anydesk setup along with a Babuk downloader, a RAT client, and a REG file.
Understanding the transmission process
When the user runs the downloaded archive, which pretends to be the Anydesk application, the other files in the bundle are silently dropped. The image above shows the AllaKore RAT client bthudtaskt.exe, the Babuk downloader mdnsFULLHD.exe and the registry file Anydesk.reg being dropped into the Startup folder without any user interaction. The clean Anydesk application is dropped on the desktop and installed. All files dropped into the Startup folder are executed by PowerShell and run in the background.
Anydesk.reg:
The Anydesk.reg file disables User Account Control by setting EnableLUA to 0, disables Windows Defender by setting DisableAntiSpyware to 1, and disables real-time protection by setting the corresponding values to 1.
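A defender who recovers a dropped .reg file from the Startup folder wants to know quickly which settings it would flip. The Python script below is an added example, not code from the original post or from Quick Heal: it parses the .reg format and flags the two policy values the post names (EnableLUA=0 and DisableAntiSpyware=1). The sample .reg text is constructed for the example and is not the real Anydesk.reg; the DisableRealtimeMonitoring value is a real Defender policy value included as a representative real-time-protection setting, since the post does not name the value it observed.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample .reg content modelled on the settings described in the post.
# It is NOT the Anydesk.reg dropped by the malware.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')

# (registry key, value name, value that weakens defences, description)
# Keys and names are compared case-insensitively, as the registry itself does.
TAMPER_RULES: List[Tuple[str, str, int, str]] = [
    (r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system",
     "enablelua", 0, "User Account Control disabled"),
    (r"hkey_local_machine\software\policies\microsoft\windows defender",
     "disableantispyware", 1, "Windows Defender disabled"),
    (r"hkey_local_machine\software\policies\microsoft\windows defender\real-time protection",
     "disablerealtimemonitoring", 1, "Defender real-time protection disabled"),
]


def read_reg_file(path: Path) -> str:
    """Read a .reg file; regedit exports are UTF-16 LE with a BOM, older ones ANSI."""
    raw = path.read_bytes()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def parse_reg(text: str) -> Dict[Tuple[str, str], int]:
    """Return {(key, value_name): dword_value} for every DWORD value in the file."""
    values: Dict[Tuple[str, str], int] = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = DWORD_RE.match(line)
        if m and current_key is not None:
            values[(current_key, m.group("name").lower())] = int(m.group("hex"), 16)
    return values


def find_tampering(text: str) -> List[str]:
    """Describe every value in the file that matches a defence-weakening rule."""
    values = parse_reg(text)
    findings = []
    for key, name, bad_value, description in TAMPER_RULES:
        if values.get((key, name)) == bad_value:
            findings.append(f"{description}: {name}={bad_value} under {key}")
    return findings


if __name__ == "__main__":
    for finding in find_tampering(SAMPLE_REG):
        print(finding)
```

Run it against any exported or recovered .reg file by passing `read_reg_file(Path("file.reg"))` to `find_tampering`; a benign file that leaves EnableLUA at 1 produces no findings.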
AllaKore RAT client:
AllaKore RAT is an open-source, easy-to-use remote access tool written in Delphi; its code is available on GitHub.
The Babuk downloader launches AllaKore RAT, which then makes TCP connection requests, as shown below.
Babuk Downloader:
The file ‘mdnsFULLHD.exe’ is a PE32 executable for MS Windows compiled with Delphi. It is huge (~12 MB) because it contains a lot of code for weakening defenses. It launches AllaKore RAT using the PowerShell cmdlet set-choice, and the RAT then makes TCP requests as shown above.
It uses the PowerShell cmdlet Set-MpPreference to hide the malware from Windows Defender, and adds the following paths as Windows Defender exclusions, for example:
cmd.exe /c PowerShell -Command Add-MpPreference -ExclusionPath “C:\Users\XXX\Contacts”
cmd.exe /c PowerShell -Command Add-MpPreference -ExclusionPath “C:\Users\XXX\Links”
etc.
The exclusions are added by running cmd.exe as shown above. The malware also excludes the drives listed below.
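Exclusion tampering of this kind leaves a clear trace in process-creation telemetry, because the downloader spawns cmd.exe and PowerShell with the Add-MpPreference command line in plain view. The Python script below is an added detection example, not code from the original post or from Quick Heal; it runs simple rules over constructed Sysmon-style process-creation events (the event dictionaries, user name and command lines are made up for the example) and rates whole-drive and user-profile exclusions as high severity, since those are the shapes described above. The -DisableRealtimeMonitoring rule is a real Set-MpPreference parameter included as a second, related tampering pattern.

```python
import re
from typing import Dict, List

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c PowerShell -Command Add-MpPreference -ExclusionPath "C:\Users\alice\Contacts"'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c PowerShell -Command Add-MPPreference -ExclusionPath "C:\Users\alice\Links"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -Command Add-MpPreference -ExclusionPath "D:\"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -Command Get-MpPreference'},   # benign: read-only query
]

# Add-MpPreference / Set-MpPreference with any of the exclusion parameters.
EXCLUSION_RE = re.compile(
    r"(Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+"
    r"(?P<arg>\"[^\"]+\"|'[^']+'|\S+)",
    re.IGNORECASE,
)
# Set-MpPreference switching a protection component off.
DISABLE_RE = re.compile(
    r"Set-MpPreference\b.*?-Disable(RealtimeMonitoring|IOAVProtection|BehaviorMonitoring)\s+\$?true",
    re.IGNORECASE,
)
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")          # "D:" or "D:\"
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\", re.IGNORECASE)


def classify_exclusion(target: str) -> str:
    """Rate how much scanning coverage an exclusion removes."""
    if DRIVE_ROOT_RE.match(target):
        return "high"        # an entire drive is no longer scanned
    if USER_PROFILE_RE.match(target):
        return "high"        # user-writable profile folders are where droppers land
    return "medium"


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per event whose command line tampers with Defender."""
    findings = []
    for event in events:
        cmdline = event["cmdline"]
        m = EXCLUSION_RE.search(cmdline)
        if m:
            target = m.group("arg").strip("\"'")
            findings.append({"rule": "defender-exclusion-added",
                             "severity": classify_exclusion(target),
                             "target": target, "cmdline": cmdline})
        elif DISABLE_RE.search(cmdline):
            findings.append({"rule": "defender-protection-disabled",
                             "severity": "high", "target": "", "cmdline": cmdline})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["severity"].upper(), f["rule"], f["target"] or f["cmdline"])
```

The same two regular expressions can be lifted into an EDR or SIEM query; the point of the severity split is that a single exclusion for an installer directory is common and noisy, whereas excluding C:\Users\... subfolders or a whole drive almost never happens legitimately.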
It contains a list of AV products, shown below, and checks whether any of them are installed on the system.
If an antivirus process is running on the system, the following prompt appears asking the user to intervene and uninstall the product. When the user clicks the Next button, the Control Panel opens so the software can be uninstalled, and in the background the malware checks whether the product has been uninstalled.
The malware disables Task Manager and weakens all Windows Defender modules.
Digging further into the file reveals that the malware sends HTTP requests to download a BAT file and an EXE file. The URLs used are:
“hxxp://suporte01928492.redirectme.net/Update7/Update.bat.rar”
“hxxp://suporte01928492.redirectme.net/Update7/Update.exe.rar”
These downloaded files are stored in the folder “C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup”. The malware creates the files, names them after the username, and then silently executes both using PowerShell.
Files created: <username>.exe and <username>.bat
For example, if the username is ABC, the files in the folder above are named ABC.exe and ABC.bat.
Update.bat
- It contains the following settings, applied through PowerShell, which help keep the malware hidden from the user:
- Hide toggle notifications per user
- Hide Windows Defender notifications in the system tray icon
- Disable dialog prompt.
- Cascade height.
Update.exe: Babuk payload
The downloaded Update.exe is the Babuk ransomware payload. It is a UPX-packed file, small at about 25 KB, and is compiled in C/C++.
Once executed, it launches vssadmin.exe to delete all shadow copies using the command “vssadmin.exe delete shadows /all /quiet”. It creates a mutex in the system named “DoYouWantToHaveSexWithChuongDong”.
The malware terminates all processes in its list that would otherwise interfere with file encryption. It empties the Recycle Bin by calling SHEmptyRecycleBinA(), then enumerates system folders and drives and creates a ransom note in each folder.
It encrypts all files and appends the “.doydo” extension. The extension may vary depending on the payload variant.
The malware appends the string “Chong dong looks like a hot dog !!” to the end of every encrypted file.
After a successful attack, if the victim does not pay the ransom, the malware operators either leak the data or sell it on underground forums.
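Because the payload both renames files and appends a fixed trailer string, an incident responder can scope an infection from either marker, which matters when a variant uses a different extension or a file has been renamed back. The Python script below is an added triage example, not code from the original post or from Quick Heal: it walks a directory tree and sorts files into those identified by the .doydo extension, by the trailer string quoted above, or by both. The extension and trailer come from the post (the trailer is assumed to be stored as plain ASCII); the sample directory tree it builds in a temporary folder is constructed for the example.

```python
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

# Values reported in the post for this payload variant; both are overridable
# because the post notes the extension varies between variants.
MARKER = b"Chong dong looks like a hot dog !!"
EXTENSION = ".doydo"


def has_trailer(path: Path, marker: bytes = MARKER) -> bool:
    """True if the file ends with the ransomware's trailer string (reads only the tail)."""
    size = path.stat().st_size
    if size < len(marker):
        return False
    with path.open("rb") as fh:
        fh.seek(size - len(marker))
        return fh.read(len(marker)) == marker


def triage(root: Path, extension: str = EXTENSION, marker: bytes = MARKER) -> Dict[str, List[str]]:
    """Classify every file under root by which encryption indicators it shows."""
    result: Dict[str, List[str]] = {"both": [], "by_extension": [], "by_trailer": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            by_ext = path.suffix.lower() == extension
            by_trailer = has_trailer(path, marker)
            rel = path.relative_to(root).as_posix()   # stable separators for reporting
            if by_ext and by_trailer:
                result["both"].append(rel)
            elif by_ext:
                result["by_extension"].append(rel)
            elif by_trailer:
                result["by_trailer"].append(rel)
    return result


def build_sample_tree() -> Path:
    """Create a constructed directory tree imitating a partially encrypted share."""
    root = Path(tempfile.mkdtemp(prefix="babuk_triage_"))
    (root / "docs").mkdir()
    # fully encrypted file: renamed and carrying the trailer
    (root / "docs" / "report.docx.doydo").write_bytes(b"\x00" * 64 + MARKER)
    # encrypted content but extension restored by a user: trailer only
    (root / "docs" / "renamed.txt").write_bytes(b"ciphertext-bytes" + MARKER)
    # untouched file
    (root / "docs" / "clean.txt").write_bytes(b"hello world")
    # renamed but too short to hold the trailer: extension only
    (root / "notes.doydo").write_bytes(b"tiny")
    return root


def remove_sample_tree(root: Path) -> None:
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample = build_sample_tree()
    for category, paths in triage(sample).items():
        print(category, paths)
    remove_sample_tree(sample)
```

Files that appear only under by_extension deserve a second look: either they are a different variant with another trailer, or something other than this payload renamed them.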
Conclusion:
This technique is not limited to a specific threat actor; however, we believe that such infections affect a wide range of Anydesk users. Using tools like Anydesk or other remote administration tools, malware authors can easily gain administrative control of the victim’s computer and perform malicious activity on the system.
Lastly, we urge users to be very careful when downloading software or clicking on any link received via e-mail, message or WhatsApp. Always check that the website is official and secure.
Here are some additional guidelines that will help minimize potential damage to the attack surface and IT infrastructure.
- Avoid downloading software from unreliable P2P or torrent sites; they often host malicious software. In this case, use https://Anydesk.com/en/downloads to download the Anydesk software.
- Always keep your security software (antivirus, firewall, etc.) up to date to protect your computer from new forms of malware.
- Don’t download cracked/pirated software, as it risks opening a backdoor for malware into your computer.
- Audit local/domain users and remove/disable unwanted accounts.
- Do not give users administrator privileges.
- Wherever possible, enable multi-factor authentication to ensure that all logins are valid.
- Do not log in as an administrator unless it is strictly required.
- Avoid browsing, opening documents, or other regular activities while logging in as an administrator.
- While signature-based protections alone are insufficient to detect and prevent sophisticated ransomware attacks designed to evade traditional protections, they are an essential element of a comprehensive security approach.
- Respond carefully to the warnings raised by behavior-based detection systems and anti-ransomware protection systems. We recommend blocking/denying unknown applications detected by these systems.
- Audit RDP access and disable it if not needed. Otherwise, set appropriate rules to allow access only from specific, intended hosts.
- In almost all cases, attackers use PowerShell scripts to exploit vulnerabilities, so disable PowerShell on the network. If you need PowerShell for internal use, try blocking PowerShell.exe from connecting to the internet.
- Always use a combination of online and offline backup of all your files.
How Quick Heal protects its users:
Quick Heal products are equipped with multi-level detection technologies such as IDS/IPS, EDR, DNA Scan, email scan, NGAV, web protection, and patented anti-ransomware detection. This multi-layered security approach helps protect our customers from Babuk ransomware and other known and unknown threats.
Indicators of compromise
Anydesk Innosetup file:
- a64beabdb0c9ae6b5dca97b64bbd0358
- d7751f57dca53de35be58c45e623ba54
- b70fb92fadc90efca375850ed503af4d
- 225fcb613c1796a3f27a2b71aba77dc4
- 23c9916a932d3c3b03d9ebee5c2bd6eb
- d443a25c6a4f9c553724da404676dee4
- a0b78a347b3e8b1b17a3db6dda4079e3
- d0af75fc8c88a51b044dad9bfa2cbd17
- 33dd883776eda150f4bdfebe97f00790
- ea34fea96cbbc22091aab8c6a4225326
- 5763a24e3927c6053bb216b09d281c13
Domain:
- myftp.biz
- sytes.net
- redirectme.net
- serveirc.com
- websiteseguro.com/downloads/windows/?_ga=2.165501695.1936674747.1628634255-780551265.1627305233
Babuk Downloader:
- 4935463e3f1f0e498f5928d579405725
- 4e376b65f35727c956782874d2777549
- 64c97cda282fdf8f5906f98d8b5e83d0
- 85deb376e4c3559ce010c8e9a4a6595c
- a5d17bf427f8630e207564b3888af127
- ad4461b7b14faa0dc2b77dbd95ab4330
- aeef6cefcf78c8990a09eee89d831c7f
- db4572ff504436ffb079ef5858176deb
- ead98682c4b5da91fa6380f1858cf8c4
AllaKore RAT client:
- 1486cbb9b4ff1c5aceb67949eefa8cda
- 1bcbc44772aba8c5dd27b964e555a490
- 207ffd69134a589bbb5e24949664234a
- 2719bd7ab3de7b683041cd7c30f1041d
- 2f860f69a4090e9f6bf0833dc322ff77
- 304275544920ab64fc3d17e2c1a30fd7
- 3e45570f7b33f0f4c24bcc7b24b31d85
- 44c696374426167febbc290b8cd1b300
- 45d7c902614f094a846dea70b31bb846
- 4fc57386bfc22265a507adb818ef163e
- 65f7a1e438a33ec75adbc599d2362706
- 83020fda9cd8bc429a4141284ba41b21
- c4a047327be1a3a481083cecbcc1c54d
- d387a74efbb033c1d327a5e1c4a9e6ce
- e5313dd64ce118e49e1dfd461af26835
- f555a28a88f91ec639e5d86bc4c1c3c9
Babuk Payload:
- 0099963e7285aeafc09e4214a45a6a210253d514cbd0d4b0c3997647a0afe879
- 028facff67136de55fe200177a190da625c8e1713b4e7d95bf5fc5412a5afffc
- 0294114d5f411b6c47eb255d4ed6865df99d1c5252f4f585aabf44e6cbacaa59
- 02e9883501635da9b501e715bb827a0b9d0c265991f1263f073eb6c5d9b335c3
- 03110baa5aad9d01610293f2b8cd21b44cc7efa0a465e677d6b3f92510a4b1d7
- 0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f
- 12c561ac827c3f79afff026b0b1d3ddec7c4b591946e2b794a4d00c423b1c8f8
- 15656e1825383c4749fadcc46f9825df6262ca2f1f98d895d64c840febe3d9d3
- 18e282e6806903ff00a78b91f6d0ad1bc3aae4b4846d6a5705c036a88138605f
- 1ab45a508da655ef755ad4394f869c664f664b3ac111875704a583e9485f2238
- 1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994
- 1deb1efad2c469198aabbb618285e2229052273cf654ee5925c2540ded224402
- 1e24560100d010c27cc19c59f9fe1531e4286ecb21fe53763165f30c5f58dc90
- 63b6a51be736d253e26011f19bd16006d7093839b345363ef238eafcfe5e7e85