A sophisticated phishing operation is leveraging trusted remote access software, AnyDesk, to establish a long-term espionage foothold. This campaign cleverly disguises itself behind fake invoices, evading email filters and utilizing common IT tools over bespoke malware to remain undetected.
Targeting Aerospace Organizations
The phishing attacks are strategically aimed at Russian aerospace and aviation entities, employing invoice-themed lures to gain entry. Instead of deploying traditional malware, attackers configure AnyDesk for remote access and then meticulously erase their digital footprints. This stealthy approach facilitates prolonged and undetected control over compromised systems.
Intrusion Details and Methodology
Research conducted by Seqrite has mapped out the attack process, beginning with an email attachment that leads to a complete remote access setup. The sequence involves a password-protected archive that, once opened, launches a series of scripts. These scripts download additional components, including a portable version of AnyDesk, and configure it for remote access without user prompts.
To maintain control, the attackers use a combination of scheduled tasks and file deletions, ensuring AnyDesk remains operational while eliminating traces of the intrusion. This technique complicates forensic investigations, as most evidence is wiped clean.
Research Findings and Threat Actor Links
Seqrite’s report, shared with Cyber Security News, highlights the impersonation of a legitimate Russian research institute in the phishing emails, using domains that mimic official addresses. This suggests a coordinated intelligence-gathering effort, potentially linked to the threat group known as Rare Werewolf, which targets industrial sectors across Russia and neighboring countries.
Although cryptocurrency mining was not observed in this instance, the researchers note that similar campaigns by the same actor have included mining operations post-intrusion, indicating possible financial motives.
Preventive Measures and Detection Challenges
Organizations in aerospace and related fields are advised to exercise caution with unexpected invoice emails, particularly from newly registered domains. Monitoring for unauthorized scheduled tasks and unusual remote access configurations can help detect such activities early. Limiting outbound mail traffic to approved servers can also hinder data exfiltration attempts.
Due to the use of legitimate tools, traditional signature-based detection methods may be insufficient. Instead, behavioral monitoring focused on identifying suspicious task creation and data exfiltration offers a more effective defense against this type of attack.
For comprehensive threat prevention, integrating a live threat feed from multiple Security Operations Centers can enhance proactive defense and mitigate potential financial losses.
