AnyDesk Phishing Attack Evades Detection with Scheduled Task Persistence

A recent phishing campaign has been identified targeting Russian aerospace and aviation organizations, utilizing the AnyDesk remote access tool to establish persistent backdoors on compromised systems. This operation employs sophisticated techniques to evade detection, including the use of scheduled tasks and meticulous artifact deletion.

The attack initiates with a phishing email that impersonates a legitimate Russian federal research institute associated with aerospace activities. The email, sent from a recently registered domain mimicking the genuine organization, contains a password-protected archive labeled as an invoice. The password is provided within the email body, allowing recipients to access the contents while preventing automated scanners from inspecting the archive.

Upon extraction, the archive reveals an installer crafted with a legitimate packaging tool. This installer deploys files into a hidden directory and displays a decoy PDF to maintain the appearance of a legitimate invoice. Subsequently, a series of batch scripts execute, reaching out to a remote server to download another password-protected archive containing the actual payload.

The payload includes a portable version of AnyDesk, a command-line email tool, a compression utility, and a program named Tray Minimizer, which conceals application windows from the user. The script introduces a delay, likely to bypass automated sandbox analyses, before configuring AnyDesk with a predefined password. This setup enables the attacker to establish remote connections without user prompts, launching AnyDesk discreetly in the background.

To maintain persistence, the script creates a scheduled task disguised as a routine update process. This task ensures that AnyDesk runs automatically at system startup, providing the attacker with continuous access to the compromised machine. Additionally, the script packages AnyDesk’s configuration files, connection settings, and certificates into a new password-protected archive. This archive is then sent to an attacker-controlled email address using a legitimate SMTP mailing utility, granting the operators the necessary credentials to manage the session remotely.

To further evade detection, the script meticulously deletes all artifacts related to the attack, including the initial installer, batch scripts, and downloaded archives. This thorough cleanup process minimizes the likelihood of discovery by security tools or manual inspections.

Analysts from Seqrite have documented this campaign, noting its resemblance to tactics employed by the threat actor known as Rare Werewolf, also referred to as Librarian Ghouls. This group has a history of targeting industrial, engineering, and aerospace organizations across Russia, Belarus, and Kazakhstan.

The use of legitimate tools like AnyDesk, combined with sophisticated evasion techniques, underscores the evolving nature of cyber threats. Organizations must remain vigilant, implementing robust email filtering, user education, and endpoint detection measures to mitigate such risks.