Sophos X-Ops analyzes Mad Liberator, a new ransomware group active since mid-July 2024, which mainly exfiltrates data using social engineering and AnyDesk remote access. The piece details the group’s methods, including a fake Windows Update screen, and provides mitigations such as user education and AnyDesk access controls. #MadLiberator #AnyDesk

Keypoints

  • Mad Liberator is a new ransomware group focused on data exfiltration.
  • The group abuses legitimate software, specifically AnyDesk, to gain unauthorized access to victim systems.
  • Social engineering tactics are employed to trick victims into accepting remote connection requests.
  • Once connected, attackers can exfiltrate sensitive data and create ransom notes.
  • Victims are often unaware of the attack due to the deceptive nature of the fake Windows Update screen used by attackers.
  • Recommendations for mitigation include user education and implementing Access Control Lists in AnyDesk.
  • Investigators can find useful data in specific log files related to AnyDesk connections.

MITRE Techniques

  • [T1566] Phishing – Deceptive tactics to trick users into accepting remote access requests. ‘Mad Liberator may use deceptive tactics to trick users into accepting remote access requests.’
  • [T1219] Remote Access Software – Utilizes AnyDesk to gain remote access to victim systems. ‘Utilizes AnyDesk to gain remote access to victim systems.’
  • [T1041] Data Exfiltration – Exfiltrates sensitive data from compromised systems. ‘Exfiltrates sensitive data from compromised systems.’
  • [T1486] Ransomware – Generates ransom notes to extort victims after data theft. ‘Generates ransom notes to extort victims after data theft.’
  • [T1036] Masquerading – A binary titled ‘Microsoft Windows Update’ displays a Windows Update-like screen to hide activity. ‘This binary was a very simple program that displayed a splash screen mimicking a Windows Update screen.’

Indicators of Compromise

  • [Hash] Fake Windows Update binary hash – f4b9207ab2ea98774819892f11b412cb63f4e7fb4008ca9f9a59abc2440056fe
  • [File name] Fake Windows Update binary – Microsoft Windows Update
  • [File path] Investigation artifacts – C:\ProgramData\AnyDesk\connection_trace.txt, C:\ProgramData\AnyDesk\ad_svc.trace, and C:\Users\%\AppData\Roaming\AnyDesk\ad.trace (where % stands for the user profile directory)
  • [File name] AnyDesk trace and log files – connection_trace.txt, ad_svc.trace, ad.trace
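The following triage script is an added example (not code from the Sophos report) showing how an investigator could work the two artifact types listed above: it parses AnyDesk connection_trace.txt lines to surface incoming sessions that a user accepted, and it hashes files to match the fake Windows Update binary hash from the indicators. The sample trace lines are constructed, and the assumed column layout (direction, timestamp, authentication method, remote AnyDesk ID, alias) is an assumption about the connection_trace.txt format rather than something the report documents; adjust the parser if your copies of the file differ.

```python
"""Added example: triage AnyDesk connection_trace.txt entries and match files
against the Mad Liberator fake "Microsoft Windows Update" binary hash."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime
from pathlib import Path

# SHA-256 of the fake Windows Update binary, taken from the indicators above.
FAKE_UPDATE_SHA256 = "f4b9207ab2ea98774819892f11b412cb63f4e7fb4008ca9f9a59abc2440056fe"

# Constructed sample lines. The tab-separated layout
# (direction, timestamp, auth method, remote AnyDesk ID, alias)
# is an ASSUMPTION about the connection_trace.txt format.
SAMPLE_TRACE = """\
Incoming\t2024-07-29, 09:14\tUser\t123456789\t123456789
Incoming\t2024-07-29, 09:20\tREJECTED\t987654321\t987654321
Outgoing\t2024-07-30, 11:02\tToken\t555555555\t555555555
Incoming\t2024-08-05, 14:37\tUser\t123456789\t123456789
"""


@dataclass
class TraceEntry:
    direction: str   # "Incoming" or "Outgoing"
    when: datetime
    auth: str        # how the session was authorised, or "REJECTED"
    remote_id: str   # AnyDesk ID of the other side
    alias: str


def parse_connection_trace(text: str) -> list[TraceEntry]:
    """Parse trace lines; malformed or blank lines are skipped, not fatal."""
    entries: list[TraceEntry] = []
    for line in text.splitlines():
        parts = line.rstrip("\n").split("\t")
        if len(parts) < 5:
            continue
        direction, stamp, auth, remote_id, alias = (p.strip() for p in parts[:5])
        when = datetime.strptime(stamp, "%Y-%m-%d, %H:%M")
        entries.append(TraceEntry(direction, when, auth, remote_id, alias))
    return entries


def accepted_incoming(entries: list[TraceEntry]) -> list[TraceEntry]:
    """Incoming sessions a user actually accepted: the social-engineering path
    the report describes. Rejected requests are excluded."""
    return [e for e in entries if e.direction == "Incoming" and e.auth != "REJECTED"]


def unknown_remote_ids(entries: list[TraceEntry], allowlist: set[str]) -> list[str]:
    """Remote IDs that accepted incoming sessions came from but are not on the
    organisation's allowlist (the same list an AnyDesk ACL would enforce)."""
    return sorted({e.remote_id for e in accepted_incoming(entries)
                   if e.remote_id not in allowlist})


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_ioc_bytes(data: bytes) -> bool:
    return sha256_hex(data) == FAKE_UPDATE_SHA256


def scan_directory(root: Path) -> list[Path]:
    """Return every file under root whose SHA-256 equals the reported IoC."""
    return [p for p in root.rglob("*")
            if p.is_file() and sha256_of_file(p) == FAKE_UPDATE_SHA256]


if __name__ == "__main__":
    entries = parse_connection_trace(SAMPLE_TRACE)
    for e in accepted_incoming(entries):
        print(f"{e.when:%Y-%m-%d %H:%M} accepted incoming session "
              f"from AnyDesk ID {e.remote_id} (auth: {e.auth})")
    # Hypothetical allowlist: only the helpdesk ID 555555555 is expected.
    print("IDs not on allowlist:", unknown_remote_ids(entries, {"555555555"}))
```

Run it against a real connection_trace.txt by reading the file into `parse_connection_trace`, and point `scan_directory` at user-writable locations (Downloads, Desktop, %TEMP%) where a dropped binary would sit; a hash match is definitive for this sample, but a recompiled variant will not match, so treat accepted sessions from unknown IDs as the primary signal and the hash as confirmation.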

Read more: https://news.sophos.com/en-us/2024/08/13/dont-get-mad-get-wise/