Spoofed Zoom, Google & Skype Meetings Spread Corporate RATs

A Russian-language campaign aims to compromise corporate users on both Windows and Android devices by mimicking popular online collaboration applications.
March 6, 2024
A threat actor is creating fake Skype, Google Meet, and Zoom meetings, mimicking these popular collaboration applications to spread various commodity malware that can steal sensitive data from both Android and Windows users.
The campaign, which began in December, demonstrates an emerging cybersecurity threat for corporate users, researchers from Zscaler's ThreatLabz revealed in a blog post on March 6. The attackers are using shared Web hosting to serve the fake online meeting sites from a single IP address, under URLs that are convincingly similar to the actual websites of the services being impersonated. The Skype campaign, for instance, used "join-skype[.]info," while Google Meet users were enticed to join meetings via "online-cloudmeeting[.]pro." The Zoom campaign uses "us06webzoomus[.]pro."
The threat actors are using the gambit to deliver widely available payloads to attack cross-platform users, wielding the Android-focused SpyNote RAT, and the NjRAT and DCRat, which compromise Windows users, the researchers said.
"A threat actor is using these lures to distribute RATs for Android and Windows, which can steal confidential information, log keystrokes, and steal files," ThreatLabz researchers Himanshu Sharma, Arkaprva Tripathi, and Meghraj Nandanwar wrote in the post on the campaign.
The efforts to lure users with Skype and Google Meet began in December, and the attacker started impersonating Zoom in January.
Just as each campaign has its own lure, each attack vector was unique in its execution, with some similarities between them. In the Skype campaign, the link leads Windows users to a file named Skype8.exe, a malicious executable disguised as a Skype download, while those clicking on the link via Google Play were pointed to the malicious file Skype.apk. Both files ultimately deliver a malicious payload.
The fake Google Meet site provides links to download a fake Skype application for Android (in actuality, the SpyNote RAT) and/or Windows (a BAT file that downloads the DCRat payload).
The fake Zoom site is a bit different in that it uses an extra trick to try to fool users, presenting a link with a subpath that closely resembles a meeting ID generated by the Zoom client.
There is also a similarity between the fake Google Meet and Zoom websites: both contain an open directory with two additional Windows executable files, driver.exe and meet.exe, hiding NjRAT.
"The presence of these files suggests that the attacker may utilize them in other campaigns, given their distinct names," the researchers noted.
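The indicators described above (the three lookalike domains, the meeting-ID-style subpath, and the dropped filenames) can be turned into a simple detection over outbound proxy logs. The following script is an added example for this article and is not code from Zscaler ThreatLabz or Dark Reading; the log lines are constructed, the log format (timestamp, source IP, method, URL) and the allowlist of legitimate apex domains are assumptions that would need to match your own environment.

```python
import re
from urllib.parse import urlparse

# Lookalike domains named in the article (defanged brackets removed).
KNOWN_LOOKALIKE_DOMAINS = {
    "join-skype.info",
    "online-cloudmeeting.pro",
    "us06webzoomus.pro",
}

# Assumption: legitimate apex domains for the impersonated services.
# Your allowlist may differ (regional Zoom domains, vanity subdomains).
LEGIT_APEX = {"skype.com", "zoom.us", "google.com"}

# Brand strings an impersonating hostname is likely to contain.
BRAND_KEYWORDS = ("skype", "zoom", "meet")

# Filenames named in the article as the delivered payloads.
SUSPICIOUS_FILENAMES = {"skype8.exe", "skype.apk", "driver.exe", "meet.exe"}


def is_legit(host):
    """True if host is one of the allowlisted apex domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_APEX)


def classify_url(url):
    """Return the reasons a URL resembles the collaboration-app lure; empty list if none."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    path = parsed.path
    reasons = []
    if host in KNOWN_LOOKALIKE_DOMAINS:
        reasons.append("known lookalike domain")
    if not is_legit(host):
        if any(k in host for k in BRAND_KEYWORDS):
            reasons.append("brand keyword in non-official domain")
        # Zoom meeting IDs are 9-11 digits; the fake site mimicked that subpath.
        if re.search(r"/(?:j/)?\d{9,11}(?:/|$|\?)", path):
            reasons.append("meeting-id-like path on non-official domain")
    filename = path.rsplit("/", 1)[-1].lower()
    if filename in SUSPICIOUS_FILENAMES:
        reasons.append(f"download of {filename}")
    return reasons


# Constructed sample proxy log: timestamp, client IP, method, URL.
SAMPLE_PROXY_LOG = """\
2024-03-06T09:12:01Z 10.1.4.22 GET https://zoom.us/j/93812345678
2024-03-06T09:13:44Z 10.1.4.22 GET https://us06webzoomus.pro/j/93812345678
2024-03-06T09:15:10Z 10.1.7.9 GET https://online-cloudmeeting.pro/driver.exe
2024-03-06T09:16:30Z 10.1.7.9 GET https://join-skype.info/Skype8.exe
2024-03-06T09:18:02Z 10.1.2.3 GET https://meet.google.com/abc-defg-hij
2024-03-06T09:19:45Z 10.1.2.3 GET https://cdn.example.com/meetings/meet.exe
"""


def scan_proxy_log(text):
    """Return (client_ip, url, reasons) for every log line that trips a rule."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than crash on them
        _timestamp, client_ip, _method, url = fields[:4]
        reasons = classify_url(url)
        if reasons:
            hits.append((client_ip, url, reasons))
    return hits


if __name__ == "__main__":
    for client_ip, url, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client_ip} {url} -> {', '.join(reasons)}")
```

The legitimate `zoom.us/j/...` and `meet.google.com` requests pass untouched, while the three article domains and the stray `meet.exe` download are flagged with the specific rule that fired, which is what an analyst wants when triaging. The keyword rule is deliberately loose (it matches `cloudmeeting`) and will need tuning against benign domains that happen to contain those strings.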
Enterprises should take measures "to protect against advanced and evolving malware threats," according to ThreatLabz.
To that end, the researchers stressed the importance of regular updates and security patches to give attackers fewer entry points. They also included in the post a list of the specific MITRE ATT&CK techniques triggered during the sandbox analysis conducted for the research.
Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
