These fake Zoom websites want to trick you into downloading malware

If you are looking to download the Zoom video conferencing platform, double-check the internet address you are downloading from, as there are many fake websites that spread various types of viruses and malware.

Cyble researchers investigated reports of a widespread campaign targeting potential Zoom users and discovered six fake installation sites hosting various info stealers and other malware variants.

One of the information stealers discovered was Vidar Stealer, capable of stealing banking information, stored passwords, browsing history, IP addresses, cryptocurrency wallet details, and in some cases, MFA information as well.

Various campaigns

“Based on our recent observations, actively run various campaigns to spread information about the thieves,” the researchers said. “Stealer Logs can provide access to compromised endpoints, which are sold on cybercrime marketplaces. We have seen multiple breaches where the theft logs provided the necessary initial access to the victim's network.”

The six discovered sites are on zoom-downloadhost, zoom-downloadspace, zoom-downloadzoom funhost, zoomustech and zoomuswebsite and, according to The Register, are still operational.

Visitors would be redirected to a GitHub URL that shows which apps they can download. If the victim chooses the malicious one, two binaries are dropped into the temporary folder: ZOOMIN-1.EXE and Decoder.exe. The malware then injects itself into MSBuild.exe and extracts the IP addresses hosting the DLLs as well as configuration data, the researchers said.

“We found that this malware had overlapping tactics, techniques, and procedures (TTP) with Vidar Stealer,” the researchers wrote, adding that, like Vidar Stealer, “this malware payload hides the C&C IP address in the Telegram description. The rest of the infection techniques appear to be similar.”
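The infection chain described above (binaries dropped into the temp folder, MSBuild.exe abused as an injection host, C&C address fetched via Telegram) can be turned into a simple triage pass over endpoint telemetry. This is an added example, not code from the article or from Cyble; the Sysmon-style event fields, the sample events and the list of Telegram hosts are constructed assumptions.

```python
import re

# Constructed sample telemetry (Sysmon-style fields); not taken from the article.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\ZOOMIN-1.EXE",
     "parent": r"C:\Users\alice\Downloads\ZoomInstallerFull.exe"},
    {"type": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\Decoder.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\ZOOMIN-1.EXE"},
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\Decoder.exe"},
    {"type": "network_connect", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "dest_host": "t.me"},
    # Benign noise: MSBuild started by a build tool, and the real Zoom client talking to zoom.us.
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"},
    {"type": "network_connect", "image": r"C:\Program Files\Zoom\bin\Zoom.exe", "dest_host": "zoom.us"},
]

# File names the article reports being dropped into the temporary folder.
DROPPED_NAMES = {"zoomin-1.exe", "decoder.exe"}
# Telegram hosts an injected MSBuild.exe might contact to read the C&C address (assumed list).
TELEGRAM_HOSTS = {"t.me", "telegram.me", "telegram.org"}
# User-writable locations where a dropped or downloaded executable would normally live.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads)\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (rule, image) findings for events matching the reported infection chain."""
    findings = []
    for ev in events:
        image = ev["image"]
        if ev["type"] == "process_create":
            # Known dropper names executing from a temp/download directory.
            if basename(image) in DROPPED_NAMES and USER_WRITABLE.search(image):
                findings.append(("dropped_binary_in_temp", image))
            # MSBuild.exe launched by something living in a user-writable folder.
            if basename(image) == "msbuild.exe" and USER_WRITABLE.search(ev["parent"]):
                findings.append(("msbuild_from_user_writable_parent", image))
        elif ev["type"] == "network_connect":
            # A build tool has no business talking to Telegram.
            if basename(image) == "msbuild.exe" and ev["dest_host"].lower() in TELEGRAM_HOSTS:
                findings.append(("msbuild_telegram_lookup", image))
    return findings


if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

The benign MSBuild.exe launch and the genuine Zoom connection produce no findings, which is the point of keying on parent location and destination rather than on the process name alone.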

The best way to avoid this malware is to check where your Zoom programs are coming from.

Via: The Register