When Cyble Research and Intelligence Labs (CRIL) was carrying out routine threat hunting exercises, it came across a tweet that mentioned numerous fake Zoom sites being created, which caught the attention of the researchers. 

There is a lot of similarity in the user interfaces of these sites. The purpose of these sites is to infect people with malware disguised as Zoom’s legitimate application, using this site as a vehicle for spreading malware.

After conducting further investigation, the cybersecurity analysts found that Vidar Stealer was being spread on these sites. Vidar is a malicious program that steals information from its victims including the following data:-

  • Banking Information
  • Saved Passwords
  • IP Addresses
  • Browser history
  • Login credentials
  • Crypto-wallets

The Arkei stealer is connected to this stealer, which means that both are related. 

EHA

Fake Zoom sites

There are a number of fake Zoom sites currently being used by the threat actors, including the following:-

  • zoom-download[.]host
  • zoom-download[.]space
  • zoom-download[.]fun
  • zoomus[.]host
  • zoomus[.]tech
  • zoomus[.]website

A malicious application is downloaded from the backend of the fake sites by navigating to this GitHub URL:-

  • https[:]//github[.]com/sgrfbnfhgrhthr/csdvmghfmgfd/raw/main/Zoom.zip

In the temporary folder of the target machine, the malicious application drops two binaries that are:-

  • ZOOMIN~1.EXE
  • Decoder.exe

Infection Chain

A malicious .NET binary named Decoder.exe is injected into MSBuild.exe and executes the hackers’ code in order to steal information from the machine. 

MSBuild (Microsoft Build Engine) is a platform that is used to create applications that are built using the .NET Framework. While the ZOOMIN~1.EXE file is a clean file and it executes the genuine Zoom installer only.

Injection of the malware into MSBuild.exe allows it to retrieve the IP addresses associated with the DLLs and configuration information that are hosted there.

Thereafter, the malware receives the configuration data from the command and control servers, as well as DLLs. In order to remove itself from the victim’s device, the malware uses the following command line arguments after successfully executing the following commands:-

  • C:\Windows\System32\cmd.exe” /c taskkill /im MSBuild.exe /f & timeout /t 6 & del /f /q
  • “C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe” & del C:\PrograData\*.dll & exit

Recommendations

Here below we have mentioned all the recommendations provided by the security experts:-

  • The use of warez/torrent websites should be avoided if you want to avoid downloading pirated software.
  • Ensure that your password is strong. 
  • Whenever possible, ensure that multi-factor authentication is implemented.   
  • Ensure that your mobile phone, computer, and other devices connected to the internet are configured to update automatically.  
  • It is important to use a reputable anti-virus program on all the devices you connect to the internet.
  • It is advisable not to open untrusted links or email attachments without first verifying that the links and attachments are authentic.
  • You should educate employees regarding the safe handling of information such as phishing emails and untrusted URLs.
  • In order to prevent malware from spreading, block URLs that could be used to do so.
  • In order to prevent data exfiltration by malware, the beacon should be monitored at the network level.

Download Free SWG – Secure Web Filtering – E-book

BALAJI is a Former Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.