Listen to this Post

Introduction:
A sophisticated cyber campaign uncovered by Microsoft leverages WhatsApp as an initial access vector to deliver malicious VBScript (VBS) files. This attack is notable for its advanced evasion techniques, including the renaming of native Windows executables to masquerade as legitimate system processes and the use of widely trusted cloud services to host payloads, culminating in the stealthy installation of the AnyDesk remote administration tool for persistent access.
Learning Objectives:
- Identify the tactics, techniques, and procedures (TTPs) used in the campaign, including the abuse of Windows tools and cloud infrastructure.
- Analyze the attack chain from initial delivery via WhatsApp to the establishment of persistence using remote desktop tools.
- Implement detection and mitigation strategies using Windows commands, PowerShell, and security configurations to defend against similar Living Off the Land (LotL) attacks.
You Should Know:
- Analyzing the Attack Chain: From WhatsApp to AnyDesk
The campaign begins with a threat actor sending a malicious VBS file via WhatsApp messages, often disguised as a document or invoice. Upon execution, the script performs a series of actions designed to bypass standard security controls. The core evasion technique involves renaming legitimate Windows binaries. For instance, the attacker might rename `cmd.exe` or `powershell.exe` to a benign-sounding name like `rename.exe` or `helper.exe` to avoid detection by process monitoring tools that look for specific executable names.
To analyze this behavior, security professionals can use Sysmon (System Monitor) or PowerShell to track process creation events. The following PowerShell command can help identify renamed instances of common executables:
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} | Where-Object { $<em>.Message -match 'Image.rename.exe' -or $</em>.Message -match 'OriginalFileName.cmd.exe' }
This command filters Sysmon event ID 1 (Process Creation) for any process named “rename.exe” that originates from the legitimate `cmd.exe` binary, indicating a renamed and potentially malicious execution.
2. Cloud Payload Retrieval and Obfuscation
A key component of this campaign is the use of legitimate cloud services such as Google Drive, Dropbox, or Discord CDN to host the secondary payloads. The initial VBS script contains embedded URLs pointing to these services. By using trusted domains, the malicious traffic blends in with normal network activity, evading traditional firewall and proxy filters that allowlist these services.
The VBS script typically uses `MSXML2.XMLHTTP` or `WinHttp.WinHttpRequest` objects to download the next stage. Analysts can simulate this retrieval for analysis using `curl` on Linux or `Invoke-WebRequest` on Windows in a sandboxed environment:
Linux - Simulating payload retrieval from a cloud URL curl -k -L -O "https://[cloud-storage-url]/malicious_payload.exe" file malicious_payload.exe
For network defense, monitoring egress traffic for unexpected file extensions (like .vbs, .ps1, or .exe) being downloaded from cloud storage providers, even if the domain is trusted, is crucial. A Suricata or Zeek rule can be tuned to alert on HTTP POST requests to cloud storage APIs followed by executable file transfers.
3. Stealthy Persistence via AnyDesk Installation
Once the secondary payload is executed, it proceeds to download and install the legitimate AnyDesk remote desktop software. However, the installation is not performed interactively. Instead, the attacker uses command-line arguments to silently install AnyDesk, configure it for unattended access, and set a custom password. This transforms a legitimate administrative tool into a persistent backdoor.
The typical silent installation command looks like this:
AnyDesk.exe --install "C:\ProgramData\AnyDesk" --start-with-win --silent --create-shortcuts --remove-other-installations
Following installation, the attacker configures the connection password using the `anydesk.exe –set-password` command. To detect this, defenders can monitor for the installation of remote desktop tools via Windows Event Logs. The following PowerShell command can be used to query the Security event log for service installation events (Event ID 4697) related to AnyDesk:
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4697} | Where-Object { $_.Message -match 'AnyDesk' }
4. Mitigation and Hardening Against LotL Techniques
Defending against such campaigns requires a multi-layered approach focused on restricting scripting engines and application control.
- Restrict VBScript Execution: In Windows 10 and 11, VBScript can be disabled or restricted via Group Policy. Navigate to `Computer Configuration -> Administrative Templates -> Windows Components -> Windows Script Host` and set “Turn off Windows Script Host” to Enabled. This prevents `.vbs` files from executing unless explicitly allowed.
- Application Control (AppLocker or WDAC): Implement AppLocker or Windows Defender Application Control (WDAC) to block execution from directories where users have write permissions, such as `%AppData%` or
%Temp%. A basic AppLocker rule can block all executables, scripts, and installers from running from these user-writable paths, preventing the dropped payloads from executing. - Network Segmentation: Isolate systems that require remote desktop tools like AnyDesk to specific management VLANs. Use firewall rules to restrict outbound connections from workstations to public cloud storage domains unless explicitly required for business operations.
5. Detection via Command Line Auditing
Enabling command-line auditing in Windows provides visibility into the arguments passed to processes, which is critical for detecting silent installations and renamed binaries. Using Group Policy, enable “Include command line in process creation events” under Computer Configuration -> Administrative Templates -> System -> Audit Process Creation. Once enabled, the following PowerShell query can reveal suspicious AnyDesk installations:
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object { $<em>.Message -match 'anydesk.exe' -and ($</em>.Message -match '--install' -or $_.Message -match '--set-password') }
What Undercode Say:
- Blending In is the New Breach: The attack’s success relies heavily on using legitimate tools (AnyDesk, renamed Windows binaries, cloud storage). This underscores that security strategies must move beyond simple allowlisting and focus on behavioral analysis.
- Living Off the Land (LotL) Evolution: By renaming native Windows tools, attackers bypass basic signature-based detection. Defenders must leverage command-line auditing and process genealogy (parent-child relationships) to spot anomalies.
- The Cloud as a Threat Vector: The trust placed in cloud storage providers is being weaponized. Organizations need to implement outbound content inspection for cloud services, treating them as potential entry points for malware rather than implicitly trusted domains.
- User Awareness is the First Layer: The initial vector is social engineering via WhatsApp. Continuous security awareness training emphasizing the risks of opening unsolicited attachments, even from seemingly trusted contacts (who may be compromised), remains a critical control.
Prediction:
This campaign signals a broader trend where threat actors will increasingly use legitimate remote access tools (RATs) like AnyDesk, TeamViewer, and Splashtop as post-exploitation backdoors, making it harder for incident responders to distinguish between authorized IT administration and malicious activity. Future iterations will likely incorporate AI-generated social engineering messages within messaging platforms to improve the success rate of initial delivery, further blurring the line between legitimate communication and targeted attacks.
▶️ Related Video (82% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Hackermohitkumar Microsoft – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


