
The art of manipulation: fraudsters steal money with remote administration software for mobile devices

September 22, 2023

Doctor Web is reporting on the growing number of fraud cases involving remote desktop access applications. RustDesk is the most popular among attackers.

With the recent leaks of database fragments from a number of banks, fraudsters now have access to customers' personal information, which they use to gain the trust of their victims. Pretending to be bank support staff, the criminals report that suspicious activity has been detected on the victim's account, which could result in a loss of money. To prevent theft, the victim allegedly needs to install a “security” application on their device. The attackers tell the victim to visit the app store and search for apps like “Sberbank support”, “VTB support” and the like.



In fact, until recently, the top Google Play results for such search phrases were applications such as AweSun Remote Desktop, RustDesk Remote Desktop, and AnyDesk Remote Desktop. This is because the Google Play ranking system takes into account which application users click on after entering their search query. Thus, the more people search using the keywords “support bank_name” and mistakenly click the link for a remote administration application, the more Google Play will recommend that application to users.

It should be noted that in and of themselves, remote administration utilities are not malicious. They become a problem when they are used to perform illegal actions.

After the app is installed, the scammers ask the victim for a unique identifier and then take full control of the device. Access to the device allows them to make payments and transfers from the victim's account. Unfortunately for the victim, it will be impossible to prove the hack and revoke the payment order in such a situation, because from the bank's point of view, it was the customer's device that interacted with the payment system.

Google has now removed the RustDesk application from the Google Play store. As a result, the attackers have moved their activities to their own network resources and are now encouraging victims to visit sites such as hххps://помощникбанков[.]рф.



On such sites, potential victims are prompted to download the now-familiar RustDesk application. On some sites, to make the downloaded applications more convincing, the names and icons are replaced with those of a particular bank. A section with testimonials from “satisfied users” adds further psychological reassurance.



Dr.Web antivirus detects the RustDesk application as Tool.RustDesk.1.origin and its modifications as Android.FakeApp.1426. For additional security, the URL filter component of Dr.Web antivirus blocks access to malicious websites, preventing users from falling prey to scams.
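Sites like the one named above use Cyrillic .рф names, which DNS and proxy logs record in punycode (xn-- labels), so a defanged indicator has to be refanged and IDNA-encoded before it can be matched. The following is an added example, not Doctor Web's code; the log format and the sample lines are constructed assumptions.

```python
import re

# Defanged scheme prefixes; \u0445 is Cyrillic "х", as used in the report's "hххps://".
_SCHEME = re.compile(r"^h(?:tt|xx|\u0445\u0445)ps?://", re.IGNORECASE)

def refang(indicator):
    """Turn a defanged indicator into a bare lowercase hostname."""
    host = _SCHEME.sub("", indicator.strip()).replace("[.]", ".")
    return host.split("/", 1)[0].rstrip(".").lower()

def to_ascii(host):
    """IDNA-encode the name: DNS and proxy logs record xn-- labels, not Cyrillic."""
    return host.encode("idna").decode("ascii")

def build_watchlist(indicators):
    return {to_ascii(refang(i)) for i in indicators}

def match_queries(log_lines, watchlist):
    """Return (line_number, queried_name) for names equal to or under a listed domain."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        fields = line.split()
        if len(fields) < 3:
            continue  # not a query record in the assumed format
        qname = fields[2].rstrip(".").lower()
        labels = qname.split(".")
        # Compare whole-label suffixes so "evil<listed>" does not match.
        if any(".".join(labels[i:]) in watchlist for i in range(len(labels))):
            hits.append((number, qname))
    return hits

def constructed_log(listed):
    """Constructed sample lines in an assumed 'time client qname qtype' format."""
    return [
        f"2023-09-22T10:00:01Z 10.0.0.5 www.{listed}. A",
        "2023-09-22T10:00:02Z 10.0.0.5 example.com. A",
        f"2023-09-22T10:00:03Z 10.0.0.7 {listed.upper()} AAAA",
        f"2023-09-22T10:00:04Z 10.0.0.7 evil{listed} A",
    ]

if __name__ == "__main__":
    watchlist = build_watchlist(["помощникбанков[.]рф"])  # the site named in the report
    listed = next(iter(watchlist))
    print(listed)
    for hit in match_queries(constructed_log(listed), watchlist):
        print(hit)
```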

Doctor Web would like to remind you:

  • Be cautious about accepting calls from banks and other organizations.
  • Never install programs on your devices at someone else's request.
  • Do not share codes from SMS or push notifications with anyone.
  • Do not talk to “bank representatives”. If they tell you unauthorized charges were made to your account, hang up. If you want to make sure that everything is okay, call the bank yourself using the number on your card.

Read more about Tool.RustDesk.1.origin

Read more about Android.FakeApp.1426

Indicators of compromise:

