Thursday, April 3, 2025

Why Cybersecurity Awareness Matters

Sophos X-Ops Incident Response teams have been studying the tactics used by Mad Liberator, a relatively new ransomware group that first surfaced in mid-July 2024.

This article explores the tactics employed by the group, including their reliance on the widely used remote-access tool, AnyDesk.

We’ll document the attention-grabbing social engineering tactics used by this group, provide guidance on how to avoid becoming a victim and, for investigators, describe where evidence of this kind of abuse can be found.

AnyDesk is a legitimate tool; what we describe here is an attacker abusing its capabilities in this particular case. The attackers used AnyDesk as part of the methodology outlined below, but any remote-access program could be misused in the same way. SophosLabs has released a detection, Troj/FakeUpd-K, for the specific binary involved.

To date, Sophos X-Ops has observed Mad Liberator focusing on data exfiltration; in our own cases we have not encountered any instance of data encryption attributed to Mad Liberator. Available advisory information, however, suggests that the group does use encryption on occasion and pursues double extortion: stealing data first, then encrypting the victim’s systems and threatening to release the stolen information unless a payment for decryption is made.

Like other ransomware operators that exfiltrate data, Mad Liberator runs a leak site on which it publishes stolen data, increasing the pressure on victims to pay. The site states that the data can be accessed free of charge.

Mad Liberator appears to use social engineering to gain access to environments, targeting users of remote-access tools installed on endpoints and servers. AnyDesk, one such tool, is widely used by IT teams to manage their environments, particularly when working with remote clients or devices.

AnyDesk operates by assigning a unique identifier, typically a ten-digit code, to each device it’s installed on. Upon installation on a machine, a user can either initiate a remote connection to control another device by entering the ID or invite another user to remotely access and manage their own machine through a secure session.

It is unclear at this stage how the attacker chooses an AnyDesk ID to target. In principle it is possible to cycle through all 10 billion potential IDs until someone accepts a connection request, but the sheer number makes that approach inefficient. In the incident our Incident Response team investigated, there were no prior interactions or contacts between the suspected Mad Liberator attacker and the victim before the victim unexpectedly received an unsolicited AnyDesk connection request. The user was not a prominent or publicly visible member of staff, so there was no obvious reason for them to be singled out.

When an AnyDesk connection request arrives, the user is presented with the popup shown in Figure 3. The user must explicitly accept the request before the connection is established.

In the case our incident response team investigated, the user knew that AnyDesk was used by their organization’s IT department. They therefore assumed the incoming connection request was just another routine instance of IT performing maintenance, and accepted it without further inquiry.

Once the connection was established, the attacker immediately transferred a malicious binary to the compromised system and executed it. The file is named “Microsoft Windows Update” and has the following SHA256 hash:

f4b9207ab2ea98774819892f11b412cb63f4e7fb4008ca9f9a59abc2440056fe

The binary is a simple program that imitates a Windows Update splash screen. The on-screen display animates, convincingly mimicking a system update in progress, as shown in Figure 4.

The program performed no other actions, which made it difficult for most antimalware software to identify it as malicious at the time. Sophos has created a detection (Troj/FakeUpd-K) specifically for this binary.

To keep the user from noticing or ending the deception, the attacker took a further step: they used an AnyDesk feature to disable the user’s keyboard and mouse input, so the user could not press the “Esc” key to close the program or take any other action.

With keyboard and mouse disabled, the victim could not interact with the machine and remained unaware of the malicious activity in the background. The fake update screen looks so routine to any Windows user that it would not have aroused suspicion even if the victim had wondered what was going on.

The attacker gained access to the victim’s OneDrive account, which was linked to the compromised machine, as well as to data stored on a central server and reachable via a mapped network share. Using AnyDesk’s FileTransfer facility, the attacker stole and exfiltrated sensitive company information. They then used Advanced IP Scanner to identify other devices in the same subnet that could be exploited, but did not move laterally to other devices.

Once the stolen data was in their hands, the attacker ran another program that created numerous ransom notes. The notes were written to various locations on a shared network directory rather than on the victim’s machine itself. They stated that sensitive data had been taken and gave instructions on how to pay to prevent the stolen information from being leaked. Techniques like these will be familiar to readers of our in-depth examination of the tactics used by ransomware groups.

The fake Windows Update screen hid the attacker’s activity from view on the victim’s screen. The attack lasted nearly four hours, after which the attacker closed the fake update display and ended the AnyDesk session, returning control of the machine to its owner. The binary had been launched manually by the attacker, and there was no persistence mechanism to re-run it after the attacker left; the file simply remained on the compromised system, inactive.

This straightforward attack relied on the victim assuming that the AnyDesk request was a normal occurrence. The investigation found no additional social engineering, with no email outreach or phishing of any kind. This underscores the need for ongoing employee training and for a clear policy on how the IT department contacts users and schedules remote sessions.

Beyond user education, we strongly recommend that administrators use AnyDesk’s Access Control Lists to allow connections only from specific devices, which significantly reduces the risk of this kind of attack.

Given the numerous suggestions already available out there,

Procedural notes for investigators:

The following procedures should be followed when observing the conclusion of a case:

1. Ensure that all evidence has been collected and documented.
2. Review all witness statements and physical evidence to ensure they align with the conclusion drawn.
3. Verify that all leads have been pursued and exhausted before drawing a final conclusion.

It is crucial to maintain objectivity throughout the investigation, avoiding any biases or preconceptions that could influence the outcome.

Ransomware groups go through recurring periods of growth and decline, and Mad Liberator’s emergence may signal a significant new player or merely another fleeting entity. The social-engineering tactics used in this case are notable but not unique. As threats evolve, attackers keep devising and reusing a variety of tactics to breach both the human factor and the technical controls in place.

Deploying tools within an environment means balancing security against usability, especially when those tools give remote access to the people who manage business-critical systems. Nevertheless, we consistently recommend that before deploying applications across a network, particularly those enabling remote access to devices, careful consideration is given to the security guidance provided by the vendor. Where security recommendations are not implemented, that decision should be documented in your risk management process, reviewed regularly, and covered by alternative mitigations in line with your organization’s risk tolerance.

When investigating an incident in which AnyDesk may have been abused by attackers, look for session logs and connection data in the following locations:

  • C:\ProgramData\AnyDesk\connection_trace.txt
  • C:\ProgramData\AnyDesk\ad_svc.trace
  • C:\Users\%\AppData\Roaming\AnyDesk\ad.trace

The connection_trace.txt file primarily contains the Address ID of recent connections, so on its own it is of limited use. It can, however, help you narrow down the ID involved.

Each entry in that file records one of four states for the connection:

  • REJECTED – the end user rejected the connection request.
  • User – the end user accepted the connection request.
  • Password – the password set on the remote system was used to authenticate.
  • Token – the remote system used the “Login Automatically” option.

The ad_svc.trace and ad.trace files contain a great deal of finely detailed information. They can be opened in a text editor such as Notepad and record, among other things, connection details. The ad_svc.trace file in particular records the source IP addresses of remote connections.

The ad.trace file logs file-transfer activity as well as instances where user input was disabled.

Although log entries may indicate the affected folder and the amount of data involved in an exfiltration, they do not necessarily record specific file names.

With Sophos Intercept X installed, collecting this data is simpler: the following osquery query can be run in Live Discover from the Sophos Central console.

SELECT
   -- the 19-character timestamp follows the 'info' log-level token on each trace line
   DATE_FORMAT(CAST(SUBSTRING(grep.line, LOCATE('info', grep.line) + 5, 19) AS DATETIME), '%Y-%m-%d %H:%i:%s') AS Datetime,
   grep.path,
   CASE
      WHEN grep.pattern = 'Logged in from' THEN 'Login'
      WHEN grep.pattern = 'Preparing files' THEN 'File Transfer from this Host'
      WHEN grep.pattern = 'Accepting from' THEN 'Accepted Connection Request'
      WHEN grep.pattern = 'Incoming session request:' THEN 'Incoming Session Request'
      WHEN grep.pattern = 'Remote OS:' THEN 'Remote OS'
      WHEN grep.pattern = 'Disabling user input.' THEN 'Disable Mouse and Keyboard'
      WHEN grep.pattern = 'Download started' THEN 'File Transfer to this Host'
      WHEN grep.pattern = 'Received a sysinfo request.' THEN 'System Information Request'
      WHEN grep.pattern = 'Authenticated with permanent token' THEN 'Authenticated with Token'
      WHEN grep.pattern = 'Authenticated with correct passphrase' THEN 'Authenticated with Password'
      WHEN grep.pattern = 'Profile was used:' THEN 'Profile Assigned'
   END AS Operation,
   grep.line AS Data
FROM file
CROSS JOIN grep ON (grep.path = file.path)
WHERE
   (
      file.path LIKE 'C:\ProgramData\AnyDesk\ad_svc.trace' OR
      file.path LIKE 'C:\Users\%\AppData\Roaming\AnyDesk\ad.trace'
   )
   AND
   (
      grep.pattern IN ('Logged in from', 'Preparing files', 'Accepting from', 'Incoming session request:', 'Remote OS:', 'Disabling user input.', 'Download started', 'Received a sysinfo request.', 'Authenticated with permanent token', 'Authenticated with correct passphrase', 'Profile was used:')
   )
ORDER BY Datetime DESC

The query’s output sorts the information into a usable view, as shown in Figure 10.
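To show what the trace-file markers above look like when processed outside Live Discover, here is an added Python example, not from the original article or from Sophos: it parses constructed ad_svc.trace lines (the column layout is an assumption) using the same marker strings as the query, pulls out the remote IP from the login line, and flags the input-lockout-then-file-transfer sequence seen in this incident.

```python
import re

# Constructed sample of AnyDesk ad_svc.trace lines (not real log data; column
# layout is an assumption). The "info" level token precedes the timestamp.
SAMPLE_TRACE = """
    info 2024-07-15 09:01:10.201  lsvc  4520  4532  31  anynet.any_socket - Incoming session request: [constructed] (1234567890)
    info 2024-07-15 09:01:14.877  lsvc  4520  4532  31  app.session - Accepting from 1234567890
    info 2024-07-15 09:01:15.102  lsvc  4520  4532  31  anynet.any_socket - Logged in from 203.0.113.5:55012 on relay 7b1c
    info 2024-07-15 09:02:03.440  lsvc  4520  4532  31  app.ctrl_srv - Disabling user input.
    info 2024-07-15 09:05:41.009  lsvc  4520  4532  31  app.file_transfer - Preparing files in 'C:\\Users\\jdoe\\OneDrive\\Finance'.
"""
# Marker strings from the Live Discover query, mapped to its operation labels.
PATTERNS = {
    "Incoming session request:": "Incoming Session Request",
    "Accepting from": "Accepted Connection Request",
    "Logged in from": "Login",
    "Disabling user input.": "Disable Mouse and Keyboard",
    "Preparing files": "File Transfer from this Host",
    "Download started": "File Transfer to this Host",
}
TS_RE = re.compile(r"\binfo (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
IP_RE = re.compile(r"Logged in from (\d{1,3}(?:\.\d{1,3}){3}):\d+")

def parse_trace(text):
    """Return (timestamp, operation, remote_ip, raw_line) for each line carrying
    one of the markers; other lines are skipped, like the query's WHERE clause."""
    events = []
    for line in text.splitlines():
        op = next((label for marker, label in PATTERNS.items() if marker in line), None)
        if op is None:
            continue
        ts, ip = TS_RE.search(line), IP_RE.search(line)
        events.append((ts.group(1) if ts else None, op,
                       ip.group(1) if ip else None, line.strip()))
    return events

def input_lockout_then_transfer(events):
    """True when user input was disabled and a file transfer from this host
    followed it: the sequence observed in the Mad Liberator intrusion."""
    locked = False
    for _ts, op, _ip, _raw in events:
        if op == "Disable Mouse and Keyboard":
            locked = True
        elif locked and op == "File Transfer from this Host":
            return True
    return False
```

Running parse_trace over a real ad_svc.trace and ad.trace (paths listed above) gives a timeline equivalent to the query's output, and the lockout check is a cheap first triage signal.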

This collaborative effort was undertaken by Harshal Gosalia, Ollie Jones, and Andy French.
