A new data extortion group, tracked as Mad Liberator, is targeting AnyDesk users, running fake Microsoft Windows update screens to distract them while they steal data from targeted devices.
The operation came to light in July, and while researchers observing it have not seen any incidents involving data encryption, the gang has said on its data leak site that it uses AES/RSA algorithms to lock files.
Targeting AnyDesk users
According to a report by cybersecurity firm Sophos, Mad Liberator attacks begin with an unsolicited connection to a computer using the AnyDesk remote access application, which is popular among IT teams managing corporate environments.
It is unclear how the threat actor selects its targets, but one theory (although as yet unproven) is that Mad Liberator tries potential addresses (AnyDesk connection IDs) until one accepts the connection request.
If the connection request is approved, the attackers drop a binary named "Microsoft Windows Update" on the compromised system, which displays a fake Windows Update splash screen.
The sole purpose of this ploy is to distract victims while the threat actors use AnyDesk’s file transfer tool to steal data from OneDrive accounts, network shares, and local storage.
While the fake update screen is displayed, the victim’s keyboard is disabled to prevent disruption of the exfiltration process.
The attack observed by Sophos lasted for around four hours, but Mad Liberator did not perform any encryption of the data after it was extracted.
However, to maximize visibility in corporate environments, they dropped ransom notes on shared network directories.
Sophos noted that Mad Liberator was not observed interacting with its targets prior to AnyDesk’s connection request, nor were there any documented phishing attempts in support of the attack.
Regarding Mad Liberator’s extortion process, the threat actor states on their darknet site that they will first contact compromised companies and then “help” them resolve security issues and recover encrypted files once their financial demands are met.
If the victim company does not respond within 24 hours, their name will be published on an extortion portal and they will have seven days to contact the threat actors.
If five more days pass after that ultimatum and the ransom remains unpaid, all of the stolen files are published on Mad Liberator's website, which currently lists nine victims.