#100DaysofYARA 2024 – Day 63 – AnyDesk

AnyDesk is another legitimate Remote Management and Monitoring tool that is also abused as a secondary C2 by threat actors, including in at least two publicly reported intrusions linked to the BumbleBee loader malware, which I covered at the end of January.

AnyDesk also suffered a pretty serious breach a few weeks ago resulting in the revocation of their code-signing certificate, so maybe treat AnyDesk binaries with a bit more suspicion now.

rule PUP_RMM_AnyDesk_exe {
	meta:
		description = "Matches AnyDesk remote management tool, often abused for unauthorised access."
		last_modified = "2024-03-03"
		author = "@petermstewart"
		DaysofYara = "63/100"
		sha256 = "5beab9f13976d174825f9caeedd64a611e988c69f76e63465ed10c014de4392a"
		sha256 = "7a719cd40db3cf7ed1e4b0d72711d5eca5014c507bba029b372ade8ca3682d70"

	strings:
		$pdb = "C:\\Buildbot\\ad-windows-32\\build\\release\\app-32\\win_loader\\AnyDesk.pdb"
		$a1 = "my.anydesk.com"
		$a2 = "AnyDesk Software GmbH" wide

	condition:
		uint16(0)==0x5a4d and
		all of them
}
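To make explicit which bytes the rule above actually needs, here is an added pure-Python re-implementation of its condition (not the post's own code and not a substitute for compiling the rule with yara-python). The sample buffers are constructed here and are not real AnyDesk binaries; the point is that $a2 is declared `wide` only, so an ASCII-only vendor string does not satisfy `all of them`.

```python
import struct

# Byte patterns required by the rule PUP_RMM_AnyDesk_exe. The doubled
# backslashes in the YARA string are single backslashes in the file.
PDB_PATH = rb"C:\Buildbot\ad-windows-32\build\release\app-32\win_loader\AnyDesk.pdb"
PORTAL = b"my.anydesk.com"                            # $a1: ascii only
VENDOR = "AnyDesk Software GmbH".encode("utf-16-le")  # $a2: 'wide' = UTF-16LE

def is_mz(data: bytes) -> bool:
    """uint16(0)==0x5a4d: little-endian 16-bit read of the first two bytes ('MZ')."""
    return len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D

def matches_anydesk_rule(data: bytes) -> dict:
    """Evaluate the rule's 'all of them' condition and report each sub-check."""
    hits = {
        "mz_header": is_mz(data),
        "$pdb": PDB_PATH in data,
        "$a1": PORTAL in data,
        "$a2": VENDOR in data,
    }
    hits["match"] = all(hits.values())
    return hits

def build_sample(vendor_wide: bool = True) -> bytes:
    """Constructed test buffer (hypothetical, not a real PE): MZ stub plus the strings."""
    vendor = VENDOR if vendor_wide else b"AnyDesk Software GmbH"
    return b"MZ" + b"\x00" * 62 + PDB_PATH + b"\x00" + PORTAL + b"\x00" + vendor

if __name__ == "__main__":
    for name, buf in [("wide vendor string", build_sample(True)),
                      ("ascii-only vendor string", build_sample(False)),
                      ("not a PE", b"not a PE at all")]:
        print(name, matches_anydesk_rule(buf))
```

The second sample fails only on $a2, which is what you would expect if a sample stored the vendor name as ASCII; add `ascii wide` to that string if you want both encodings covered.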

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my GitHub repository.
