These fake Zoom websites want to trick you into downloading malware

If you’re looking to download the video conferencing platform Zoom, make sure you double-check the internet address you’re downloading from, because there are plenty of fake websites out there spreading all kinds of nasty viruses and malware.

Researchers from Cyble have been investigating reports of a widespread campaign targeting potential Zoom users, and have so far uncovered six fake install sites that host various infostealers and other malware variants.

One of the infostealers uncovered was Vidar Stealer, capable of stealing banking information, stored passwords, browser history, IP addresses, details about cryptocurrency wallets and, in some cases, MFA information as well.

Multiple campaigns

“Based on our recent observations, [criminals] actively run multiple campaigns to spread information stealers,” the researchers said. “Stealer Logs can provide access to compromised endpoints, which are sold on cybercrime marketplaces. We have seen multiple breaches where stealer logs have provided the necessary initial access to the victim’s network.”

The six sites uncovered are zoom-download[.]host, zoom-download[.]space, zoom-download[.]fun, zoomus[.]host, zoomus[.]tech, and zoomus[.]website. According to The Register, they are still operational.

Visitors are redirected to a GitHub URL that shows which applications they can download. If the victim chooses the malicious one, they receive two binaries in the temp folder: ZOOMIN-1.EXE and Decoder.exe. The malware also reportedly injects itself into MSBuild.exe and pulls IP addresses hosting the DLLs, as well as configuration data.
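As an added example (not code from Cyble, The Register, or this article), the six reported domains and the two dropped file names can be turned into a small hunt over DNS and process-creation events. The event schema and the sample events are constructed for illustration.

```python
import re

# Indicators taken from the article (domains refanged for matching).
FAKE_ZOOM_DOMAINS = {
    "zoom-download.host", "zoom-download.space", "zoom-download.fun",
    "zoomus.host", "zoomus.tech", "zoomus.website",
}
DROPPED_BINARIES = {"zoomin-1.exe", "decoder.exe"}

def refang(host):
    """Normalise a hostname: undo [.] defanging, lowercase, drop trailing dot."""
    return host.replace("[.]", ".").strip().lower().rstrip(".")

def is_fake_zoom_host(host):
    """True if host is a listed domain or a subdomain of one.
    Matching on a label boundary avoids flagging e.g. notzoomus.tech."""
    h = refang(host)
    return any(h == d or h.endswith("." + d) for d in FAKE_ZOOM_DOMAINS)

def is_dropped_binary(path):
    """True if path names ZOOMIN-1.EXE or Decoder.exe inside a Temp directory."""
    parts = re.split(r"[\\/]+", path.strip().lower())
    return parts[-1] in DROPPED_BINARIES and "temp" in parts[:-1]

def hunt(events):
    """Return (event index, reason) for each event matching an indicator.
    The kind/host/image keys are an assumed schema for this example."""
    hits = []
    for i, ev in enumerate(events):
        if ev["kind"] == "dns" and is_fake_zoom_host(ev["host"]):
            hits.append((i, "fake-zoom-domain"))
        elif ev["kind"] == "process" and is_dropped_binary(ev["image"]):
            hits.append((i, "dropped-binary-in-temp"))
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"kind": "dns", "host": "zoom.us"},
    {"kind": "dns", "host": "WWW.Zoomus.Tech."},
    {"kind": "dns", "host": "notzoomus.tech"},
    {"kind": "process", "image": r"C:\Users\alice\AppData\Local\Temp\ZOOMIN-1.EXE"},
    {"kind": "process", "image": r"C:\Users\alice\AppData\Local\Temp\Decoder.exe"},
    {"kind": "process", "image": r"C:\Tools\Decoder.exe"},
]

if __name__ == "__main__":
    for idx, reason in hunt(SAMPLE_EVENTS):
        print(idx, reason, SAMPLE_EVENTS[idx])
```

A file-name match alone is weak evidence, since Decoder.exe is a common name; treat a hit as a lead to correlate with the domain lookups rather than a verdict.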

“We found that this malware had overlapping Tactics, Techniques, and Procedures (TTPs) with Vidar Stealer,” the researchers wrote, adding that, like Vidar Stealer, “this malware payload hides the C&C IP address in the Telegram description. The rest of the infection techniques appear to be similar.”

The best way to avoid this malware is to double-check where you’re getting your Zoom programs from.

Via: The Register