A recent phishing campaign has cleverly repurposed AnyDesk, a trusted remote access tool, into a covert backdoor for espionage activities. This operation, which has mainly targeted Russian aerospace and aviation sectors, uses seemingly legitimate invoices to bypass email filters. Once inside the system, the attackers utilize common IT software instead of custom malware, making their presence much harder to detect.
The campaign begins with an email that impersonates a Russian federal research institute, sent from a newly registered domain to add authenticity. The email carries a password-protected archive disguised as an invoice, with the password included in the email's body to avoid scanner detection. Inside, an installer appears to display a genuine invoice but actually drops files into hidden folders. These files, including a portable version of AnyDesk, are part of a sequence that establishes remote access while erasing digital traces to evade detection.
According to researchers at Seqrite, the attack employs scheduled tasks to ensure that AnyDesk and its affiliated tools restart with every login, maintaining persistence without raising alarms. The attackers use Tray Minimizer to conceal AnyDesk from the user, while the configuration files and connection settings are exfiltrated to an attacker-controlled address. This sophisticated tactic, combined with the removal of setup artifacts, obscures forensic analysis.
While the primary aim appears to be espionage, researchers have linked this method to a threat actor known as Rare Werewolf, who may also utilize these techniques for financial gain through cryptocurrency mining. Organizations in the aerospace sector and similar industries are advised to scrutinize unexpected emails, especially those from unfamiliar domains. Monitoring for unsanctioned scheduled tasks and unexpected remote access installations are critical steps in early detection. Given the use of legitimate tools, behavioral monitoring focused on suspicious task creation and data exfiltration is essential for identifying such intrusions.


