Hackers Use Fake Windows Update to Steal Your Data

Mad Liberator is a new cyber threat actor group observed in mid-July 2024 whose primary tactic is data exfiltration, where they steal sensitive information from victim systems. 

While not confirmed, other security sources suggest they may also use encryption alongside data theft (double extortion), and to gain access, they exploit popular remote access tools like Anydesk, potentially compromising already-connected devices.  

Then they leverage a fake update screen to distract victims while stealing data by pressuring victims into paying by threatening to publish stolen information on a dedicated leak site.  

Mad Liberator’s disclosure site

AnyDesk assigns a unique ten-digit ID to each device, allowing users to initiate remote sessions by entering the ID or accepting incoming connection requests. 

Attackers can potentially brute-force these IDs or exploit user trust by impersonating legitimate entities, such as IT support, to gain unauthorized access when unsuspecting users approve incoming connections. 

Following a successful connection, the attacker deployed a malicious binary disguised as “Microsoft Windows Update” (SHA256: f4b9207ab2ea98774819892f11b412cb63f4e7fb4008ca9f9a59abc2440056fe) onto the victim’s system. 

An all-too-unremarkable Windows Update screen

This binary executed a simple function, presenting a deceptive Windows update interface to the user, effectively concealing the malware’s true intent and allowing it to bypass most antimalware detection systems. 

The attacker escalated privileges by disabling the victim’s keyboard and mouse using Anydesk, masking malicious activity behind a seemingly benign screen. 

Exploiting the compromised system, the attacker accessed and exfiltrated sensitive company data from OneDrive and a network share via Anydesk FileTransfer. 

To identify potential targets for lateral movement, they scanned the network using an advanced IP scanner, though no further compromise was attempted. 

The ransom note received by the victim

Following data exfiltration, the attacker deployed a ransomware program to generate multiple ransom notes on a shared network location, threatening data disclosure and reputational damage. 

These actions were concealed by a fake Windows update screen while the attacker maintained remote access via AnyDesk. The ransomware binary, manually initiated, persisted on the system without any scheduled re-execution mechanism. 

According to Sophos, the attack exploited user trust in routine AnyDesk requests, emphasizing the need for continuous staff training on recognizing and responding to social engineering tactics. 

Implementing AnyDesk Access Control Lists to restrict connections to specific devices significantly mitigates unauthorized access risk. Organizations should establish clear policies for IT-initiated remote sessions and enforce them through regular communication and training. 

Mad Liberator’s emergence highlights the persistent threat of ransomware groups employing sophisticated social engineering tactics. While the group’s longevity remains uncertain, its exploitation of remote access tools underscores the ongoing challenge of balancing security and usability in modern IT environments. 

Organizations must rigorously assess security recommendations for remote access applications, implementing and documenting risk mitigation strategies to protect against these evolving threats. 

Also Read:

Kaaviya
Kaaviyahttps://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.

Recent Articles

Related Stories

LEAVE A REPLY

Please enter your comment!
Please enter your name here