Beware of Malware-Delivering Spoofing Websites for Google Meet, Skype, and Zoom
Since December 2023, threat actors have been using fictitious websites that promote well-known video conferencing apps like Zoom, Skype, and Google Meet to spread a range of malware that targets users of Windows and Android.
“The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems,” researchers from Zscaler ThreatLabz said.
The fact that the fake websites are housed on domains that closely resemble authentic websites and are written in Russian suggests that the attackers are using typosquatting techniques to deceive potential victims into downloading the malware.
They also provide links to download the app for Windows, iOS, and Android. Clicking the Windows app button initiates the download of a batch script, while clicking the Android button downloads an APK file.
The remote access trojan is downloaded and executed via a PowerShell script that is run by the malicious batch script.
Since tapping the iOS app’s button directs users to Skype’s official Apple App Store listing, there is currently no proof that the threat actor is focusing on iOS users.
“A threat actor is using these lures to distribute RATs for Android and Windows, which can steal confidential information, log keystrokes, and steal files,” according to the investigators.
This development coincides with the discovery by the AhnLab Security Intelligence Center (ASEC) of a new virus known as WogRAT that targets both Linux and Windows. WogRAT abuses the free online notepad platform aNotepad, employing it as a covert vector to host and retrieve malicious code.
According to reports, it will begin operating at least in late 2022 and will primarily target Asian nations such as China, Hong Kong, Japan, and Singapore. Nevertheless, the manner in which the virus spreads in the wild is presently unknown.
“When WogRAT is run for the first time, it collects basic information of the infected system and sends them to the C&C server,” stated ASEC. “The malware then supports commands such as executing commands, sending results, downloading files, and uploading these files.”
Additionally, it aligns with massive phishing attempts that are being coordinated by TA4903, a financially motivated cybercriminal actor, with the aim of stealing corporate credentials and perhaps using them in conjunction with business email compromise (BEC) attacks. The enemy has been engaged in activity since at least 2019, and by mid-2023, their efforts will likely accelerate.
“TA4903 routinely conducts campaigns spoofing various U.S. government entities to steal corporate credentials,” Proofpoint said. “The actor also spoofs organizations in various sectors including construction, finance, healthcare, food and beverage, and others.”
Attack chains employ the EvilProxy adversary-in-the-middle (AiTM) phishing kit to get beyond two-factor authentication (2FA) security measures, as well as QR codes (also known as quishing) for credential phishing.
With the ultimate objective of taking over active email threads and committing invoice fraud, the threat actor has been seen looking for information pertaining to payments, invoices, and bank details after they have gained access to a target mailbox.
Phishing campaigns have also used as a distribution channel for other malware families, such as Remcos RAT (which uses steganographic decoys to deliver malware on vulnerable hosts) and DarkGate.