Skip to navigation Skip to main content Skip to footer

The Dark Side: How Threat Actors Leverage AnyDesk for Malicious Activities

16 September 2024

By Lauren Eynon

Introduction

AnyDesk is a popular remote desktop application that allows users to connect to computers and devices remotely. It offers features such as file transfer, unattended access, session recording, and robust security protocols. AnyDesk is favored for its high performance, low latency, and user-friendly interface, making it a preferred choice for IT professionals and businesses.

However, in the rapidly evolving landscape of cybersecurity, the tools designed to enhance productivity and streamline remote operations are increasingly being exploited by threat actors. AnyDesk is no different and has come under scrutiny for its dual-use potential.

Originally designed to facilitate legitimate remote access for IT support, collaboration, and telecommuting, threat actors have been known to utilise AnyDesk's capabilities to control computers, therefore gaining unauthorised access to victims' systems. By leveraging AnyDesk, malicious actors can exploit users through social engineering tactics, use it as a persistence mechanism, deploy various types of malware and exfiltrate sensitive data.

This highlights the complexities and challenges involved in securing digital environments, where software designed to enhance efficiency and connectivity can be exploited for malicious purposes. This blog explores how threat actors are utilising AnyDesk for malicious purposes, as well as the forensic artefacts that are generated in the AnyDesk logs.

MITRE

Initial access

Threat actors often rely on social engineering techniques to deceive users into granting remote access. By impersonating IT support personnel or other trusted entities, they can convince users to share their AnyDesk credentials or approve remote access requests. The ransomware group Black Basta have been observed using similar tactics by spamming targeted users with legitimate newsletter sign-up emails, causing disruption, then contacting the user by phone persuading them to download a remote access tool such as AnyDesk to resolve the issue.

Phishing also remains a prevalent method for threat actors to gain initial access. They can trick users into downloading malicious versions of AnyDesk or provide fraudulent credentials via deceptive emails or websites. Once installed, attackers gain remote access to the victim's machine.

Like any software, AnyDesk can have vulnerabilities that threat actors may exploit. Regular updates and patches are crucial to mitigate these risks. However, unpatched systems can be targeted to gain unauthorised access.

One of AnyDesk’s features is unattended access, which allows the user to set up a remote control session using a password, without the need to accept the incoming connection. If a user has set up unattended access on their machine, threat actors could potentially gain access through brute forcing user credentials or using passwords obtained elsewhere.

Execution

Once access is achieved, malware and ransomware can be deployed on the host which has been more commonly seen with ransomware families such as Sodinokibi/REvil, Netwalker, and Black Basta. The threat actor can also execute scripts to establish persistence, lateral movement, gather credentials and a connection to a C2 server.

Persistence

Unauthorised access can be achieved by threat actors through various methods, after which an installation as a service can be utilised as a persistence mechanism to create a backdoor to the network. This technique has been used by threat actor groups such as Medusa, Karakurt and Lockbit.

The below code allows the threat actor to install AnyDesk silently and set a password to gain remote access. This also creates a new user with administrator privileges and hides the new account from the Windows login screen.

	

cmd.exe /c C:\ProgramData\AnyDesk.exe --install C:\Program\AnyDesk --start-with-win --silent

cmd.exe /c echo J9kzQ2Y0qO | C:\ProgramData\anydesk.exe --set-password

net user oldadministrator "jsbehsid#Zyw4E3" /add
net localgroup Administrators oldadministrator /ADD
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v oldadministrator /t REG_DWORD /d 0 /f
 
cmd.exe /c C:\ProgramData\AnyDesk.exe --get-id 
	
    

Defense Evasion

Some threat actors may try to avoid raising suspicion by renaming the AnyDesk executable to something that appears less suspicious.

Deleting AnyDesk logs can also be conducted to ensure malicious connections and activities are not identified in the logs.

Credential Access

Credentials can be accessed if the threat actor has control of the user’s host in locations such as the web browser or a password manager. Scripts can also be run to collect user credentials on the host.

Discovery

Once the threat actor has remote access to the host, discovery techniques can be used to identify further information about the host and environment. These can include, but are not limited to gathering lists of valid accounts, data saved in browsers, device information, group policy and network information.

Lateral movement

AnyDesk has previously been distributed through SMB shares using Cobalt Strike to move further along on a victim network.

