APG Threat Analysis of Angry IP Scanner and AnyDesk for 2024
The APG predicts that threat actors will likely continue to use Angry IP Scanner and abuse AnyDesk for reconnaissance, discovery, and persistence over the next 12 months.
We base this assessment on attacks observed internally by Blackpoint, as well as on external reporting related to the abuse of these two legitimate tools.
The U.S. CISA detailed Akira ransomware operators’ use of AnyDesk to establish command and control channels and to transfer files remotely. The group has also been observed using the tool to obtain remote access to victim systems (5).
Additionally, in January 2023, the U.S. CISA released an advisory warning of threat actors’ use of legitimate RMM tools, including AnyDesk. The advisory identified a malicious campaign in which phishing emails led victims to download the legitimate RMM software, which the actors then used in a refund scam to steal money from victims’ bank accounts (14).
In 2020, the U.S. CISA reported that Iranian-linked threat groups had been observed using Angry IP Scanner to detect remote systems connected to compromised networks (15). Threat actors can then move laterally to the discovered remote devices to collect sensitive information.
Similar to RMM software abuse, other legitimate tools like Angry IP Scanner can be abused for malicious purposes. Security researchers with Zscaler reported a Google malvertising campaign that used multiple look-alike domains and leveraged Google Ads to push those domains to the top of the search engine results (16). The group registered 45 domains hosting sites that impersonated legitimate software, including Angry IP Scanner.
This incident highlights how threat actors abuse legitimate tools both to conduct reconnaissance and discovery and as lures for initial access.
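One defender-side check that follows from the patterns above, written as an added example (not Blackpoint's code): it scans constructed process-creation events for Angry IP Scanner runs and for AnyDesk launched on a host where it is not the sanctioned remote-access tool. The binary names, the JSON log layout and the approved-tool list are assumptions.

```python
import json
from pathlib import PureWindowsPath

# Executable names of the two tools discussed above. Assumption: stock Windows
# binary names (AnyDesk.exe; ipscan.exe for Angry IP Scanner).
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "sanctioned-rmm.exe"}
NET_DISCOVERY_TOOLS = {"ipscan.exe"}
# Assumption: the only remote-access agent this organisation has approved
# (placeholder name). AnyDesk is deliberately absent, so any run of it is a finding.
APPROVED_REMOTE_ACCESS = {"sanctioned-rmm.exe"}


def classify_event(evt):
    """Return a finding label for one process-creation event, or None."""
    path = evt["image"]
    image = PureWindowsPath(path).name.lower()
    if image in NET_DISCOVERY_TOOLS:
        return "network-discovery-tool"
    if image in REMOTE_ACCESS_TOOLS and image not in APPROVED_REMOTE_ACCESS:
        # Phishing-delivered RMM abuse typically runs the tool from the user's
        # profile rather than from a managed Program Files install.
        where = "user-profile" if "\\users\\" in path.lower() else "system"
        return "unsanctioned-remote-access (%s path)" % where
    return None


def scan_events(lines):
    """Parse JSON-lines process events; return (host, user, image, label) findings."""
    findings = []
    for line in lines:
        evt = json.loads(line)
        label = classify_event(evt)
        if label is not None:
            findings.append((evt["host"], evt["user"],
                             PureWindowsPath(evt["image"]).name, label))
    return findings


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    '{"host": "WS01", "user": "alice", "image": "C:\\\\Program Files\\\\RMM\\\\sanctioned-rmm.exe"}',
    '{"host": "WS02", "user": "bob", "image": "C:\\\\Users\\\\bob\\\\Downloads\\\\AnyDesk.exe"}',
    '{"host": "SRV01", "user": "svc_backup", "image": "C:\\\\Users\\\\svc_backup\\\\AppData\\\\Local\\\\Temp\\\\ipscan.exe"}',
    '{"host": "WS03", "user": "carol", "image": "C:\\\\Windows\\\\System32\\\\notepad.exe"}',
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print("%s %s %s -> %s" % finding)
```

The same classifier can be pointed at Sysmon Event ID 1 or EDR process telemetry once the field names are mapped; the approved list is what keeps a legitimately deployed RMM agent from generating noise.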