Zoom Users Are Targeted By New Malware Campaign
During routine threat hunting, Terraeagle came across a researcher's tweet about several impostor Zoom websites. The sites copy the look of the legitimate Zoom download page and exist solely to distribute malware disguised as the Zoom client.
On closer inspection, we found that these websites were distributing Vidar Stealer. Vidar is an information-stealing malware that harvests banking details, saved passwords, IP address information, browser history, login credentials and cryptocurrency wallets from the victim. Vidar is a fork of the Arkei stealer. The image below shows the fake Zoom site.
Analysis
The fake Zoom sites currently in use include:
Upon execution, the malicious installer drops two binaries into the user's temporary folder:
Decoder.exe is a malicious .NET binary that launches MSBuild.exe and injects the stealer code into it. Microsoft Build Engine (MSBuild) is a legitimate, signed component of the .NET Framework used to build applications, so the stealer ends up running under the name of a trusted Windows binary. ZOOMIN~1.EXE is a clean file that launches the legitimate Zoom installer, so the victim sees the expected Zoom setup and has no reason to suspect anything.
The image below shows the Process Tree of the malicious application.
Once running inside MSBuild.exe, the stealer needs the IP address of the server that hosts its DLLs and configuration data. Rather than hard-coding that address, it retrieves it from the following URLs, using whichever of them is online:
The image below shows the malware’s network activity.
Threat actors use this technique, known as a dead-drop resolver (MITRE ATT&CK T1102.001), to hide command-and-control (C&C) IP addresses inside a legitimate, high-reputation web service: the resolver traffic blends in with normal browsing, and the address can be rotated by editing a profile instead of rebuilding the payload. The image below shows the IP address placed in the profile description of Telegram user “@karacakahve” and of user “@tiagoa96” on ieji.de.
With the C&C address resolved, the malware downloads its configuration data and DLLs from the C&C server. The image below displays the network activity with the C&C server.
We found that this sample shares its Tactics, Techniques, and Procedures (TTPs) with Vidar Stealer. Compared with our previous analysis of Vidar Stealer, the one notable change in this payload is that the C&C IP address is hidden in a Telegram profile description; the rest of the infection chain appears unchanged.
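The dead-drop lookup described above, as an added example that is not Terraeagle's code or code recovered from the sample: given the HTML of a public profile page, pull the description text and treat the first valid IPv4 address in it as the C&C address. The profile HTML is constructed here so the script runs offline, the class name tgme_page_description is assumed from the layout of t.me profile pages and may change, and the fallback to scanning the whole page when the description yields nothing is an assumption rather than documented behaviour of the malware.

```python
import ipaddress
import re
from html.parser import HTMLParser
from typing import Optional

# Constructed, Telegram-style profile page (not a capture from the campaign).
# The addresses are RFC 5737 documentation space, not real C&C servers.
SAMPLE_PROFILE_HTML = """
<html><body>
<div class="tgme_page_title"><span dir="auto">example_user</span></div>
<div class="tgme_page_description" dir="auto">
  hello 192.0.2.45<br>app version 2.10.3 build 999.1.1.1
</div>
<div class="tgme_page_extra">footer 203.0.113.9</div>
</body></html>
"""

# Tags that never carry a closing tag; they must not change nesting depth.
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class _DescriptionParser(HTMLParser):
    """Collect the text inside the element carrying the description class."""

    def __init__(self, marker_class: str) -> None:
        super().__init__()
        self.marker_class = marker_class
        self._depth = 0              # > 0 while inside the description element
        self.chunks: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        classes = (dict(attrs).get("class") or "").split()
        if self._depth > 0:
            self._depth += 1
        elif self.marker_class in classes:
            self._depth = 1

    def handle_startendtag(self, tag, attrs):
        pass                         # <br/> and friends: no effect on depth

    def handle_endtag(self, tag):
        if self._depth > 0 and tag not in VOID_TAGS:
            self._depth -= 1

    def handle_data(self, data):
        if self._depth > 0:
            self.chunks.append(data)


def description_text(html: str, marker_class: str = "tgme_page_description") -> str:
    """Whitespace-normalised text of the profile description, or '' if absent."""
    p = _DescriptionParser(marker_class)
    p.feed(html)
    p.close()
    # Join chunks with a space so text split by <br> does not run together.
    return " ".join(" ".join(p.chunks).split())


def candidate_ips(text: str) -> list[str]:
    """Syntactically valid, non-loopback IPv4 addresses, in order of appearance."""
    found = []
    for token in IPV4_RE.findall(text):
        try:
            ip = ipaddress.IPv4Address(token)
        except ValueError:           # e.g. 999.1.1.1 looks like an address but is not
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        found.append(str(ip))
    return found


def resolve_c2(html: str) -> Optional[str]:
    """Mimic the resolver: the first address in the description wins.

    Falling back to the whole page when the description yields nothing is an
    assumption made for this example, not behaviour documented for the sample.
    """
    ips = candidate_ips(description_text(html))
    if not ips:
        ips = candidate_ips(re.sub(r"<[^>]+>", " ", html))
    return ips[0] if ips else None


if __name__ == "__main__":
    print(resolve_c2(SAMPLE_PROFILE_HTML))
```

The same routine, pointed at a saved copy of the profile page on a schedule, is how a threat-intelligence team would watch for the C&C address being rotated without re-running the sample; the decoy strings in the constructed description (a version number and an out-of-range octet) show why validating each match with ipaddress is needed rather than trusting the regular expression alone.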
The image below shows the hardcoded stealer strings.
Once the stealer has finished, it removes its traces from the victim's device with the following command line, which kills the injected MSBuild.exe process, waits six seconds, deletes the quoted MSBuild.exe binary, and removes the DLLs under C:\ProgramData:
“C:\Windows\System32\cmd.exe” /c taskkill /im MSBuild.exe /f & timeout /t 6 & del /f /q “C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe” & del C:\ProgramData\*.dll & exit
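Detection logic for the host-side behaviour described above (MSBuild.exe spawned by a binary in the temp folder, MSBuild.exe making outbound connections, and the self-deletion command line), as an added example that is not Terraeagle's code or a rule from the post. It runs three checks over constructed Sysmon-style process-creation and network-connection records; the field names, the installer and user names in the sample events, and the RFC 5737 address are all assumptions made for the example and should be mapped onto your own telemetry.

```python
import re
from dataclasses import dataclass

MSBUILD = "msbuild.exe"
# Parent launched from a temp directory (Decoder.exe is dropped there).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Shape of the clean-up command line quoted above: kill the injected
# process, pause, delete the binary, then sweep DLLs out of ProgramData.
SELF_DELETE_RE = re.compile(
    r"taskkill\s+/im\s+\S+.*?&\s*timeout\s+/t\s+\d+.*?&\s*del\s+/f\s+/q",
    re.IGNORECASE,
)
DLL_SWEEP_RE = re.compile(r"del\s+\S*programdata\\\*\.dll", re.IGNORECASE)


@dataclass
class Event:
    """Minimal Sysmon-like record; the field names are this example's own."""
    event: int                 # 1 = process create, 3 = network connect
    image: str
    parent_image: str = ""
    command_line: str = ""
    dest: str = ""             # "ip:port" for event 3


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, detail) pairs, one per matching event, in input order."""
    hits = []
    for e in events:
        img = basename(e.image)
        parent = e.parent_image.lower()
        if e.event == 1 and img == MSBUILD and any(m in parent for m in TEMP_MARKERS):
            hits.append(("msbuild_from_temp_parent", f"{e.parent_image} -> {e.image}"))
        if e.event == 3 and img == MSBUILD:
            hits.append(("msbuild_network", f"{e.image} -> {e.dest}"))
        if e.event == 1 and img == "cmd.exe":
            if SELF_DELETE_RE.search(e.command_line) and DLL_SWEEP_RE.search(e.command_line):
                hits.append(("self_delete_chain", e.command_line))
    return hits


# Constructed events modelled on the process tree described above; the
# installer name "ZoomSetup.exe" and the user name are invented.
FRAMEWORK = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\"
TEMP = "C:\\Users\\victim\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [
    Event(1, TEMP + "Decoder.exe", parent_image="C:\\Users\\victim\\Downloads\\ZoomSetup.exe"),
    Event(1, TEMP + "ZOOMIN~1.EXE", parent_image="C:\\Users\\victim\\Downloads\\ZoomSetup.exe"),
    Event(1, FRAMEWORK + "MSBuild.exe", parent_image=TEMP + "Decoder.exe"),
    Event(3, FRAMEWORK + "MSBuild.exe", dest="192.0.2.45:80"),
    Event(1, "C:\\Windows\\System32\\cmd.exe", parent_image=FRAMEWORK + "MSBuild.exe",
          command_line='"C:\\Windows\\System32\\cmd.exe" /c taskkill /im MSBuild.exe /f '
                       '& timeout /t 6 & del /f /q "' + FRAMEWORK + 'MSBuild.exe" '
                       '& del C:\\ProgramData\\*.dll & exit'),
    # Benign: MSBuild started by Visual Studio from Program Files.
    Event(1, FRAMEWORK + "MSBuild.exe",
          parent_image="C:\\Program Files\\Microsoft Visual Studio\\2022\\Community"
                       "\\Common7\\IDE\\devenv.exe"),
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The self-deletion chain is the most specific of the three checks and rarely has a benign twin; the network check will fire on developer workstations where MSBuild legitimately restores packages, so scope it to hosts that should never build software or pair it with the temp-parent check before alerting.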
Conclusion
Based on our recent observations, threat actors are actively running multiple campaigns to spread information stealers. The resulting stealer logs, which contain the credentials and session data needed to access compromised endpoints, are sold on cybercrime marketplaces, and we have seen multiple breaches in which stealer logs provided the initial access to the victim's network. This campaign targets Zoom users. We suggest verifying the legitimacy of the source (for Zoom, the vendor's own zoom.us domain) before downloading or running any executable.
Our Recommendations
We have listed some essential cybersecurity best practices that form the first line of defence against attackers. We recommend that our readers follow the suggestions given below: