You receive an error message that states, "Your video adapter does not meet the game requirements." The 3D Acceleration option is unavailable. When you try to start one of the games that are listed in the "Applies to" section, you experience one of the following symptoms: Once the file has been copied there then it tries to collect and steal data using sqlite3.dll for exfiltration.DirectDraw or Direct3D option is unavailable Symptoms The list of all the crypto wallets that it tries to steal are provided in the list below:įor Microsoft Edge, the malware accessed the paths where its database is stored and copied the database file to path where malware has executed itself. These are only a few of the wallets that it is looking for. It works in such a way that the malware executes itself and deletes the evidences leaving only the original anydesk binary so that the user won’t get suspicious. The second file was anydesk2.exe, which I believe is the genuine anydesk software application. I quickly made a copy of it for further analysis. With the help of procmon, I found that the installer extracts two files, one is the anydesk1.exe, which is the actual malware and deletes itself after the execution. Opened my Windows 10 VM with IDA pro, process hacker and procmon installed in it and started exploring this installer. I searched around a little bit and found that the malware has been distributed from an unofficial domain called as yet the official domain is I downloaded the malicious installer.
I was very interested since I am also a frequent user of anydesk. It all started when I came across a tweet saying a trojanized anydesk version has been circulating in the wild. I believe this is a Russian malware since it is targeting everyone excluding Russia and some neighboring countries like Belarus and Kazakh. The malware has been hitting browsers and stealing bitcoin crypto wallets of multiple vendors. This blog provides a detailed analysis of anydesk application that has been trojanized and distributed from a ranked unofficial website.
0 kommentar(er)
