Hackers use Zoom & Google Meet Lures to Attack Android & Windows users

A threat actor has been identified as creating fraudulent Skype, Google Meet, and Zoom websites to distribute malware, explicitly targeting Android and Windows users.

This article delves into the details of this malicious campaign and explains how users can identify and protect themselves from these threats.

Attack Sequence:

A threat actor distributes various malware families through fake Skype, Zoom, and Google Meet websites.

Remote Access Trojans (RATs) such as SpyNote RAT for Android, NjRAT and, DCRat for Windows are being distributed.

Document
Integrate ANY.RUN in your company for Effective Malware Analysis

Are you from SOC and DFIR teams? – Join With 400,000 independent Researchers

Malware analysis can be fast and simple. Just let us show you the way to:

  • Interact with malware safely
  • Set up virtual machine in Linux and all Windows OS versions
  • Work in a team
  • Get detailed reports with maximum data
  • If you want to test all these features now with completely free access to the sandbox: ..

The attacker utilized shared web hosting with all fake sites hosted on a single IP address in Russia.

Malicious URLs closely resemble legitimate websites, making it challenging for users to differentiate.

Attack chain and execution flow for Android and Windows campaigns (source: Zscaler)

The attacker’s modus operandi involves luring users to click on fake sites where clicking on the Android button initiates the download of a malicious APK file, while clicking on the Windows button triggers the download of a BAT file, leading to a RAT payload download.

Rest assured that Zscaler’s ThreatLabz team diligently monitors and shares expert insights on all potential threats to keep you and the wider community safe.

Skype:

The first fake site discovered was join-skype[.]info, designed to deceive users into downloading a fake Skype application.

The Windows button is directed to Skype8.exe and the Google Play button is pointed at Skype.apk.

The fraudulent Skype website, with a fake domain meant to resemble the legitimate Skype domain. (Source urlscan.io.)

Google Meet:

Another fake site, online-cloudmeeting[.]pro, mimicking Google Meet, was identified. The site provided links to download fake Skype applications for Android and Windows.

The Windows link led to a BAT file downloading DCRat, while the Android link led to a SpyNote RAT APK file.

The fake Google Meet page, showing the fraudulent domain in the address bar for a fake Google Meet Windows application links to a malicious BAT file that downloads and executes malware. (Source: Zscaler)

Zoom:

Later, a fake Zoom site, us06webzoomus[.]pro, emerged with links to download SpyNote RAT for Android and DCRat for Windows.

The site closely resembled a legitimate Zoom meeting ID.

The fake Zoom page shows a domain similar to the real Zoom domain in the address bar and a link to the malicious APK file that contains SpyNote RAT when the Google Play button is clicked. (Source: Zscaler

Open Directories:

The fake Google Meet and Zoom sites also contained additional malicious files like driver.exe and meet.exe (NjRAT), indicating potential future campaigns utilizing these files.

Example of additional malicious files hosted on the websites hosting fake online meeting applications. (Source: Zscaler)

Businesses are at risk of impersonation attacks through online meeting applications, leading to the distribution of RATs that can compromise sensitive data.

Vigilance, robust security measures, regular updates, and patches are crucial in safeguarding against evolving cyber threats. Proactive measures are essential as cyber threats evolve.

Zscaler’s ThreatLabz team remains dedicated to monitoring these threats and sharing insights with the community.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Indonesia Government Data Breach – Hackers Leaked 82 GB of Sensitive Data Online

Hackers have reportedly infiltrated and extracted a vast 82 GB of sensitive data from the Indonesian…

7 hours ago

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating system…

8 hours ago

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability in Apache…

8 hours ago

USA Launched Cyber Attack on Chinese Technology Firms

The Chinese National Internet Emergency Center (CNIE) has revealed two significant cases of cyber espionage…

9 hours ago

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…

2 days ago

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

3 days ago