A threat actor is creating fake Skype, Google Meet and Zoom meeting sites that mimic these popular collaboration applications, and is using them to spread commodity malware that can steal sensitive data from both Android and Windows users.
The campaign, which began in December, demonstrates an emerging cybersecurity threat to business users, researchers at Zscaler's ThreatLabz revealed in a blog post on March 6. The attackers are using shared web hosting to serve the fake online meeting sites from a single IP address, under various URLs that are convincingly similar to the real websites of the imitated services. The Skype campaign, for example, used "join-skype[.]info", while Google Meet users were encouraged to join meetings via "online-cloudmeeting[.]professional". The Zoom lure in the campaign uses "us06webzoomus[.]professional".
Threat actors are exploiting these lures to deliver widely available payloads to cross-platform users: the Android-focused SpyNote RAT, and NjRAT and DCRat, which compromise Windows users, researchers said.
"A threat actor is using these decoys to deploy RATs for Android and Windows, which can steal sensitive information, log keystrokes, and steal files," ThreatLabz researchers Himanshu Sharma, Arkaprava Tripathi, and Meghraj Nandanwar wrote in their post on the campaign.
Efforts to lure users with Skype and Google Meet began in December, and the attacker began impersonating Zoom in January.
Spoofed meeting invitations offer one click to compromise
Just as each campaign has its own lure, so each attack vector was unique in its execution, though with similarities between them. In the Skype campaign, the link takes Windows users to a file called Skype8.exe, a malicious executable masquerading as a Skype download, while those who clicked the Google Play link were directed to the malicious file Skype.apk. Both files ultimately deliver a malicious payload.
The fake Google Meet site provides links to download a fake Skype application for Android (in reality, SpyNote RAT) and/or Windows (a BAT file that downloads the DCRat payload).
The fake Zoom site differs slightly in that it uses an additional trick to deceive users: it presents a link with a subpath that closely resembles a meeting ID generated by the Zoom client.
The fake Google Meet and Zoom websites also resemble each other in that both contain an open directory with two additional Windows executables – driver.exe and meet.exe – that conceal NjRAT.
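The lure pages described above share three observable traits a defender can look for in web proxy or DNS logs: a brand word (skype, meet, zoom) in a hostname that is not the service's real domain, a direct download of an EXE, APK or BAT file, and a path segment that mimics a meeting ID. The following detection script is an added example and is not code from the article or from Zscaler's ThreatLabz; it assumes a simple whitespace-separated proxy log format, an allowlist of the genuine registered domains (skype.com, google.com, zoom.us), and a 9 to 11 digit length for meeting-ID-like paths. The hostnames in the constructed sample log are the ones named in the article; the paths, client addresses and timestamps are made up.

```python
import re
from urllib.parse import urlparse

# Official registered domains of the impersonated services (public knowledge,
# not taken from the article). Anything under these is trusted by this check.
OFFICIAL_DOMAINS = {"skype.com", "google.com", "zoom.us"}

# Brand words that the lure hostnames in the article reuse.
BRAND_WORDS = ("skype", "zoom", "meet")

# File types the article names as payload carriers (EXE, APK, BAT).
PAYLOAD_EXTENSIONS = (".exe", ".apk", ".bat")

# A path that is a single run of 9 to 11 digits looks like a Zoom meeting ID
# (assumed length range, chosen for this example).
MEETING_ID_PATH = re.compile(r"^/\d{9,11}/?$")

# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url>".
# Hostnames come from the article; paths, IPs and timestamps are made up.
SAMPLE_LOG = """\
2024-01-15T10:02:11Z 10.0.0.12 GET hxxps://join-skype[.]info/Skype8.exe
2024-01-15T10:03:40Z 10.0.0.19 GET hxxps://online-cloudmeeting[.]professional/driver.exe
2024-01-15T10:05:02Z 10.0.0.23 GET hxxps://us06webzoomus[.]professional/83719224501/
2024-01-15T10:06:30Z 10.0.0.23 GET https://us06web.zoom.us/j/83719224501
2024-01-15T10:07:12Z 10.0.0.31 GET https://meet.google.com/abc-defg-hij
2024-01-15T10:08:55Z 10.0.0.44 GET https://example.com/index.html
"""


def refang(url):
    """Turn a defanged IoC (hxxps://x[.]y) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def registered_domain(host):
    """Last two labels of the hostname. Good enough for the TLDs used here;
    a real deployment would consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lure_indicators(url):
    """Return the reasons a URL looks like a collaboration-app lure (empty if none)."""
    parsed = urlparse(refang(url))
    host = parsed.hostname or ""
    if registered_domain(host) in OFFICIAL_DOMAINS:
        return []  # genuine service, nothing to report
    reasons = []
    if any(word in host for word in BRAND_WORDS):
        reasons.append("brand word in non-official hostname")
    if parsed.path.lower().endswith(PAYLOAD_EXTENSIONS):
        reasons.append("direct download of " + parsed.path.rsplit("/", 1)[-1])
    if MEETING_ID_PATH.match(parsed.path):
        reasons.append("path mimics a meeting ID")
    return reasons


def scan_log(text):
    """Return a list of (client_ip, url, reasons) for every flagged log line."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed line: skip it rather than crash the scan
        _, client_ip, _, url = fields
        reasons = lure_indicators(url)
        if reasons:
            hits.append((client_ip, refang(url), reasons))
    return hits


if __name__ == "__main__":
    for client_ip, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{client_ip} -> {url}: {'; '.join(reasons)}")
```

Run as written, the script flags the three lure requests and leaves the genuine Zoom and Google Meet URLs alone because the allowlist is checked first. The brand-word test is deliberately coarse (any hostname containing "meet" matches), so in practice it is the combination of signals, or a single signal plus a newly registered domain, that is worth an alert, and the hit list is meant to feed a triage queue rather than an automatic block.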
“The presence of these files suggests that the attacker may be using them in other campaigns, given their distinct names,” the researchers noted.
Protect business users from evolving cyber threats
Businesses must take measures "to protect themselves from advanced infections and evolving malware threats", according to ThreatLabz.
To this end, the researchers highlighted the importance of regular updates and security patches, which leave attackers fewer entry points through which to compromise users. The post also includes a list of the specific MITRE ATT&CK techniques observed during the sandbox analysis conducted for the research.