If you want to download the Zoom video conferencing platform, make sure you double-check the internet address you are downloading from, because there are many fake websites that distribute all kinds of nasty viruses and malware.
Researchers at Cyble investigated reports of the campaign, which has the potential to target users at scale, and discovered six fake installation sites hosting information stealers and other malware.
One of the information stealers exposed was Vidar Stealer, capable of stealing banking information, stored passwords, browser history, IP addresses, cryptocurrency wallet details and, in some cases, MFA information as well.
“Based on our latest observations, [criminals] are actively conducting several campaigns for the distribution of information stealers,” the researchers said. “Stealer logs can provide access to compromised endpoints that are sold on cybercrime marketplaces. We’ve seen several breaches where stolen logs provided the necessary initial access to the victim’s network.”
The six sites are loaded at scale[.]owner, zoom download[.]space, zoom-load[.]have fun, zoomus[.]host, zoomus[.]technology and zoomus[.]site, and according to The Register they were still online.
Visitors are redirected to a GitHub URL that shows which apps they can download. When the victim picks the fake app, two binaries are dropped in the temp folder: ZOOMIN-1.EXE and Decoder.exe. The malware also injects itself into MSBuild.exe and retrieves the IP addresses where the DLLs are hosted, as well as configuration data.
“We found that this malware has overlapping tactics, techniques and procedures (TTPs) with Vidar Stealer,” the researchers wrote, adding that, like Vidar Stealer, “this malware hides the C&C IP address in the Telegram description. Methods of infection appear to be similar.”
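As an added example (not from the Cyble report or this article), the chain described above expressed as detection logic over constructed Sysmon-style events: the two dropped binaries executing from the temp folder, MSBuild.exe launched by a temp-folder binary, and MSBuild.exe contacting Telegram. The temp-path pattern and the Telegram hostnames are assumptions; the binary names come from the article.

```python
import re
from typing import Dict, List, Tuple

# Binary names are from the article; temp-path pattern and Telegram hosts are
# assumptions chosen to express the behaviour generically.
DROPPED_BINARIES = {"zoomin-1.exe", "decoder.exe"}
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
TELEGRAM_HOSTS = {"t.me", "telegram.org", "telegram.me"}

def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, evidence) pairs for events matching the infection chain."""
    hits = []
    for ev in events:
        image = ev.get("Image", "")
        name = _basename(image)
        if ev["EventID"] == "1":  # process creation
            # Rule 1: the dropped binaries executing from a temp folder
            if name in DROPPED_BINARIES and TEMP_DIR.search(image):
                hits.append(("dropped_binary_in_temp", image))
            # Rule 2: MSBuild.exe started by a temp-folder binary (injection host)
            parent = ev.get("ParentImage", "")
            if name == "msbuild.exe" and TEMP_DIR.search(parent):
                hits.append(("msbuild_spawned_from_temp", parent))
        elif ev["EventID"] == "3":  # network connection
            host = ev.get("DestinationHostname", "").lower()
            # Rule 3: MSBuild.exe reaching Telegram, consistent with the C&C
            # address being fetched from a Telegram description
            if name == "msbuild.exe" and host in TELEGRAM_HOSTS:
                hits.append(("msbuild_to_telegram", host))
    return hits

# Constructed sample telemetry (not taken from the report)
SAMPLE_EVENTS = [
    {"EventID": "1", "Image": r"C:\Users\alice\AppData\Local\Temp\ZOOMIN-1.EXE",
     "ParentImage": r"C:\Users\alice\Downloads\ZoomInstaller.exe"},
    {"EventID": "1", "Image": r"C:\Users\alice\AppData\Local\Temp\Decoder.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\ZOOMIN-1.EXE"},
    {"EventID": "1", "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\Decoder.exe"},
    {"EventID": "3", "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "DestinationHostname": "t.me"},
    {"EventID": "1", "Image": r"C:\Program Files\Zoom\bin\Zoom.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},  # benign: produces no hit
]
```

Running `detect(SAMPLE_EVENTS)` yields four hits, one per stage of the chain, and none for the benign Zoom launch.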
The best way to avoid this malware is to double-check where you are getting your Zoom apps from.
Via: The Register