Trend Micro recently discovered a new ransomware (detected as RANSOM_BLACKHEART.THDBCAH) that drops and executes the legitimate remote-access tool AnyDesk alongside its malicious payload. This isn't the first time malware has abused such a tool: TeamViewer, which has more than 200 million users, was abused by a previous ransomware that used the victim's connections as a distribution method.
In this instance, however, RANSOM_BLACKHEART bundles both the legitimate program and the malware together instead of using AnyDesk for propagation.
Although the specifics of how RANSOM_BLACKHEART enters a system remain unknown, we do know that users can unknowingly download the ransomware when they visit malicious sites.
Once downloaded, RANSOM_BLACKHEART drops and executes two files:
- %User Temp%\ANYDESK.exe
- %User Temp%\BLACKROUTER.exe
Trend Micro believes bundling AnyDesk with the ransomware might be an evasion tactic. Once RANSOM_BLACKHEART is downloaded, AnyDesk starts running in the background of the affected system, masking the true purpose of the ransomware while it performs its encryption routine. Cybercriminals may be experimenting with AnyDesk as an alternative because TeamViewer's developers have acknowledged the abuse of their product and have added some anti-malware protections to some of its tools.
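As an added example (not part of Trend Micro's write-up), a defender-side check over constructed Sysmon-style process-creation events: a remote-access tool such as AnyDesk launched from a user's Temp folder is suspicious on its own, and is escalated when the same parent starts a second executable from that folder within a short window, matching the two-file drop described above. The event layout, paths and time window are constructed assumptions, not values from the report.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events in a Sysmon-like key=value layout (not real telemetry).
# Paths follow the page's %User Temp%\ANYDESK.exe and %User Temp%\BLACKROUTER.exe drops.
SAMPLE_EVENTS = [
    r"2018-05-02T10:14:03 ParentImage=C:\Users\alice\Downloads\invoice_viewer.exe Image=C:\Users\alice\AppData\Local\Temp\ANYDESK.exe",
    r"2018-05-02T10:14:04 ParentImage=C:\Users\alice\Downloads\invoice_viewer.exe Image=C:\Users\alice\AppData\Local\Temp\BLACKROUTER.exe",
    r"2018-05-02T11:30:00 ParentImage=C:\Windows\explorer.exe Image=C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
]

# Legitimate remote-access tools that ransomware has bundled or abused (per the page).
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe"}
# A user's Temp directory; legitimate installs live under Program Files, not here.
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
EVENT_RE = re.compile(r"^(?P<ts>\S+) ParentImage=(?P<parent>.+?) Image=(?P<image>.+)$")


def parse_event(line):
    """Parse one constructed event line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "parent": m["parent"], "image": m["image"]}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_user_temp(path):
    return bool(USER_TEMP_RE.match(path))


def find_bundled_remote_tool(lines, window_seconds=60):
    """Flag a remote-access tool started from a user Temp folder. When the same parent
    starts another executable from a Temp folder within the window, pair them as a
    likely bundle (AnyDesk masking a payload) and raise the severity."""
    events = [e for e in map(parse_event, lines) if e]
    window = timedelta(seconds=window_seconds)
    alerts = []
    for e in events:
        if basename(e["image"]) not in REMOTE_ACCESS_TOOLS or not is_user_temp(e["image"]):
            continue  # normal install locations such as Program Files are not flagged
        siblings = [o["image"] for o in events
                    if o is not e and o["parent"] == e["parent"]
                    and is_user_temp(o["image"]) and abs(o["ts"] - e["ts"]) <= window]
        alerts.append({"tool": e["image"], "siblings": siblings,
                       "severity": "high" if siblings else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in find_bundled_remote_tool(SAMPLE_EVENTS):
        print(alert)
```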