We typically see ransomware attacks deployed through exploitation, unwanted malicious e-mails (spam) or malicious Microsoft Office documents.
Anydesk software used to distribute Babuk ransomware
Anydesk is a remote control tool that allows users to access remote computers and other devices running hosted applications.
Babuk ransomware has been very active lately. Its encryption tactics are not much different from those of other ransomware families. Over time, ransomware operators release new versions and improve their attack mechanisms to target new victims.
Figure 1. Primary vector of infection
When the user tries to download the Anydesk software from an unknown, suspicious link, a fake website appears that offers the Anydesk software for download. This fake site looks like the original Anydesk site. When the user clicks to download the Anydesk software, the ransomware is downloaded as well, bundled with the Anydesk software in a self-extracting archive (in this case, one without configuration files). This is done for evasion purposes.
For example, if we search for Anydesk on Microsoft Bing, we get the following result. The first site is not related to the official Anydesk app; after clicking on the setelog site, ads.htm redirects to a malicious site that downloads the ransomware.
![](https://blogs.quickheal.com/wp-content/uploads/2021/11/Picture2-1.png)
Figure 2. Anydesk application search
Similarly, we found one more suspicious link for the Anydesk app, mentioned below.
Website address:
https[:]//Anydesk1[.]websiteseguro[.]com/downloads/windows/?_ga=2.165501695.1936674747.1628634255-780551265.1627305233
Downloaded file name: Setup_Anydesk.exe
![](https://blogs.quickheal.com/wp-content/uploads/2021/11/Picture3.png)
Figure 3. After clicking on the downloaded file, an installation window will appear
We analyzed the downloaded archive and found that it contains a clean Anydesk installer along with a Babuk downloader, a RAT file and a REG file.
![](https://blogs.quickheal.com/wp-content/uploads/2021/11/Picture4.png)
Figure 4. Files that are in an archive
Understanding the infection process
When a user runs the downloaded archive, which claims to be the Anydesk software application, the other files in the package are quietly dropped. The image above shows an AllaKore RAT client named bthudtaskt.exe, a Babuk downloader named mdnsFULLHD.exe and one registry file named Anydesk.Reg, all dropped into the executable's folder without user interaction. The clean Anydesk app is installed and placed on the desktop. All files dropped into the Startup folder are executed using PowerShell and run in the background.
Anydesk.Reg:
The Anydesk.Reg file disables User Account Control by setting the EnableLUA value to 0. It also disables Windows Defender by setting the DisableAntiSpyware value to 1, and disables real-time protection by setting the corresponding values to 1.
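As an added example (not code from the original post or from the malware), the following parser reads a .reg file and flags the tampering settings described above. The sample .reg text is constructed; the key paths are the standard Windows locations of these values, not taken from the actual Anydesk.Reg.

```python
import re

# Constructed sample modelled on the Anydesk.Reg behaviour described above (not the real file).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"DisableBehaviorMonitoring"=dword:00000001
'''

# Value name -> (value that indicates tampering, human-readable effect).
SUSPICIOUS = {
    "EnableLUA": (0, "User Account Control disabled"),
    "DisableAntiSpyware": (1, "Windows Defender disabled"),
    "DisableRealtimeMonitoring": (1, "Defender real-time protection disabled"),
    "DisableBehaviorMonitoring": (1, "Defender behaviour monitoring disabled"),
}

KEY_RE = re.compile(r'^\[(.+)\]$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg(text):
    """Return a list of (key, value_name, int_value) for every DWORD in a .reg file."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)          # a new [HKEY...] section starts
            continue
        m = DWORD_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group(1), int(m.group(2), 16)))
    return entries

def find_tampering(text):
    """Return (key, value_name, effect) for each DWORD that matches a known tampering setting."""
    hits = []
    for key, name, value in parse_reg(text):
        expected = SUSPICIOUS.get(name)
        if expected and value == expected[0]:
            hits.append((key, name, expected[1]))
    return hits

if __name__ == "__main__":
    for key, name, effect in find_tampering(SAMPLE_REG):
        print(f"{effect}: {name} under {key}")
```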
Allakore RAT Client:
AllaKore RAT is a simple open-source remote access tool written in Delphi, and this sample closely resembles the code published on GitHub.
The Babuk downloader launches the AllaKore RAT, which then makes TCP requests, as shown below.
Babuk Downloader:
The 'mdnsFULLHD.exe' file is a PE32 executable for MS Windows, compiled with Delphi. It is huge (~12 MB) because most of its code is devoted to defeating security protections. It launches the AllaKore RAT, invokes the PowerShell Set-MpPreference cmdlet and makes TCP requests, as shown in the image above.
It adds the following exclusion paths for Windows Defender modules through PowerShell Defender-preference cmdlets, so that all of the malware is hidden from Windows Defender.
For example:
```
cmd.exe /c PowerShell -Command Add-MpPreference -ExclusionPath "C:\Users\XXX\Contacts"
cmd.exe /c PowerShell -Command Add-MpPreference -ExclusionPath "C:\Users\XXX\Links"
```
and so on. The above paths are excluded by running cmd.exe. The malware also excludes the drives shown below.
It carries a list of AVs, shown below, and checks whether any antivirus product is installed on the system.
If any antivirus process is running on the system, the following prompt appears, asking the user to intervene and uninstall the product. If the user clicks the Next button, the software removal control panel opens, and in the background the malware checks whether the product has been removed.
The malware disables Task Manager and tampers with all Windows Defender modules.
Further digging in the file revealed that the malware sends an HTTP request to download a .bat file and an .exe file. The URLs used are:
hxxp://suporte01928492.redirectme.net/Update7/Update.bat.rar
hxxp://suporte01928492.redirectme.net/Update7/Update.exe.rar
The downloaded files are saved in the following folder:
"C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup". The malware creates these files, naming them after the username, and then silently executes both files using PowerShell.
Created files: <username>.exe and <username>.bat
For example, if the username is ABC, the files are named ABC.exe and ABC.bat in the folder mentioned above.
Update.bat
- It contains the following settings, applied using PowerShell, which help the malware evade detection:
- Hide status change messages for each user
- Hide Windows Defender notifications from the system tray icon
- Disable confirmation dialogs.
- Waterfall height.
Update.exe: BABUK PAYLOAD
The downloaded Update.exe file is the Babuk ransomware payload. It is packed with UPX and is small, around 25 KB. The malware is written in C/C++.
After execution, it runs vssadmin.exe to delete all shadow copies using the command "vssadmin.exe delete shadows /all /quiet". It also creates a mutex named "DoYouWantToHaveSexWithChuongDong" on the system.
The malware terminates a list of processes that would otherwise block file encryption. It also empties the Recycle Bin by calling the SHEmptyRecycleBinA() function, then enumerates folders and system drives and creates a ransom note in each folder.
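As an added example (not code from the original post), the following triage logic looks for the two command-line behaviours described above: the Add-MpPreference / Set-MpPreference Defender tampering of the downloader and the vssadmin shadow-copy deletion of the payload. The process-creation events are constructed in the style of a Sysmon Event ID 1 export; the image paths are assumptions.

```python
import re

# Constructed sample process-creation records (not real telemetry); the command
# lines mirror the behaviour described above, plus a benign AnyDesk launch.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c PowerShell -Command Add-MpPreference -ExclusionPath "C:\Users\XXX\Contacts"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c powershell -command add-mppreference -exclusionpath "D:\"'},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"Image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "CommandLine": r'"C:\Program Files\AnyDesk\AnyDesk.exe"'},
]

# Each rule: (tag, compiled regex). Case-insensitive because PowerShell cmdlet and
# parameter names are case-insensitive, and tolerant of extra whitespace.
RULES = [
    ("defender_exclusion_added",
     re.compile(r"add-mppreference\s+.*-exclusion(path|process|extension)", re.I)),
    ("defender_realtime_disabled",
     re.compile(r"set-mppreference\s+.*-disablerealtimemonitoring\s+(\$true|1)", re.I)),
    ("shadow_copies_deleted",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all", re.I)),
]

def classify(command_line):
    """Return the list of rule tags whose pattern matches the command line."""
    return [tag for tag, rx in RULES if rx.search(command_line)]

def triage(events):
    """Return (image, tags) for every event that trips at least one rule."""
    hits = []
    for ev in events:
        tags = classify(ev["CommandLine"])
        if tags:
            hits.append((ev["Image"], tags))
    return hits

if __name__ == "__main__":
    for image, tags in triage(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(tags)}")
```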
![](https://blogs.quickheal.com/wp-content/uploads/2021/11/Picture12.png)
Fig. Ransom note
It encrypts all files and appends the extension ".doydo". The extension may vary depending on the downloaded payload version.
![](https://blogs.quickheal.com/wp-content/uploads/2021/11/Picture13.png)
Illustration of encrypted files
The malware appends the string "Chong Dong looks like a hot dog !!" to the end of the content of every encrypted file.
After a successful attack, if the victim does not pay the ransom as demanded, the malware author publishes the victim's data or sells it in underground forums.
Summary:
This use case is not limited to a specific threat actor. However, we believe that this type of infection affects a wide range of Anydesk users. Using tools like Anydesk or other administration tools, malware authors can easily obtain administrative privileges on the victim's computer and perform malicious activity on the system.
Finally, we urge customers to be very careful when clicking links used to download software, or any link received via email, messages or WhatsApp. Always check whether the site is official and secure.
Here are some additional guidelines that will help minimize the attack surface and possible damage to IT infrastructure.
- Avoid downloading software from P2P sites or untrusted torrents. In most cases, they contain malware. In this case, use https://Anydesk.com/en/downloads to download the Anydesk software.
- Always keep your security software (antivirus, firewall, etc.) up to date to protect your computer from newer versions of malware.
- Do not download cracked / pirated software, as it could backdoor your computer with malware.
- Check local and domain users and remove / disable unwanted accounts.
- Do not assign administrator privileges to users.
- Wherever possible, enable multi-factor authentication to ensure that all logins are legitimate.
- Do not stay logged in as an administrator unless necessary.
- Avoid browsing, opening documents, or other normal work activities while logged in as an administrator.
- While signature-based protections alone are not sufficient to detect and prevent sophisticated ransomware attacks designed to evade traditional protections, they are an essential component of a comprehensive security posture.
- Respond carefully and logically to alerts generated by behavior-based detection systems and ransomware protection systems. We prefer to block / reject unknown applications detected by these systems.
- Check RDP access and disable it if not required. Otherwise, set appropriate rules to allow access only from specific and designated hosts.
- In almost all cases, attackers use PowerShell scripts during exploitation, so disable PowerShell on the network. If you need PowerShell for internal use, block PowerShell.exe from connecting to the public internet.
- Always use a combination of online and offline backup of all your files.
How Quick Heal protects its users:
Quick Heal products are equipped with multi-layered detection technologies such as IDS / IPS, EDR, DNA scanning, email scanning, NGAV, web protection and patented anti-ransomware detection. This multi-layered security approach helps us protect our customers from Babuk ransomware and other threats, known and unknown.
Indicators of compromise
Anydesk Innosetup files:
Domains:
Babuk downloader:
AllaKore RAT client:
Babuk payload: