
Fake Zoom and Google Meet Phishing Campaigns Utilize Teramind Surveillance Software


Rising Threats: Phishing Campaigns Exploit Zoom and Google Meet to Deploy Surveillance Software

Recent reports describe an escalation in phishing campaigns that impersonate the widely used video conferencing tools Zoom and Google Meet. The attackers use these impersonations to covertly install Teramind on Windows devices, a serious concern for organizations and individuals alike.

While Teramind is legitimate enterprise software for endpoint monitoring, threat actors are abusing it to conduct surveillance without the victim’s knowledge, with severe implications for user privacy and data security.

The Phishing Attack Mechanics

The attack hinges on deceptive landing pages that closely resemble the official Zoom and Google Meet websites. A now-defunct campaign impersonating Zoom used the domain uswebzoomus[.]com, while an ongoing variant targeting Google Meet operates at googlemeetinterview[.]click.

Visitors to the active Google Meet site land on a counterfeit Microsoft Store page with a download button. Clicking it delivers a malicious MSI installer, which installs Teramind without any visible prompt or warning.

Notably, the attackers use an unmodified Teramind binary. The installer includes a .NET custom action, ReadPropertiesFromMsiName, which reads a 40-character hexadecimal string embedded in the installer’s filename and uses it as the instance ID that ties the agent to the attacker’s account. Because the ID lives in the filename rather than in the binary, the same installer can be repurposed for any number of threat actor accounts simply by renaming it.
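Because the instance ID rides in the filename, the filename itself is a detection surface. The following PowerShell is an added example written for this article, not code from the article or from Teramind; it flags MSI files whose name contains a 40-character hexadecimal run and reports each match with the embedded token and the file’s SHA-256 for IOC correlation. The exact position of the token in the real filenames is not stated in the article, so treating any contiguous 40-hex-character run as the token is an assumption, and the sample filenames and hex value below are constructed.

```powershell
# Added example (not from the article): flag MSI files whose name carries a
# 40-character hexadecimal token, the mechanism the article attributes to the
# ReadPropertiesFromMsiName custom action. Where the token sits in the real
# filenames is not stated, so any contiguous 40-hex-character run counts
# (assumption). Legitimate installers sometimes embed hashes in their names,
# so treat a match as a triage lead, not proof.
$HexTokenPattern = '(?<![0-9A-Fa-f])[0-9A-Fa-f]{40}(?![0-9A-Fa-f])'

function Test-InstanceIdMsiName {
    param([Parameter(Mandatory)][string]$FileName)
    # Only .msi files are of interest; -ne is case-insensitive in PowerShell
    if ([IO.Path]::GetExtension($FileName) -ne '.msi') { return $false }
    return [regex]::IsMatch($FileName, $HexTokenPattern)
}

function Find-InstanceIdMsi {
    # Scan a folder (default: the current user's Downloads) and report each match
    # with the embedded token and the file's SHA-256 for IOC correlation
    param([string]$Path = (Join-Path $env:USERPROFILE 'Downloads'))
    Get-ChildItem -LiteralPath $Path -Filter '*.msi' -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { Test-InstanceIdMsiName -FileName $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Path       = $_.FullName
                InstanceId = [regex]::Match($_.Name, $HexTokenPattern).Value
                Sha256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Created    = $_.CreationTime
            }
        }
}

# Constructed sample names for a dry run; the hex value is made up, not a real IOC
$samples = @(
    'GoogleMeetSetup_0123456789abcdef0123456789abcdef01234567.msi',  # flagged
    'ZoomInstaller.msi',                                            # no token
    'notes_0123456789abcdef0123456789abcdef01234567.pdf'             # not an MSI
)
foreach ($name in $samples) {
    '{0,-5} {1}' -f (Test-InstanceIdMsiName -FileName $name), $name
}

# Live scan of the current user's Downloads folder
Find-InstanceIdMsi | Format-Table -AutoSize
```

The dry run prints True for the first constructed name and False for the other two; the live scan lists any matching MSI found under Downloads. Pointing Find-InstanceIdMsi at a shared download share or at collected browser download logs generalizes the same check across a fleet.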

Installation and Stealth Mechanisms

Upon execution, the installer runs a connectivity check named CheckHosts against a hardcoded command-and-control (C2) server, rt.teramind.co. If the machine cannot reach this server, installation aborts immediately. If the check succeeds, the software installs in "Hidden Agent" mode (TMSTEALTH = 1), which hides all taskbar icons and program entries so the surveillance processes run unnoticed.

To evade network security controls, the MSI installer also supports a built-in SOCKS5 proxy, which may let the attackers obscure their C2 traffic and complicate detection. For persistence, the campaign installs two resilient services that restart automatically if terminated, making the agent difficult for victims to remove.

Malicious Services Summary

The campaign deploys two services designed to maintain its presence on compromised systems:

  1. Service Name: tsvchst
     • Display Name: Service Host
     • Executable: svc.exe -service
     • Privilege Level: LocalSystem
  2. Service Name: pmon
     • Display Name: Performance Monitor
     • Executable: pmon.exe
     • Privilege Level: LocalSystem

Recognizing Compromises

In the face of these ongoing attacks, organizations should monitor their networks for the indicators of compromise (IOCs) associated with this campaign: the hashes of the malicious MSI installer and the fake domains used in the phishing pages. Searching the ProgramData directory for the folder named {4CEC2908-5CE4-48F0-A717-8FC833D8017A} can also reveal an intrusion.

Further warning signs are the tsvchst and pmon services running unexpectedly on non-corporate machines, and the tm_filter.sys and tmfsdrv2.sys kernel drivers loading where no Teramind deployment is expected. Preventive measures include blocking MSI execution from user download directories and browser policies that warn users when they interact with unrecognized domains.
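The host-side indicators above can be checked in one pass. This PowerShell hunt is an added example written for this article, not code from the article or from Teramind: it looks for the two service names, the two kernel driver files, the GUID folder, and any System-log service-installation events (Event ID 7045) naming tsvchst or pmon. It assumes the GUID folder sits directly under %ProgramData%; the article only says it is in the ProgramData directory. Run it from an elevated session.

```powershell
# Added example (not from the article): hunt a Windows host for the indicators
# the article lists. Run elevated. Assumption: the GUID folder sits directly
# under %ProgramData%; the article only says "in the ProgramData directory".
$ServiceNames = @('tsvchst', 'pmon')
$DriverFiles  = @('tm_filter.sys', 'tmfsdrv2.sys')
$DataDir      = Join-Path $env:ProgramData '{4CEC2908-5CE4-48F0-A717-8FC833D8017A}'

function Get-TeramindIndicators {
    $hits = New-Object System.Collections.Generic.List[object]

    # Services: record display name, binary path, account and state for comparison
    # with the table in the article
    foreach ($name in $ServiceNames) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if ($svc) {
            $hits.Add([pscustomobject]@{
                Type   = 'Service'
                Name   = $svc.Name
                Detail = "$($svc.DisplayName) | $($svc.PathName) | $($svc.StartName) | $($svc.State)"
            })
        }
    }

    # Kernel drivers: Win32_SystemDriver covers drivers registered with the
    # Service Control Manager, loaded or not; some entries have no PathName
    foreach ($file in $DriverFiles) {
        $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
            Where-Object { $_.PathName -and $_.PathName.ToLower().EndsWith($file) }
        foreach ($d in $drivers) {
            $hits.Add([pscustomobject]@{
                Type   = 'Driver'
                Name   = $d.Name
                Detail = "$($d.PathName) | state=$($d.State) | start=$($d.StartMode)"
            })
        }
    }

    # Data directory named by the GUID from the article
    if (Test-Path -LiteralPath $DataDir) {
        $count = (Get-ChildItem -LiteralPath $DataDir -Recurse -File -ErrorAction SilentlyContinue | Measure-Object).Count
        $hits.Add([pscustomobject]@{ Type = 'Folder'; Name = $DataDir; Detail = "$count files" })
    }

    # Event ID 7045 in the System log records when a service was first installed,
    # which dates the intrusion even if the service has since been removed
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\b(tsvchst|pmon)\b' }
    foreach ($e in $events) {
        $lines = ($e.Message -split "`r?`n") | Where-Object { $_ -match '^Service (File )?Name:' }
        $hits.Add([pscustomobject]@{
            Type   = 'Event7045'
            Name   = $e.TimeCreated.ToString('s')
            Detail = ($lines -join ' | ')
        })
    }

    # The comma keeps the list intact instead of unrolling it onto the pipeline
    return ,$hits
}

$report = Get-TeramindIndicators
if ($report.Count -eq 0) {
    'No Teramind indicators from the article found on this host.'
} else {
    $report | Format-Table -AutoSize -Wrap
}
```

Any hit on a machine outside a sanctioned Teramind deployment is worth escalating; the 7045 event timestamps are particularly useful for scoping, since they survive the uninstall described in the next section.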

Eradicating Unauthorized Software

To remove the software, security professionals should uninstall it from the command line with msiexec /x {4600BEDB-F484-411C-9861-1B4DD6070A23} /qb. Afterwards, manually delete the associated ProgramData directory and reboot the system so that any kernel drivers still in memory are unloaded.
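Put together as a repeatable procedure, the removal steps look like the PowerShell below. This is an added example written for this article, not code from the article or from Teramind. It preserves the service configuration and folder listing as evidence first, disables the self-restarting services before stopping them, runs the msiexec uninstall with the product code from the article only if that code is registered, removes the data folder, and then handles the reboot. The data folder location directly under %ProgramData% and the evidence path under %TEMP% are assumptions. Run it from an elevated session.

```powershell
# Added example (not from the article): remove the unauthorised Teramind agent
# with the product code the article gives, then clear its ProgramData folder.
# Run elevated. Assumption: the GUID folder sits directly under %ProgramData%.
# Drivers already in memory are only unloaded by the reboot.
$ProductCode  = '{4600BEDB-F484-411C-9861-1B4DD6070A23}'
$DataDir      = Join-Path $env:ProgramData '{4CEC2908-5CE4-48F0-A717-8FC833D8017A}'
$ServiceNames = @('tsvchst', 'pmon')

function Remove-UnauthorizedTeramind {
    param(
        [string]$EvidenceDir = (Join-Path $env:TEMP 'teramind-evidence'),  # assumed location
        [switch]$Reboot
    )

    # 0. Preserve what is about to be destroyed (service configuration, folder
    #    listing) so the incident record survives the cleanup
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $ServiceNames -contains $_.Name } |
        Select-Object Name, DisplayName, PathName, StartName, StartMode, State |
        Export-Csv -Path (Join-Path $EvidenceDir 'services.csv') -NoTypeInformation
    if (Test-Path -LiteralPath $DataDir) {
        Get-ChildItem -LiteralPath $DataDir -Recurse -Force -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime |
            Export-Csv -Path (Join-Path $EvidenceDir 'datadir-listing.csv') -NoTypeInformation
    }

    # 1. The services restart themselves when killed, so disable before stopping
    foreach ($name in $ServiceNames) {
        if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
            Set-Service -Name $name -StartupType Disabled
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        }
    }

    # 2. Uninstall only if the product code is registered; otherwise msiexec
    #    simply fails with "product not installed"
    $uninstallKeys = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$ProductCode",
        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\$ProductCode"
    )
    if ($uninstallKeys | Where-Object { Test-Path $_ }) {
        # /qb as in the article; /norestart keeps control of the reboot here
        $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList "/x $ProductCode /qb /norestart" -Wait -PassThru
        "msiexec exit code $($proc.ExitCode) (0 = removed, 3010 = removed, reboot pending)"
    } else {
        "Product code $ProductCode is not registered on this host; skipping msiexec"
    }

    # 3. Delete the data directory the uninstaller leaves behind
    if (Test-Path -LiteralPath $DataDir) {
        Remove-Item -LiteralPath $DataDir -Recurse -Force -ErrorAction Continue
    }

    # 4. Reboot so tm_filter.sys and tmfsdrv2.sys are unloaded from memory
    if ($Reboot) {
        Restart-Computer -Force
    } else {
        'Reboot required to clear the kernel drivers; re-run with -Reboot or restart manually.'
    }
}

Remove-UnauthorizedTeramind
```

Exit code 3010 from msiexec means the uninstall succeeded but a restart is pending, which matches the article’s instruction to reboot; the evidence CSVs should be copied off the host before it is returned to service.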

As digital landscapes evolve, so too do the strategies employed by cybercriminals. In this case, organizations must remain proactive in their cybersecurity efforts to mitigate risks posed by such intricately executed phishing campaigns.

