These fake Zoom websites want to trick you into downloading malware


If you’re looking to download the video conferencing platform Zoom, make sure to double-check the web address you’re downloading from, because there are plenty of fake websites out there spreading all kinds of nasty viruses and malware.

Researchers from Cyble have been investigating reports of a widespread campaign targeting potential Zoom users, and have so far uncovered six fake installation websites that host various infostealers and other malware variants.

One of the infostealers uncovered was Vidar Stealer, capable of stealing banking information, saved passwords, browser history, IP addresses, details about cryptocurrency wallets and, in some cases, MFA information as well.

Multiple campaigns

“Based on our recent observations, [criminals] actively run multiple campaigns to spread information stealers,” the researchers said. “Stealer logs can provide access to compromised endpoints, which are sold on cybercrime marketplaces. We have seen multiple breaches where stealer logs have provided the necessary initial access to the victim’s network.”

The six sites uncovered are zoom-download[.]host, zoom-download[.]space, zoom-download[.]fun, zoomus[.]host, zoomus[.]tech, and zoomus[.]website and, according to The Register, are still operational.

Visitors would be redirected to a GitHub URL that shows which applications they can download. If the victim chooses the malicious one, they receive two binaries in the temp folder: ZOOMIN-1.EXE and Decoder.exe. The malware also injects itself into MSBuild.exe and pulls the IP addresses hosting the DLLs, as well as configuration data, it was said.

“We found that this malware had overlapping Tactics, Techniques, and Procedures (TTPs) with Vidar Stealer,” the researchers wrote, adding that, like Vidar Stealer, “this malware payload hides the C&C IP address in the Telegram description. The rest of the infection techniques appear to be similar.”

The best way to avoid this malware is to double-check where you’re getting your Zoom packages from.
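That advice can be automated on the defender side: the script below, an added example that is not part of the article or the Cyble report, scans constructed proxy log lines and flags any request to a Zoom-branded host whose registrable domain is not zoom.us (assumed here to be the only legitimate download domain), using the six lookalike domains named above as a known-bad list and a brand-in-domain heuristic for anything else.

```python
from urllib.parse import urlsplit

# Assumption: zoom.us is the only legitimate Zoom download domain for this environment.
OFFICIAL_ZOOM_DOMAINS = {"zoom.us"}

# The six lookalike domains reported by Cyble (de-fanged in the article text).
KNOWN_FAKE_ZOOM_DOMAINS = {
    "zoom-download.host", "zoom-download.space", "zoom-download.fun",
    "zoomus.host", "zoomus.tech", "zoomus.website",
}

def registrable_domain(host):
    """Naive eTLD+1 (last two labels); adequate for these TLDs, use tldextract in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def classify_host(host):
    """Return 'official', 'known_fake', 'lookalike' or 'other' for a hostname."""
    rd = registrable_domain(host)
    if rd in OFFICIAL_ZOOM_DOMAINS:
        return "official"
    if rd in KNOWN_FAKE_ZOOM_DOMAINS:
        return "known_fake"
    # Any other registrable domain that embeds the brand name is a typosquat candidate.
    if "zoom" in rd.split(".")[0]:
        return "lookalike"
    return "other"

# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url>"
SAMPLE_PROXY_LOG = """\
2022-09-13T10:01:02Z 10.0.0.5 GET https://zoom.us/client/latest/ZoomInstaller.exe
2022-09-13T10:03:44Z 10.0.0.7 GET https://zoom-download.fun/download/ZoomInstaller.exe
2022-09-13T10:04:10Z 10.0.0.7 GET https://zoomus.website/
2022-09-13T10:05:00Z 10.0.0.9 GET https://zoom-update.xyz/setup.exe
"""

def find_suspicious_zoom_downloads(log_text):
    """Return (client_ip, host, verdict) for every request to a non-official Zoom-branded host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the scan
        host = urlsplit(parts[3]).hostname or ""
        verdict = classify_host(host)
        if verdict in ("known_fake", "lookalike"):
            hits.append((parts[1], host, verdict))
    return hits
```

Requests to zoom.us subdomains are left alone; every other Zoom-branded host comes back with the client that requested it, which is the pivot point for checking that endpoint for the dropped binaries.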

Via: The Register
