A new data extortion group, identified as Mad Liberator, has emerged as a significant threat to AnyDesk users, employing a deceptive tactic that involves a counterfeit Microsoft Windows update screen to facilitate data exfiltration from compromised devices. This operation, which surfaced in July, has drawn the attention of cybersecurity experts, particularly due to its unique approach to distraction during the data theft process.
Targeting AnyDesk Users
According to a report by cybersecurity firm Sophos, a Mad Liberator attack begins with an unsolicited connection request to a computer running the AnyDesk remote access application, a tool widely used by IT teams to manage corporate environments. How targets are chosen is not known; one hypothesis is that the group cycles through AnyDesk connection IDs until someone accepts a request.
Once the victim accepts the request and the session is established, the attackers transfer and run a binary disguised as a Microsoft Windows Update, which displays a fake Windows Update splash screen. The screen has a single purpose: to hold the victim's attention while the attackers use AnyDesk's built-in File Transfer tool to copy data from OneDrive accounts, network shares and local storage.
While the fake update is on screen the victim's keyboard is disabled, so the user cannot interrupt the exfiltration. Sophos observed attacks lasting around four hours. Mad Liberator did not encrypt any data after exfiltration, but it did drop ransom notes in shared network directories, where they would be seen widely within the organization.
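The chain above leaves a recognisable trace on the victim host: an incoming AnyDesk session that the user accepted, file transfers from OneDrive or UNC paths inside that session, and a session that runs for hours. The following is an added example (not from Sophos or the original article) of correlating those events from AnyDesk's `ad_svc.trace` log. The sample lines are constructed for the example and only approximate the real trace layout; the module names (`app.ctrl_session`, `app.session`, `app.prepare_task`) and message wording are assumptions, so the regexes must be adjusted to the traces you actually collect. It also reports incoming requests that were never accepted, which is what repeated ID-guessing would look like from the target's side.

```python
"""Correlate AnyDesk trace events into sessions and flag the
accepted-session + file-transfer + long-duration pattern."""
import re
from datetime import datetime, timedelta

# Constructed sample in the general shape of AnyDesk's ad_svc.trace
# ("<level> <date> <time> ... <module> - <message>"). Module names and
# message wording are assumptions for this example, not AnyDesk's
# documented format.
SAMPLE_TRACE = r"""
info 2024-07-09 23:58:02.410  app  4120  4200  12  app.ctrl_session - Incoming session request from 'user' (777000999)
info 2024-07-10 09:02:11.120  app  4120  4200  12  anynet.any_socket - Logged in from 203.0.113.45:50612 on relay 3c1f2a9e.
info 2024-07-10 09:02:15.004  app  4120  4200  12  app.ctrl_session - Incoming session request from 'support' (123456789)
info 2024-07-10 09:02:40.311  app  4120  4200  12  app.session - Session 998877 accepted by user.
info 2024-07-10 09:05:02.001  app  4120  4200  14  app.prepare_task - Preparing files in 'C:\Users\jdoe\OneDrive\Finance' for transfer.
info 2024-07-10 10:41:19.550  app  4120  4200  14  app.prepare_task - Preparing files in '\\fileserver\shared\HR' for transfer.
info 2024-07-10 12:58:30.777  app  4120  4200  14  app.prepare_task - Preparing files in 'D:\Projects' for transfer.
info 2024-07-10 13:07:03.210  app  4120  4200  12  app.session - Session 998877 closed by remote.
info 2024-07-11 08:00:00.000  app  4120  4200  12  app.ctrl_session - Incoming session request from 'helpdesk' (555000111)
info 2024-07-11 08:00:12.000  app  4120  4200  12  app.session - Session 1001 accepted by user.
info 2024-07-11 08:20:00.000  app  4120  4200  12  app.session - Session 1001 closed by remote.
"""

LINE = re.compile(
    r"^\w+\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+.*?"
    r"(?P<module>[\w.]+) - (?P<msg>.*)$"
)
INCOMING_REQ = re.compile(r"Incoming session request from '([^']*)' \((\d+)\)")
SESSION_ACCEPT = re.compile(r"Session (\d+) accepted")
SESSION_CLOSE = re.compile(r"Session (\d+) closed")
PREPARE = re.compile(r"Preparing files in '(.+)' for transfer")


def parse_trace(text):
    """Return (timestamp, module, message) tuples for lines that match the layout."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # blank or unrecognised line
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("module"), m.group("msg")))
    return events


def build_sessions(events):
    """Group events into accepted sessions; assumes one active session at a time.
    Returns (sessions, unanswered_requests)."""
    sessions, unanswered = [], []
    pending = None   # last incoming request not yet accepted
    current = None   # session currently open on the host
    for ts, _module, msg in events:
        if m := INCOMING_REQ.search(msg):
            if pending:  # previous request was never accepted: likely a guess
                unanswered.append(pending)
            pending = {"alias": m.group(1), "remote_id": m.group(2), "requested_at": ts}
        elif m := SESSION_ACCEPT.search(msg):
            current = {"session_id": m.group(1), "start": ts, "end": None,
                       "transfers": [], **(pending or {})}
            sessions.append(current)
            pending = None
        elif (m := PREPARE.search(msg)) and current:
            current["transfers"].append((ts, m.group(1)))
        elif (m := SESSION_CLOSE.search(msg)) and current and current["session_id"] == m.group(1):
            current["end"] = ts
            current = None
    if pending:
        unanswered.append(pending)
    return sessions, unanswered


def is_sensitive(path):
    """UNC (network share) paths and anything under OneDrive match the reported targets."""
    p = path.lower()
    return p.startswith("\\\\") or "onedrive" in p


def flag_sessions(sessions, min_duration=timedelta(hours=2), now=None):
    """Flag sessions that transferred files; raise severity for long sessions
    or transfers from shares/OneDrive. Open sessions are measured up to `now`."""
    findings = []
    for s in sessions:
        if not s["transfers"]:
            continue
        end = s["end"] or now or s["start"]
        duration = end - s["start"]
        sensitive = [p for _, p in s["transfers"] if is_sensitive(p)]
        findings.append({
            "session_id": s["session_id"],
            "remote_id": s.get("remote_id", "unknown"),
            "alias": s.get("alias", "unknown"),
            "duration_hours": round(duration.total_seconds() / 3600, 2),
            "transfer_count": len(s["transfers"]),
            "sensitive_paths": sensitive,
            "severity": "high" if duration >= min_duration or sensitive else "medium",
        })
    return findings


if __name__ == "__main__":
    sess, unanswered = build_sessions(parse_trace(SAMPLE_TRACE))
    for f in flag_sessions(sess):
        print(f)
    for r in unanswered:
        print("unanswered request from AnyDesk ID", r["remote_id"], "at", r["requested_at"])
```

The threshold of two hours and the "one session at a time" assumption are deliberate simplifications; a production version should key transfers on the session ID once you have confirmed how your AnyDesk build logs it, and should pair the `ad_svc.trace` events with the relay address from the "Logged in from" line so the remote IP can be blocked and hunted across other hosts.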
Notably, Sophos reports no evidence of any interaction between Mad Liberator and its targets before the AnyDesk connection request, and no phishing preceding the attacks. The extortion model is unusual: on its darknet site the group claims that it first contacts compromised companies and offers to help fix their security weaknesses and recover encrypted files in exchange for payment, a claim at odds with the observed attacks, which encrypted nothing.
If the organization does not respond within 24 hours, its name is published on the extortion portal, opening a seven-day window to negotiate. If five more days pass without payment, all of the stolen files are released on the Mad Liberator site, which at the time of the report listed nine victims.