If you're looking to download the video conferencing platform Zoom, make sure you double-check the web address you're downloading from, because there are plenty of fake websites out there spreading all kinds of malware.
Researchers from Cyble have been investigating reports of a widespread campaign targeting would-be Zoom users, and have so far uncovered six fake installer sites that host various infostealers and other malware variants.
One of the infostealers discovered was Vidar Stealer, which is capable of stealing banking information, saved passwords, browser history, IP addresses, details about cryptocurrency wallets and, in some cases, MFA information as well.
Multiple campaigns
"Based on our recent observations, [criminals] actively run multiple campaigns to spread information stealers," the researchers said. "Stealer Logs can provide access to compromised endpoints, which are sold on cybercrime marketplaces. We have seen multiple breaches where stealer logs have provided the necessary initial access to the victim's network."
The six sites uncovered are zoom-download[.]host, zoom-download[.]space, zoom-download[.]fun, zoomus[.]host, zoomus[.]tech, and zoomus[.]website and, according to The Register, are still operational.
Visitors are redirected to a GitHub URL that shows which applications they can download. If the victim chooses the malicious one, two binaries are dropped into the temp folder: ZOOMIN-1.EXE and Decoder.exe. The malware also injects itself into MSBuild.exe and retrieves the IP addresses hosting the DLLs, as well as configuration data, the researchers said.
"We found that this malware had overlapping Tactics, Techniques, and Procedures (TTPs) with Vidar Stealer," the researchers wrote, adding that, like Vidar Stealer, "this malware payload hides the C&C IP address in the Telegram description. The rest of the infection techniques appear to be similar."
The best way to avoid this malware is to double-check where you're getting your Zoom installers from, and to treat any download site whose name merely contains "zoom" with suspicion.
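The two practical checks a defender can take from this report are the download-origin check above and a hunt for the reported indicators (the six lookalike domains, the two binaries dropped into the temp folder, and the injection into MSBuild.exe). The following script is an added example written for this page, not code from Cyble, The Register or Zoom. It assumes that zoom.us and its subdomains are the only legitimate download hosts, and it runs over a handful of constructed Sysmon-style event lines (EventID 11 FileCreate, 8 CreateRemoteThread, 22 DNSEvent); the log lines are made up for the example and are not real telemetry.

```python
import re
from urllib.parse import urlsplit

# The six lookalike domains from the Cyble report, defanged exactly as the article prints them.
FAKE_ZOOM_DOMAINS = {
    "zoom-download[.]host", "zoom-download[.]space", "zoom-download[.]fun",
    "zoomus[.]host", "zoomus[.]tech", "zoomus[.]website",
}
# Assumption for this example: zoom.us (and its subdomains) is the only host to download from.
LEGIT_ZOOM_DOMAINS = {"zoom.us"}
# File names the article reports being dropped into the temp folder, and the injection target.
DROPPED_BINARIES = {"zoomin-1.exe", "decoder.exe"}
INJECTION_TARGET = "msbuild.exe"


def refang(text: str) -> str:
    """Turn a defanged 'a[.]b' indicator (or URL) back into a usable form."""
    return text.replace("[.]", ".").lower()


def _matches(host: str, domains) -> bool:
    # Exact match or a subdomain; a plain substring test would let zoom.us.evil.example through.
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_download_host(url: str) -> str:
    """Classify where a Zoom download URL points: legitimate, known-fake, lookalike or unrelated."""
    url = refang(url)
    if "://" not in url:            # bare hostnames are accepted too
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    if _matches(host, LEGIT_ZOOM_DOMAINS):
        return "legitimate"
    if _matches(host, {refang(d) for d in FAKE_ZOOM_DOMAINS}):
        return "known-fake"
    if "zoom" in host:
        # Not on the list, but imitating the brand: treat as a lookalike until proven otherwise.
        return "lookalike"
    return "unrelated"


# Key=Value pairs; values may contain spaces (e.g. "C:\Program Files\..."), so read up to the next key.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    """Parse a one-line 'Key=Value Key=Value' event using Sysmon-style field names."""
    return dict(_KV.findall(line))


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan_event(line: str) -> list:
    """Return the IOC tags a single event line triggers (empty list if none)."""
    ev = parse_event(line)
    tags = []
    eid = ev.get("EventID")
    if eid == "11":  # Sysmon FileCreate: reported dropper names landing in a Temp folder
        target = ev.get("TargetFilename", "")
        if _basename(target) in DROPPED_BINARIES and "\\temp\\" in target.lower():
            tags.append("dropper-in-temp")
    elif eid == "8":  # Sysmon CreateRemoteThread: something writing a thread into MSBuild.exe
        if _basename(ev.get("TargetImage", "")) == INJECTION_TARGET:
            tags.append("msbuild-injection")
    elif eid == "22":  # Sysmon DNSEvent: lookups of the fake download sites
        verdict = classify_download_host(ev.get("QueryName", ""))
        if verdict in ("known-fake", "lookalike"):
            tags.append("fake-zoom-dns:" + verdict)
    return tags


def scan_log(lines) -> dict:
    """Map each triggered tag to the 1-based line numbers that triggered it."""
    hits = {}
    for n, line in enumerate(lines, 1):
        for tag in scan_event(line):
            hits.setdefault(tag, []).append(n)
    return hits


SAMPLE_LOG = [  # constructed for this example, not real telemetry
    r"EventID=11 Image=C:\Users\bob\Downloads\ZoomInstaller.exe TargetFilename=C:\Users\bob\AppData\Local\Temp\ZOOMIN-1.EXE",
    r"EventID=11 Image=C:\Users\bob\Downloads\ZoomInstaller.exe TargetFilename=C:\Users\bob\AppData\Local\Temp\Decoder.exe",
    r"EventID=8 SourceImage=C:\Users\bob\AppData\Local\Temp\Decoder.exe TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
    r"EventID=22 Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe QueryName=zoom-download.fun",
    r"EventID=11 Image=C:\Program Files\Zoom\bin\Zoom.exe TargetFilename=C:\Users\bob\AppData\Local\Temp\zoomlog.txt",
    r"EventID=22 Image=C:\Program Files\Mozilla Firefox\firefox.exe QueryName=zoom.us",
]

if __name__ == "__main__":
    for u in ("https://zoom.us/download", "https://zoom-download[.]space/ZoomInstaller.exe",
              "https://zoom.us.evil.example/", "https://example.org/"):
        print(f"{u:55} -> {classify_download_host(u)}")
    for tag, lines in scan_log(SAMPLE_LOG).items():
        print(f"{tag}: lines {lines}")
```

The DNS rule reuses the URL classifier, so a host that is not one of the six reported domains but still carries the brand (for instance zoom.us.evil.example) is surfaced as a lookalike rather than silently passed; only an exact zoom.us host or one of its subdomains is treated as legitimate. The file-name and MSBuild.exe rules are deliberately narrow and should be read as hunt queries for this campaign, not as general-purpose detections.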
Via: The Register