Hackers use AnyDesk in safe mode to launch attacks: Report

Hackers use AnyDesk in safe mode to launch attacks: Report

For representation only.

New Delhi, December 27

Sophos, a global leader in cybersecurity, on Monday revealed that hackers attempted to bypass security controls by using a combination of Windows Safe Mode and the AnyDesk remote administration tool.

Windows Safe Mode is an IT support method for resolving IT issues that disables most security and IT administration tools, while AnyDesk provides continuous remote access.

"Sophos discovered that the AvosLocker attackers installed AnyDesk so it works in Safe Mode, tried to disable the components of security solutions that run in Safe Mode, and then ran the ransomware in Safe Mode. This creates a scenario where the attackers have full remote control over every machine they've set up with AnyDesk, while the target organization is likely locked out of remote access to those computers. Sophos has never seen some of these components used with ransomware, and certainly not together," Peter Mackenzie, director of incident response at Sophos, said in a statement.

AvosLocker is a relatively new ransomware-as-a service that first appeared in late June 2021 and is growing in popularity, according to Sophos. The Sophos Rapid Response team has so far seen AvosLocker attacks in the Americas, Middle East and Asia-Pacific, targeting Windows and Linux systems.

Sophos researchers investigating the ransomware deployment found that the main sequence starts with attackers using PDQ Deploy to run and execute a batch script called "love.bat," "update.bat," or "lock.bat" on targeted machines. The script issues and implements a series of consecutive commands that prepare the machines for the release of the ransomware and then reboots into Safe Mode.

The command sequence takes approximately five seconds to execute and includes disabling Windows update services and Windows Defender and then attempting to disable the components of commercial security software solutions that can run in Safe Mode.

Installing the legitimate remote administration tool AnyDesk and setting it to run in Safe Mode while connected to the network, ensuring continued command and control by the attacker and finally setting up a new account with auto login details and then connecting to the target's domain controller to remotely access and run the ransomware executable, called update.exe "The techniques used by AvosLocker are simple, but very clever. They ensure that the ransomware has the best chance of running in Safe Mode and allow the attackers to retain remote access to the machines throughout the attack," Mackenzie added.

—     IANS

Tribune Shorts


Top Stories

SC upholds 27 pc OBC reservation in NEET all-India quota

Reservation not at odds with merit, says SC as it upholds 27 pc OBC quota in NEET

Top court says challenge to the validity of criteria for det...

Daughters to inherit fathers’ self acquired, inherited properties, to get preference over others: SC

Daughters to inherit fathers’ self acquired, inherited properties, to get preference over others: SC

Top court bench was dealing with the legal issue concerning ...

Covid deaths in third wave majorly lower than second due to high vaccine uptake

Covid deaths in third wave majorly lower than second due to high vaccine uptake

Bed occupancy in Delhi stable despite rise in new and active...

Masks not recommended for children aged 5 and under: New Covid guide on children

Masks not recommended for children aged 5 and under: New Covid guide on children

Issuing antimicrobial use guide, health ministry says Covid-...

Congress seeks Election Commission intervention over ED raids against Punjab CM Channi’s relative

Congress seeks Election Commission intervention over ED raids against Punjab CM Channi’s relative

Timing of raids is questionable as they have come crucially ...

Cities

View All