
CTI Roundup: Mad Liberator Ransomware Targets AnyDesk Users

New tools appear in ongoing social engineering campaign, Mad Liberator ransomware targets AnyDesk users, and Bitdefender explores the evolving cybercriminal underground

Emerging Issue

This week, CTI provides the latest updates from an ongoing social engineering campaign. Next, CTI looks at a relatively new ransomware operation called Mad Liberator. Finally, CTI wraps up with an overview of how the cybercriminal underground has evolved over the years.

1. New tools appear in ongoing social engineering campaign

Rapid7 has been tracking an ongoing social engineering campaign over the course of a few months. They are now observing a change in the tools the threat actor is using, including a shift from native Windows binaries to a .NET executable that pretends to download email spam filters.

According to Rapid7, the threat actor’s lure does not appear to change throughout this campaign. The actor sends a large quantity of emails to a victim and then calls the user (usually through Teams), pretending to offer a solution to the “problem.” The actor convinces the victim to install AnyDesk, allowing them to remotely access the device and carry out malicious activities.

The actor then executes antispam.exe, which pretends to download an email spam filter. This fake spam filter requires the user to input their credentials. The actor follows up with a series of binaries and scripts to connect to its C2 server. Several follow-on payloads have been observed in addition to reverse SSH tunnels and the Level remote monitoring and management (RMM) tool for lateral movement.

Technical details

While examining the secondary payloads leveraged in the attack, Rapid7 discovered that many of the payloads were signed with the same certificate.

Antispam.exe

As noted above, this is a credential harvester that pretends to be an email spam filter. The program runs through a loop that prints the same message 1,023 times to the window. This fake loop ends with a prompt for the user to enter their credentials, after which a fake success message is displayed.

Updatex.exe

The actor then runs a series of executables, each beginning with the word “update” followed by a number. The executables are all signed with the same certificate, but each performs a different function.

  • Update1.exe pretends to be an installer for Yandex Disk, which is a cloud storage and file-sharing service. The payload will decrypt and execute a second executable via local PE injection. This second stage executable is a beacon and will reach out to the C2 server via a Golang HTTP client request. Rapid7 believes that, based on embedded strings, the server it connects to functions as a socks proxy.
  • Update4.exe pretends to be a copy of APEX Scan, an AV scanner from Trend Micro, but contains malicious code. Once executed, it launches shellcode responsible for reaching out to the C2 and serving as a socks proxy.
  • Update6.exe attempts to exploit CVE-2022-26923 as a way to add a machine account if the domain controller is vulnerable. The source code is believed to have been copied from a publicly available Cobalt Strike module.
  • Update7.exe, along with Update8.exe, contains SystemBC malware. This malware functions as a socks proxy but also as a dropper for additional payloads.
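
The shared signing certificate and the antispam.exe / update<N>.exe naming pattern described above are both usable as hunt pivots in endpoint telemetry. The following is an added example (not code from Rapid7 or from this roundup) that runs such a hunt over constructed Sysmon-style process-creation records; the paths, user names and signer thumbprints are placeholders, not indicators from the report.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation records; the paths and signer
# thumbprints are placeholders, not indicators from the Rapid7 report.
ANYDESK = r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"
EVENTS = [
    {"ts": "2024-08-12T14:01:05", "image": r"C:\Users\u1\Downloads\antispam.exe", "parent": ANYDESK, "signer": "THUMB-ACTOR-1"},
    {"ts": "2024-08-12T14:09:40", "image": r"C:\Users\u1\Downloads\update1.exe", "parent": ANYDESK, "signer": "THUMB-ACTOR-1"},
    {"ts": "2024-08-12T14:15:02", "image": r"C:\Users\u1\Downloads\update4.exe", "parent": ANYDESK, "signer": "THUMB-ACTOR-1"},
    {"ts": "2024-08-12T14:21:18", "image": r"C:\Users\u1\Downloads\update6.exe", "parent": ANYDESK, "signer": "THUMB-ACTOR-1"},
    {"ts": "2024-08-12T14:22:00", "image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe", "signer": "THUMB-MSFT"},
    {"ts": "2024-08-12T14:30:00", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "parent": r"C:\Windows\explorer.exe", "signer": "THUMB-MOZILLA"},
]

# Naming pattern described in the report: antispam.exe followed by update<N>.exe.
LURE_NAME = re.compile(r"^(antispam|update\d+)\.exe$", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1]

def spawned_by_anydesk(ev):
    return basename(ev["parent"]).lower() == "anydesk.exe"

def lure_named_children(events):
    """Processes matching the campaign's naming pattern whose parent is AnyDesk."""
    return [ev for ev in events if spawned_by_anydesk(ev) and LURE_NAME.match(basename(ev["image"]))]

def shared_signer_clusters(events, min_images=2):
    """Signer thumbprints that sign several distinct binaries launched under AnyDesk.

    One certificate reused across unrelated-looking images (a 'spam filter', a
    'Yandex Disk installer', an 'AV scanner') is the pivot Rapid7 used to tie
    the payloads together; here it becomes a hunt query over endpoint telemetry.
    """
    by_signer = defaultdict(set)
    for ev in events:
        if spawned_by_anydesk(ev):
            by_signer[ev["signer"]].add(basename(ev["image"]).lower())
    return {s: sorted(names) for s, names in by_signer.items() if len(names) >= min_images}

if __name__ == "__main__":
    for ev in lure_named_children(EVENTS):
        print("lure-named child of AnyDesk:", ev["ts"], ev["image"])
    for signer, names in shared_signer_clusters(EVENTS).items():
        print("signer", signer, "reused across", names)
```

In real telemetry the signer field would be the certificate thumbprint or subject recorded by Sysmon or the EDR, and legitimate vendors also sign many binaries, so the cluster result is a triage list to combine with the AnyDesk-parent condition, not an alert on its own.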

Analyst comments from Tanium’s Cyber Threat Intelligence team

The threat actor is changing the tools/payloads in the attack, but not the initial lure. It’s apparent that the threat actor must be having some level of success by bombarding victims with emails and then calling to offer a solution to the problem they created.

That said, it’s surprising to think that this lure may be proving to be successful. Organizations must anticipate these calls in advance and be on the lookout for fraudulent activity.

2. Mad Liberator ransomware targets AnyDesk users

Sophos has recently been investigating a relatively new ransomware operation called Mad Liberator. This actor first appeared in July 2024 and targets victims with AnyDesk installed, making unsolicited calls in hopes that a victim will accept the connection request.

Like many ransomware operations, Mad Liberator focuses on data exfiltration. Sophos has not yet observed any cases in which the actor encrypted data, though some other research suggests that the group may occasionally use encryption. The actor maintains a data leak site to publish its victims to and primarily uses social engineering techniques for initial access.

Mad Liberator’s attack flow

The threat actor heavily relies on the use of AnyDesk and targets victims with it already installed. Sophos has not identified how the attacker targets a particular AnyDesk ID and has not identified connections or contact between the actor and the victim before the victim receives an unsolicited AnyDesk connection request.

In the incident that Sophos observed, the victim knew that AnyDesk was legitimately used by their organization’s IT department and assumed that the connection request was part of the IT team’s normal operations. Once the victim accepted the connection request the threat actor was able to transfer a malicious binary to their device and execute it.

The transferred binary was called “Microsoft Windows Update” to avoid suspicion and even displayed a screen to the victim that mimicked a Windows update. The actor then used a feature of AnyDesk to disable input from the user’s keyboard and mouse so that they could not attempt to interfere with the execution.

While the fake Windows update was displayed to the user, the actor went on to access the victim’s OneDrive account. They used the “AnyDeskFileTransfer” option to exfiltrate files from the OneDrive account. The actor then used Advanced IP Scanner to see whether other devices in the network could be accessed laterally. After exfiltration, the actor created several ransom notes and dropped them at multiple locations, not just on the victim’s device.
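
The attack flow above is a short sequence: a remote session starts, a binary masquerading as Windows Update runs from a user-writable path, and a network scanner is launched, all within minutes and under the same user. The following is an added example (not from Sophos or this roundup) that correlates that sequence over constructed events in a generic schema; it does not use AnyDesk's or Sysmon's real log format, and the user names, paths and 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed events in a generic schema; this is not AnyDesk's or Sysmon's real
# log format, and the user names and paths are placeholders.
EVENTS = [
    {"ts": "2024-08-01T09:00:00", "kind": "remote_session_start", "tool": "AnyDesk", "user": "jdoe"},
    {"ts": "2024-08-01T09:02:10", "kind": "process_start", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\Microsoft Windows Update.exe"},
    {"ts": "2024-08-01T09:05:30", "kind": "process_start", "user": "jdoe",
     "image": r"C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe"},
    # Genuine Windows Update client hours later: system path, outside the window.
    {"ts": "2024-08-01T12:00:00", "kind": "process_start", "user": "jdoe",
     "image": r"C:\Windows\System32\wuauclt.exe"},
    # Same scanner run by an admin with no remote session: no alert.
    {"ts": "2024-08-02T10:00:00", "kind": "process_start", "user": "asmith",
     "image": r"C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe"},
]
WINDOW = timedelta(minutes=30)  # assumed: how long after session start we keep watching

def basename(path):
    return path.rsplit("\\", 1)[-1]

def masquerades_as_windows_update(image):
    """A 'Windows Update' named binary running from outside C:\\Windows."""
    return "windows update" in basename(image).lower() and not image.lower().startswith("c:\\windows\\")

def is_network_scanner(image):
    return basename(image).lower() == "advanced_ip_scanner.exe"

CHECKS = [("masquerading_windows_update", masquerades_as_windows_update),
          ("network_scanner_after_remote_session", is_network_scanner)]

def correlate(events):
    """Flag suspicious process starts by the same user shortly after a remote session begins."""
    parsed = sorted(events, key=lambda e: e["ts"])
    findings = []
    for s in (e for e in parsed if e["kind"] == "remote_session_start"):
        t0 = datetime.fromisoformat(s["ts"])
        for e in parsed:
            if e["kind"] != "process_start" or e["user"] != s["user"]:
                continue
            if not t0 <= datetime.fromisoformat(e["ts"]) <= t0 + WINDOW:
                continue
            for label, check in CHECKS:
                if check(e["image"]):
                    findings.append((label, s["user"], s["tool"], e["image"]))
    return findings
```

Scoping the checks to the window after a remote-support session is what keeps an IT team's legitimate use of Advanced IP Scanner from firing on its own.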

Analyst comments from Tanium’s Cyber Threat Intelligence team

For Mad Liberator to work, an end user must first accept an unsolicited AnyDesk connection request. This technique should appear suspicious to end users.

If this actor evolves to leverage additional social engineering in its initial access methods, it will likely be much more successful in getting users to accept AnyDesk connection requests.

3. Bitdefender explores the evolving cybercriminal underground

A recent report from Bitdefender explores how the cybercriminal underground continues to evolve.

“Gone are the days of the bragging rights hacks that were (relatively) harmless,” Bitdefender says. “Now threat actors work as part of well-oiled organizations, racking up millions per year by outright compromising organizations or lending their services to other, less-skilled adversaries.”

According to Bitdefender, this shift was driven by a wider digital attack surface, the emergence of more dark web marketplaces, large volumes of leaked data, private communication platforms like Signal and Telegram, cryptocurrency, and higher payouts.

Today there are many different types of cybercriminal organizations leveraging the dark web. These range from independent actors and small- to medium-sized groups to large groups like Conti. Regardless of the type of group, they tend to use the cybercriminal underground to make money. This is often accomplished by selling exploits, stolen data, malware, ransomware, access to compromised organizations, services, and more.

Bitdefender outlines a few specific things that are driving activities on the cybercriminal underground:

  • Spam and phishing services comprise a significant portion of the cybercriminal underground. These services are typically offered via the dark web or other communication platforms and can be extensive. Customers have the option to purchase individual pieces of the service, such as bulk email lists, access to compromised servers, and phishing kits.
  • Proxies for hire are another component of the underground market. Malicious proxies often leverage infected networks to mask the origin of malicious activity. Threat actors leverage these proxies to launch attacks and make it challenging for defenders to determine the true origin of the activity. They also provide a level of anonymity for the actor.
  • APT groups will often attempt to mask their espionage-focused efforts with ransomware and will mimic TTPs of other actors to avoid attribution.

Recent advancements

Bitdefender noticed a few patterns that reveal how the landscape is continuing to shift. For example, one pattern is seen in information sharing. Just like organizations openly share information to help the broader world protect against specific security threats, actors are also sharing educational information and notices about law enforcement tactics to help prevent other actors from being caught.

Another trend is seen in the adoption of AI, which is being used by less sophisticated actors as a cheat code to carry out more sophisticated attacks.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Threat actors are constantly adapting to the changing world around them and reacting to geopolitical and technological advancements to remain effective.

According to Bitdefender, there is no single answer or solution that can completely eliminate the risk that threat actors pose. However, “by understanding how they work, what motivates them, and how they’re actively attacking organizations, you can make more informed decisions as you develop a comprehensive cyber resiliency strategy.”


Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.