MalwareBytes reports a recent malvertising campaign distributing the loader PikaBot via abusing the popular remote desktop software AnyDesk. The fraudsters employed a sophisticated evasion technique:
Google security checks were bypassed by leveraging a third-party marketing platform to redirect victims to the attacker-controlled domain (anadesky[.]ovmv[.]net).
Once landed on the malicious website, JavaScript runs to validate the environment where the victim is operating. If no virtual environment is found, the infection chain continues by enabling the user to click on a "download" button.
The aforementioned button downloads the malicious MSI from Dropbox, where the malicious payload is hosted.
According to a separate MalwareBytes report, the same redirection mechanism has been noticed in a separate campaign exploiting Zoom and Slack search advertisements. This campaign - potentially attributable to the same actor based on these observations - leverages various URLs with domain names onlink[.]me, youstorys[.]com, windows-rars[.]shop, scheta[.]site, and hyros[.]com. The Zoom campaign aimed to deliver an information stealer which appears to target primarily cryptowallets or serve as initial access broker.