Friday, May 24, 2024

Hackers use Zoom & Google Meet Lures to Attack Android & Windows users

A threat actor has been identified as creating fraudulent Skype, Google Meet, and Zoom websites to distribute malware, explicitly targeting Android and Windows users.

This article delves into the details of this malicious campaign and explains how users can identify and protect themselves from these threats.

Attack Sequence:

A threat actor distributes various malware families through fake Skype, Zoom, and Google Meet websites.

Remote Access Trojans (RATs) such as SpyNote RAT for Android, NjRAT and, DCRat for Windows are being distributed.

Document
Integrate ANY.RUN in your company for Effective Malware Analysis

Are you from SOC and DFIR teams? – Join With 400,000 independent Researchers

Malware analysis can be fast and simple. Just let us show you the way to:

  • Interact with malware safely
  • Set up virtual machine in Linux and all Windows OS versions
  • Work in a team
  • Get detailed reports with maximum data
  • If you want to test all these features now with completely free access to the sandbox: ..


The attacker utilized shared web hosting with all fake sites hosted on a single IP address in Russia.

Malicious URLs closely resemble legitimate websites, making it challenging for users to differentiate.

Attack chain and execution flow for Android and Windows campaigns (source: Zscaler)
Attack chain and execution flow for Android and Windows campaigns (source: Zscaler)

The attacker’s modus operandi involves luring users to click on fake sites where clicking on the Android button initiates the download of a malicious APK file, while clicking on the Windows button triggers the download of a BAT file, leading to a RAT payload download.

Rest assured that Zscaler’s ThreatLabz team diligently monitors and shares expert insights on all potential threats to keep you and the wider community safe.

Skype:

The first fake site discovered was join-skype[.]info, designed to deceive users into downloading a fake Skype application.

The Windows button is directed to Skype8.exe and the Google Play button is pointed at Skype.apk.

The fraudulent Skype website, with a fake domain meant to resemble the legitimate Skype domain. (Source urlscan.io.)
The fraudulent Skype website, with a fake domain meant to resemble the legitimate Skype domain. (Source urlscan.io.)

Google Meet:

Another fake site, online-cloudmeeting[.]pro, mimicking Google Meet, was identified. The site provided links to download fake Skype applications for Android and Windows.

The Windows link led to a BAT file downloading DCRat, while the Android link led to a SpyNote RAT APK file.

The fake Google Meet page, showing the fraudulent domain in the address bar for a fake Google Meet Windows application link to a malicious BAT file that downloads and executes malware. (source: Zscaler)
The fake Google Meet page, showing the fraudulent domain in the address bar for a fake Google Meet Windows application links to a malicious BAT file that downloads and executes malware. (Source: Zscaler)

Zoom:

Later, a fake Zoom site, us06webzoomus[.]pro, emerged with links to download SpyNote RAT for Android and DCRat for Windows.

The site closely resembled a legitimate Zoom meeting ID.

The fake Zoom page, showing a domain similar to the real Zoom domain in the address bar and a link to the malicious APK file that contains SpyNote RAT when the Google Play button is clicked. (source: Zscaler)
The fake Zoom page shows a domain similar to the real Zoom domain in the address bar and a link to the malicious APK file that contains SpyNote RAT when the Google Play button is clicked. (Source: Zscaler

Open Directories:

The fake Google Meet and Zoom sites also contained additional malicious files like driver.exe and meet.exe (NjRAT), indicating potential future campaigns utilizing these files.

Example of additional malicious files hosted on the websites hosting fake online meeting applications. (Source: Zscaler)

Businesses are at risk of impersonation attacks through online meeting applications, leading to the distribution of RATs that can compromise sensitive data.

Vigilance, robust security measures, regular updates, and patches are crucial in safeguarding against evolving cyber threats. Proactive measures are essential as cyber threats evolve.

Zscaler’s ThreatLabz team remains dedicated to monitoring these threats and sharing insights with the community.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter

Website

Latest articles

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining...

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented...

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which...

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits...

Malicious PyPI & NPM Packages Attacking MacOS Users

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.These...
Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles