If you’re looking to download the video conferencing (opens in new tab) platform Zoom, make sure you double-check the internet address you’re downloading from, because there are plenty of fake websites out there spreading all kinds of nasty viruses and malware.
Researchers from Cyble have been investigating reports of a widespread campaign targeting potential Zoom users, and have so uncovered six fake install sites that host various infostealers and other malware variants.
One of the infostealers uncovered was Vidar Stealer, capable of stealing banking information, stored passwords, browser history, IP addresses, details about cryptocurrency wallets and, in some cases, MFA information, as well.
“Based on our recent observations, [criminals] actively run multiple campaigns to spread information stealers,” the researchers said (opens in new tab). “Stealer Logs can provide access to compromised endpoints, which are sold on cybercrime marketplaces. We have seen multiple breaches where stealer logs have provided the necessary initial access to the victim’s network.”
The six sites uncovered are zoom-download[.]host; zoom-download[.]space, zoom-download[.]fun, zoomus[.]host, zoomus[.]tech, and zoomus[.]website and, according to The Register, are still operational.
The visitors would be redirected to a GitHub URL that shows which applications they can download. If the victim chooses the malicious one, they receive two binaries in the temp folder: ZOOMIN-1.EXE and Decoder.exe. The malware also injects itself into MSBuild.exe and pulls IP addresses hosting the DLLs, as well as configuration data, it was said.
“We found that this malware had overlapping Tactics, Techniques, and Procedures (TTPs) with Vidar Stealer,” the researchers wrote, adding that, like Vidar Stealer, “this malware payload hides the C&C IP address in the Telegram description. The rest of the infection techniques appear to be similar.”
The best way to avoid this malware is to double-check where you’re getting your Zoom programs from.
Via: The Register (opens in new tab)