Skip links

Fake sites fool Zoom users into downloading deadly code

Beware the Zoom site you don’t recognize, as a criminal gang is creating multiple fake versions aimed at luring users to download malware that can steal banking data, IP addresses, and other information.

Threat researchers at cybersecurity firm Cyble found six fake Zoom sites offering applications that, if clicked on, will download the Vidar Stealer malware, which also grabs lots of other goodies. The fake Zoom sites are part of a wider info-stealing effort, according to the Cyble Research and Intelligence Lab (CRIL).

“Based on our recent observations, [criminals] actively run multiple campaigns to spread information stealers,” they wrote in a report this week.

“Stealer Logs can provide access to compromised endpoints, which are sold on cybercrime marketplaces. We have seen multiple breaches where stealer logs have provided the necessary initial access to the victim’s network.”

Companies like Zoom give attackers a broad user group to prey on. The company’s user base has skyrocketed over the past three years due to the COVID-19 pandemic, and that makes it a very attractive target.

In the second quarter, Zoom reported 204,100 enterprise customers, an 18 percent year-over-year increase. It also generated revenue of almost $1.1 billion, an 8 percent jump over the same period last year.

The Cyble researchers said they first heard about the fake Zoom sites earlier this month from a tweet they saw during a routine threat hunting exercise. They found six such sites that are still in operation: zoom-download[.]host; zoom-download[.]space, zoom-download[.]fun, zoomus[.]host, zoomus[.]tech, and zoomus[.]website.

Those sites redirect users to a GitHub URL on the backend that shows applications that can be downloaded. If a user downloads a malicious application, it drops two binaries – ZOOMIN-1.EXE and Decoder.exe – into the temporary folder.

The malware is injected into MSBuild.exe and then extracts IP addresses that host the DLLs and configuration data, putting it into a position to steal more information. It also can hide the IP address of its command-and-control (C&C) server.

“We found that this malware had overlapping Tactics, Techniques, and Procedures (TTPs) with Vidar Stealer,” the researchers wrote, adding that, like Vidar Stealer, “this malware payload hides the C&C IP address in the Telegram description. The rest of the infection techniques appear to be similar.”

Cyble wrote a deep-dive report about Vidar Stealer a year ago, saying the malware has been around since 2018. The malware also has links to a similar threat, Arkei Stealer.

The security biz outlined steps enterprises and users can take to avoid such malware, including not downloading pirated software, using strong passwords and multi-factor authentication, ensuring automatic updates of systems, and training employees not to open untrusted links.

Organizations also should monitor network beacons to detect and block data being exfiltrated by malware or threat groups, it added. ®

Source