Zoom video call software continues to be a staple in work environments. Despite a slow, post-lockdown easing back to the "old normal," many businesses still have remote workers, or people working in different geographies. It's no surprise then to see criminals continuing to abuse Zoom's popularity, in the hope of netting interested parties and, potentially, luring current users into downloading and installing malware.
This particular campaign, initially discovered by an Internet researcher going by the handle @idclickthat, gets unsuspecting users to download an information-stealer—spyware, if you prefer—from fake sites hosting malformed Zoom installers (malware bundled with a legitimate Zoom installer) onto their work systems.
Malware @Zoom downloads 🤖— idclickthat (@idclickthat) September 12, 2022
PDRhttps://t.co/7NJ4fEJ9Su@ULTRAFRAUD @malwrhunterteam @JAMESWT_MHT @illegalFawn @nullcookies @AlvieriD @BumbledBubble @ActorExpose pic.twitter.com/JYq2UJEMQ7
Further analysis from researchers at Cyble reveals this spyware is known as the Vidar Stealer, which it did a deep-dive on last year. Vidar steals user credentials, banking information, saved passwords, IP addresses, and other sensitive information. Findings reveal six fake Zoom download sites, but they are no longer accessible. According to idClickThat, the only difference between the home page of the fake Zoom download sites and the real one is the addition of a "download" button in the main image.
It isn't clear how users encountered these fake download sites, but those that did downloaded a file called
Zoom.exe. Once executed, it dropped two payloads: The legitimate software installer and malware named
Decoder.exe, which then dropped Vidar malware. This spyware was then injected into
MSBuild.exe, a platform used to build applications.
Once injected, Vidar extracted a command-and-control IP addresses from two profiles created on Telegram and
ieji.de, an anonymous social platform based on an instance of Mastodon. These URLs, per Cyble researchers, house DLL files and configuration data the spyware needs to function.
Note that information stealers like Vidar can harvest credentials that put your business network at risk. Threat actors can sell this access to the highest bidders, who can use it to break into your company network, steal information and plant ransomware.
So, before downloading files that claim to be legitimate, it pays to do a quick online search for the software's official website. Of course it also pays to have good security software that blocks malware, so that accidents can be stopped before they turn into a problem for your computer and your employer's network.