Fake sites trick Zoom users into downloading deadly code • The Register

Beware of the Zoom site you don’t recognize, as a criminal gang is creating multiple fake versions aimed at tricking users into downloading malware that can steal bank details, IP addresses, and other information.

Threat researchers from cybersecurity firm Cyble have found six fake Zoom sites offering downloads that, if run, install the Vidar Stealer malware, one of several information stealers the gang distributes. The fake Zoom sites are part of a larger information-theft effort, according to the Cyble Research and Intelligence Lab (CRIL).

“Based on our recent observations, [criminals] actively run multiple campaigns to spread information thieves,” they wrote in a report this week.

“The thief logs can provide access to compromised endpoints, which are sold on the cybercrime markets. We have seen multiple breaches where the thief logs have provided the necessary initial access to the victim’s network.”

Companies like Zoom offer attackers a large pool of users to prey on. Zoom's user base has skyrocketed over the past three years because of the COVID-19 pandemic, and that makes it a very attractive target.

In the second quarter, Zoom had 204,100 corporate customers, an 18% increase year-over-year. It also generated nearly $1.1 billion in revenue, an 8% increase over the same period last year.

Cyble researchers said they first learned of the fake Zoom sites earlier this month from a tweet they spotted during a routine threat-hunting exercise. They found six of these sites that are still operational: zoom download[.]guest, zoom download[.]space, zoom download[.]funny, zoom[.]guest, zoom[.]technology, and zoomus[.]place.

These sites redirect users to a GitHub URL on the back end that lists the applications available for download. If a user runs one of the malicious applications, it drops two binaries – ZOOMIN-1.EXE and Decoder.exe – into the temporary folder.

The malware is then injected into MSBuild.exe, from which it retrieves the IP addresses hosting its DLLs and configuration data, enabling it to steal further information. It also conceals the IP address of its command-and-control (C&C) server.
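Two defender-side checks for the chain described above, as an added example that is not part of the article or of Cyble's report: one flags DNS queries for Zoom lookalike domains, the other flags MSBuild.exe being launched by an executable running from a temporary folder. The allowlist, the log shapes (one queried name per line; Sysmon-style Image/ParentImage fields) and all sample records are constructed assumptions.

```python
"""Added detection example (not from the article or Cyble); sample data is constructed."""
import re
from typing import Iterable

# Assumption: legitimate Zoom domains. Extend with your own allowlist.
ZOOM_ALLOWLIST = {"zoom.us", "zoom.com"}


def registrable_domain(fqdn: str) -> str:
    """Naive eTLD+1 (last two labels); adequate for the simple TLDs in this campaign."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_zoom_domains(dns_queries: Iterable[str]) -> list[str]:
    """Return registrable domains that mention 'zoom' but are not allowlisted."""
    hits = set()
    for query in dns_queries:
        base = registrable_domain(query)
        if "zoom" in base and base not in ZOOM_ALLOWLIST:
            hits.add(base)
    return sorted(hits)


# Matches a "\Temp\" or "\tmp\" path component in a Windows path.
TEMP_DIR = re.compile(r"\\(Temp|tmp)\\", re.IGNORECASE)


def suspicious_msbuild(events: Iterable[dict]) -> list[dict]:
    """Flag MSBuild.exe (a common injection host) whose parent runs from a temp folder."""
    return [
        e for e in events
        if e["Image"].lower().endswith("\\msbuild.exe") and TEMP_DIR.search(e["ParentImage"])
    ]


# Constructed sample telemetry, not real captures.
SAMPLE_DNS = ["zoom.us", "us04web.zoom.us", "zoomdownload.example", "zoom.technology", "github.com"]
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\ZOOMIN-1.EXE"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
]

if __name__ == "__main__":
    print(lookalike_zoom_domains(SAMPLE_DNS))  # ['zoom.technology', 'zoomdownload.example']
    print(suspicious_msbuild(SAMPLE_EVENTS))   # only the Temp-spawned MSBuild event
```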

“We found that this malware overlapped Tactics, Techniques, and Procedures (TTP) with Vidar Stealer,” the researchers wrote, adding that, like Vidar Stealer, “this malware payload hides the C&C IP address in the Telegram description. The rest of the infection techniques appear to be similar.”

Cyble published an in-depth report on Vidar Stealer a year ago, noting that the malware has been around since 2018. It is also linked to a similar threat, Arkei Stealer.

The security industry has outlined the steps that businesses and users can take to avoid such malware, including not downloading pirated software, using strong passwords and multi-factor authentication, enabling automatic software updates, and training employees not to open untrusted links.

Organizations should also monitor network beacons to detect and block data being exfiltrated by malware or threat groups, the researchers added. ®