Command and Control

AnyDesk can be used to establish an interactive command and control channel to target systems within networks. This tactic has been observed by the ransomware group RagnarLocker which installed AnyDesk and set a password for unattended access, using a similar script as mentioned above.

Exfiltration

AnyDesk has the ability to transfer and download files which can be used for data exfiltration. Using legitimate administrative tools can allow a threat actor to remain under the radar and bypass security controls, while transferring sensitive data.

Forensic Artefacts

Once executed on the host, AnyDesk creates several files and folders that can provide important information during an investigation. This includes details about connections made, files copied or downloaded, screenshots taken using the AnyDesk feature, the operating system used, and whether user input was disabled, or privacy mode was requested. This information is crucial for investigators to determine whether any files were potentially exfiltrated via AnyDesk and to assess the duration of the threat actor's access.

The portable and installed version of AnyDesk are usually located in different directories:
Installed - C:\Program Files (x86)\AnyDesk\
Portable - C:\Users\Username\AppData\Roaming\AnyDesk

When a session is started, there are pre-made profiles which can be selected such as:

  • Default – Enable privacy mode, restart device and create TCP tunnels are disabled.
  • Screen Sharing – No permissions, just screen sharing.
  • Full Access/Unattended Access – All permissions enabled such as restart device, file manager, enable privacy mode.

Permissions can also be changed depending on the requirements of the session. The artefacts in the blog will focus on the portable version, using the default profile.

The following folders and files are created when AnyDesk is executed, within the AnyDesk folder location:

  • Cache
  • Global_cache
  • Thumbnails - Background image of the remote system stored locally
  • Chat - Conversation history between users
  • Connection_trace - Incoming and outgoing connections to AnyDesk
  • Service.conf - Certificate, private key
  • Ad.trace - This important log contains information regarding connection details, system, and application notifications. Details of file transfers, downloads, any user requests for privacy, disabling user input etc.
  • System.conf - Configuration file
  • User.conf
  • Gcapi.dll - This file is downloaded alongside once the application is open. This is part of the Google Chrome web browser used to interact with the Google Cloud API.

A Videos folder is created at C:\Users\Username\Videos\AnyDesk on both the local and remote host. If a screen capture is taken this will be saved here on the host that initiated the session, if the license used allows this feature.

A Pictures folder is created at C:\Users\Username\Pictures\AnyDesk.This is where screenshots will be saved by default if the screenshot action is used within AnyDesk. Screenshots taken will only be available to the user taking the screenshot via AnyDesk.

 

Connection_trace File

When a connection request is received, AnyDesk creates the file ‘connection_trace.txt’ that includes information about the session. This includes the date and time of the connection, how the connection was accepted or rejected as well as who sent the connection request.

AnyDesk Connection Trace Pic

 

The Ad.trace file is capable of identifying critical artefacts, including session initiation and termination timestamps, connection IP addresses, granted permissions (e.g. privacy mode, block user input), and details regarding file copy/transfer activities. While the majority of these artefacts are uniformly recorded on both the local and remote hosts, there are certain discrepancies. For instance, events like screenshots may be logged only on one host (of the user who performed the screenshot). Artefacts that can be identified during an investigation are:

Local/Victim Host:

Connections made:

  • anynet.any_socket - Logged in from [IP Address] on relay [XXX]
  • anynet.connection_mgr - Making a new connection to client [XXX]

This event can provide information about the connection between the victim and the threat actor.

AnyDesk profile selected:

  • winapp.gui.permissions_panel - Selecting Profile: _unattended_access, hasPw: N
  • winapp.gui.permissions_panel - Selecting Profile: _full_access, hasPw: N
  • winapp.gui.permissions_panel - Selecting Profile: _default, hasPw: N

This event will provide the investigator with the details of the level of permissions that the session had.

Starting video capture:

  • desk_rt.capture_component - Starting capture (video)

A video recording will be made if permitted by the AnyDesk license. Although no video was recorded during testing, the event logs indicated that a recording had occurred.
Sending a thumbnail:

  • app.backend_session - Sending a new thumbnail.

A small image of each machine connected to during an AnyDesk session. This image typically displays the wallpaper of the connected machine.

