Threat analysts are tracking a campaign that distributes a counterfeit AnyDesk remote access tool via fake websites and social engineering to steal data and funds from Windows and macOS users. The operation targets UK banks and other brands, with malicious domains hosted from Russian IPs, analyzed through Silent Push Web Scanner. #AnyDesk #SilentPush
Keypoints
- Campaign uses fake websites and social engineering to deliver a malicious AnyDesk variant to Windows and macOS.
- Targets include major UK banks (HSBC, NatWest, Lloyds, Santander, Virgin Money) and brands such as Avast, Ledger, and Wise.
- Malicious AnyDesk version provides remote access, enabling data theft and financial fraud.
- Threat actors employ phishing to trick users into downloading the malware.
- Malicious domains are hosted on Russian endpoints (IP addresses 91.215.85.79 and 193.143.1.14).
- Silent Push Web Scanner is used to map phishing infrastructure and create a behavioral fingerprint for the campaign.
- The operation is associated with Russian ASNs AS198953 and AS200593 and appears ongoing with new domains registered weekly.
MITRE Techniques
- [T1566] Phishing – The threat actors use spoofed websites and phishing tactics to trick users into downloading malicious software.
- [T1219] Remote Access Software – A malicious version of AnyDesk is used to gain remote control of victims’ machines.
- [T1040] Data Theft – Once the malware is installed, attackers can steal sensitive data from the victim’s machine.
- [T1003] Credential Dumping – Attackers may access victims’ bank accounts and other sensitive information.
Indicators of Compromise
- [IP] – Infrastructure hosting the malicious domains – 91.215.85.79, 193.143.1.14
- [Domain] – Impersonation domains used in phishing – anz-help[.]com, anz-livechatsupport[.]com
- [Domain] – Additional brand-focused domains – ledger-webapp[.]com, natwestonlinesupport[.]com
- [File name] – Executables associated with the campaign – AnyDesk.exe, WinDesk.Client.exe
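The indicators above are published in defanged form, and the file names overlap with the legitimate AnyDesk binary, so a practitioner needs both a refang step and a confidence split before using them in detection. The following Python script is an added example, not code from Silent Push or from the original post: it refangs the listed domains, matches them (and subdomains of them), the two IPs, and the two file names against constructed proxy and process-creation log lines, and rates file-name-only matches as low confidence because AnyDesk.exe is also the genuine product's file name. The log formats, hostnames, timestamps and benign entries are assumptions made up for the example.

```python
"""Match the IoCs from this summary against constructed proxy and process logs."""
import re
from dataclasses import dataclass

# Indicators copied from the summary above, in the defanged form the page uses.
DEFANGED_DOMAINS = ["anz-help[.]com", "anz-livechatsupport[.]com",
                    "ledger-webapp[.]com", "natwestonlinesupport[.]com"]
IPS = {"91.215.85.79", "193.143.1.14"}
FILE_NAMES = {"anydesk.exe", "windesk.client.exe"}


def refang(indicator: str) -> str:
    """Convert 'host[.]tld' / 'hxxp' defanging back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]


def match_domain(host: str):
    """Return the IoC domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


# Constructed log formats (assumptions for this example, not the page's data):
#   proxy:   "<ts> src=<ip> dst=<host> dstip=<ip> url=<url>"
#   process: "<ts> host=<name> event=process_create image=<path>"
PROXY_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dstip=(?P<dstip>\S+) url=(?P<url>\S+)")
PROC_RE = re.compile(r"host=(?P<host>\S+) event=process_create image=(?P<image>\S+)")


@dataclass
class Hit:
    line_no: int
    kind: str         # "domain", "ip" or "filename"
    indicator: str
    confidence: str   # "high" for infrastructure hits, "low" for file names alone


def scan(lines):
    """Return one Hit per indicator observed in the given log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = PROXY_RE.search(line)
        if m:
            d = match_domain(m["dst"])
            if d:
                hits.append(Hit(n, "domain", d, "high"))
            if m["dstip"] in IPS:
                hits.append(Hit(n, "ip", m["dstip"], "high"))
            continue
        m = PROC_RE.search(line)
        if m:
            name = m["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in FILE_NAMES:
                # AnyDesk.exe is also the legitimate product's file name, so a
                # name match alone is low confidence; correlate it with the
                # infrastructure hits (same host, same time window) before acting.
                hits.append(Hit(n, "filename", name, "low"))
    return hits


def summarize(hits):
    """Count hits per confidence level."""
    counts = {"high": 0, "low": 0}
    for h in hits:
        counts[h.confidence] += 1
    return counts


# Constructed sample log: two proxy hits, one benign request, two process events.
SAMPLE_LOG = [
    "2024-05-01T09:12:03Z src=10.0.0.5 dst=www.anz-help.com dstip=91.215.85.79 url=https://www.anz-help.com/download/AnyDesk.exe",
    "2024-05-01T09:13:10Z src=10.0.0.5 dst=example.org dstip=93.184.216.34 url=https://example.org/",
    "2024-05-01T09:14:20Z src=10.0.0.7 dst=login.natwestonlinesupport.com dstip=193.143.1.14 url=https://login.natwestonlinesupport.com/",
    r"2024-05-01T09:14:44Z host=WS-0042 event=process_create image=C:\Users\alice\Downloads\WinDesk.Client.exe",
    r"2024-05-01T09:15:00Z host=WS-0042 event=process_create image=C:\Tools\AnyDesk\AnyDesk.exe",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h)
    print(summarize(scan(SAMPLE_LOG)))
```

Subdomain matching matters because the campaign registers new hosts weekly; matching on the suffix catches `login.` or `www.` variants of a listed domain without catching unrelated names such as `notanz-help.com`.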
Read more: https://www.silentpush.com/blog/anydesk/