Tuesday, March 19, 2024

New Ransomware Called “BlackRouter” Attack launched through Well-known Legitimate Remote Desktop Tool

Newly discovered BlackRouter ransomware propagating thorough Well-known remote desktop tool called AnyDesk along with malicious Payload.

AnyDesk is widely used Remote Desktop Tool similar to Teamviewer that capable of bidirectional remote control between different desktop operating systems, including Windows, macOS, Linux and FreeBSD, as well as unidirectional access on Android and iOS.

Cybercriminals abusing AnyDesk to distribute the new BlackRouter ransomware with the AnyDesk tool package bundle to infiltrate the victim’s system.

BlackRouter Ransomware bundle with legitimate tool might the technique that attackers used to evade the security software detection.

BlackRouter ransomware Infection Process

Initial propagation starts from vicitms who have been downloaded this ransomware unknowingly from the various malicious website or compromised sites that turned into a malware distribution medium.

Later ransomware dropped two different files into victims computer and execute it to perform the further malicious process.

  • %User Temp%\ANYDESK.exe
  • %User Temp%\BLACKROUTER.exe

First file contains AnyDesk that can perform file transfers, provide a client to client chat and can also log sessions. in this case, attackers using an old version of AnyDesk not a new version.

Second file referred to the actual BlackRouter ransomware to encrypt the infected system files that encrypt different type of extension such as .gif, .mp4, .pdf, .xls etc.

According to Trend Micro, During the infection process, AnyDesk will start running in the affected system’s background and BlackRouter ransomware searches the files in following folders and encrypt all the files.

  • %Desktop%
  • %Application Data%
  • %AppDataLocal%
  • %Program Data%
  • %User Profile%
  • %System Root%\Users\All Users
  • %System Root%\Users\Default
  • %System Root%\Users\Public
  • All Drives except for %System Root%

After it completes the encryption process, it displays the ransom notes that contain the detailed information about what just could happen within the infected computer.

It demands to pay $50 in bitcoin to provide an access to the locked files. and its says, once vicitms paid the ransom amount then they will receive the decryption key via Telegram.

Also, it warned vicitms not to shut down the computer and if they do that then all the encrypted files will be locked forever.

Cybercriminals may be experimenting with AnyDesk as an alternative because Teamviewer’s developers have acknowledged its abuse, and have also included some anti-malware protection in some of its tools. Reserachers said.

Website

Latest articles

Hackers Exploiting Microsoft Office Templates to Execute Malicious Code

In a cyberattack campaign dubbed "PhantomBlu," hundreds of employees across various US-based organizations were...

How ANY.RUN Malware Sandbox Process IOCs for Threat Intelligence Lookup?

The database includes indicators of compromise (IOCs) and relationships between different artifacts observed within...

CryptoWire Ransomware Attacking Abuses Schedule Task To maintain Persistence

AhnLab security researchers detected a resurgence of CryptoWire, a ransomware strain originally prevalent in...

E-Root Admin Sentenced to 42 Months in Prison for Selling 350,000 Credentials

Tampa, FL – In a significant crackdown on cybercrime, Sandu Boris Diaconu, a 31-year-old...

WhiteSnake Stealer Checks for Mutex & VM Function Before Execution

A new variant of the WhiteSnake Stealer, a formidable malware that has been updated...

Researchers Hacked AI Assistants Using ASCII Art

Large language models (LLMs) are vulnerable to attacks, leveraging their inability to recognize prompts...

Microsoft Deprecate 1024-bit RSA Encryption Keys in Windows

Microsoft has announced an important update for Windows users worldwide in a continuous effort...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles