These fake Zoom websites want to trick you into downloading malware

nzejwxxVZvaJ8buBy8F5BM 1200 80

If you want to download the video conference (opens in new tab) platform Zoom, check the internet address you are downloading from as there are plenty of fake websites that spread all kinds of nasty viruses and malware.

Cyble researchers examined reports of a widespread campaign targeting potential Zoom users and discovered six fake installer sites hosting various infostealers and other malware variants.

One of the infostealers discovered was Vidar Stealer, which was able to steal banking details, saved passwords, browser history, IP addresses, cryptocurrency wallet details and, in some cases, MFA information as well.

Multiple campaigns

“Based on our recent observations, [criminals] Actively run multiple campaigns to spread information theft,” the researchers said (opens in new tab). “Staler logs can provide access to compromised endpoints, which are sold on cybercrime marketplaces. We have seen multiple breaches where stealer logs have provided the necessary initial access to the victim’s network.”

The six sites discovered are zoom download[.]host; zoom download[.]space, zoom download[.]nice, zoomus[.]host, zoomus[.]tech and zoomus[.]website and are still operational, according to The Register.

The visitors would be redirected to a GitHub URL showing which applications they can download. If the victim chooses the malicious one, they will receive two binaries in the temporary folder: ZOOMIN-1.EXE and Decoder.exe. The malware also injects itself into MSBuild.exe and retrieves IP addresses that host the DLLs, as well as configuration information, it was said.

“We found that this malware overlaps Tactics, Techniques and Procedures (TTPs) with Vidar Stealer,” the researchers wrote, adding that, like Vidar Stealer, “this malware payload hides the C&C IP address in the Telegram description. The rest of the infection techniques are similar.”

The best way to avoid this malware is to check where you get your Zoom programs from.

Via: The Register (opens in new tab)

Leave a Reply

Your email address will not be published.