Version of AnyDesk used:

  • main - * Version 8.0.10 (release/win_8.0.10 8941b379f03505960bfba86d51b033e4f12eac4a)

The AnyDesk version may be helpful during an investigation as there have been vulnerabilities in earlier versions.

AnyDesk install status:

  • main - Install status: not installed (<4)

Operating system of the remote user:

  • main - Process started at 2024-06-11. PID XXX. OS is Windows 10 (64 bit)

Copied and pasted file:

  • clipbrd.capture - Found 1 files
  • clipbrd.capture - Relaying file offers.
  • app.ft_src_session - New session (4d9603677ecb87a3).
  • app.ctrl_clip_comp - Got a request to list files in offer 4d9603677ecb87a3.
  • app.ft_src_session - Starting to iterate files from offer 4d9603677ecb87a3.

These events show that a file has been copied and pasted from the local host, using the clipboard.
File manager download:

  • Preparing files in 'C:\Users\Username\Desktop'.
  • app.local_file_transfer - Preparation of 1 files completed (io_ok).

Files have been downloaded from the local host using the file manager feature. The logs do not show which folders were browsed to in the file manager; however, the log will show a directory could not be listed. This can indicate the remote user/threat actor has been browsing files.

  • app.readdir - Could not list directory C:\Users\Username\Documents\My Videos\*

User input disabled/enabled:

  • os_win.input_injector - Disabling user input.
  • os_win.input_injector - New input state: blocked

This prevents the user from being able to control their machine. A threat actor can request to disable user input and have full control over the host.

 

Remote/Threat Actor Host

Screen capture:

  • app.frontend_session - Enabling screen capturing

Screenshot taken:

  • desk_rt.display_component - Saving screenshot.
  • desk_rt.display_component - Saved screenshot to C:\Users\Username\Pictures\AnyDesk\anydesk00000.png

Screenshots taken using the AnyDesk feature will appear in the logs of the user who took the screenshot. Unfortunately, these details will not appear in the victim's logs, so there will be no indication of whether the threat actor performed this action.

Copied and pasted file:

  • app.ctrl_clip_comp - Got a file offer (333275618805696f).
  • app.ctrl_clip_comp - File offer accepted.
  • app.ctrl_clip_comp - Got a file list for offer 333275618805696f.
  • ole.files - Starting file paste operation.
  • ole.files - Waiting
  • app.ctrl_clip_comp - Got a file list for offer 333275618805696f.
  • ole.files - Finished file paste operation (0x00000000).

These events show that a file has been copied and pasted from the local host, using the clipboard. These events look slightly different to the logs on the victim host.

File manager in AnyDesk

  • app.session - Session features: file browser, chat.
  • app.service - Creating remote control session.

Initiating the file manager in AnyDesk for the victim/local user machine.

Files downloaded in file manager mode:

  • app.local_file_transfer - Download started (0).
  • app.local_file_transfer - Download finished.

Blocking/allowing remote input:

  • app.frontend_session - Received new permissions to block input: (enabled allowed supported)
  • app.frontend_session - Received new permissions to block input: (disabled allowed supported)

If a request has been made by the threat actor to disable/enable remote input, these events will appear in the logs.

Summary

Threat actors misusing AnyDesk software pose significant risks to an organisation's network, potentially leading to data breaches, unauthorised access, and other security incidents. However, these risks can be effectively mitigated through a combination of proactive measures and robust policies. Implementing detections to alert when AnyDesk is used can facilitate early incident discovery and response. Blocking AnyDesk and other remote access software unless explicitly approved ensures that only legitimate, approved tools are in use. Additionally, regularly reviewing software usage and enforcing strict policies around the use of approved software can help maintain a secure environment. By taking these steps, organisations can significantly reduce the threat landscape associated with remote access tools like AnyDesk.

In the event of an incident involving AnyDesk, several forensic artifacts can aid in the investigation. A thorough review of these artifacts, particularly the ad.trace log file, is essential, as it contains valuable information. The identification of network data such as IP addresses, can be shared with local law enforcements to assist with takedowns. It is important to note that data recording may vary or be absent on specific hosts. Crucially, any file transfers will be documented on both the local and remote hosts.

If your organisation has suffered an incident and requires a forensic investigation, NCC Group can provide support through our DFIR team. Further details can be found on our website https://www.nccgroup.com/uk/cyber-incident-response/.