Spoofed Zoom, Google & Skype Meetings Spreading Corporate RATs

A threat actor is creating fake Skype, Google Meet, and Zoom meetings to spread commodity malware that can steal sensitive data from both Android and Windows users. The campaign, which began in December, poses a significant risk to corporate users, according to researchers from Zscaler’s ThreatLabz.

The attackers use shared web hosting to serve the fake online meeting sites from a single IP address, with URLs that closely mimic the real websites of the impersonated services. For example, the Skype campaign used “join-skype[.]info”, Google Meet users were directed to join meetings via “online-cloudmeeting[.]pro”, and the Zoom campaign used “us06webzoomus[.]pro”.

The threat actors are employing this tactic to distribute widely available malware payloads that target cross-platform users. Android users are at risk of the SpyNote RAT, while Windows users face threats such as NjRAT and DCRat, as per the researchers.

The researchers, Himanshu Sharma, Arkaprva Tripathi, and Meghraj Nandanwar, highlighted the risks of these lures in distributing RATs that can steal confidential information, log keystrokes, and pilfer files. The campaign to lure users with Skype and Google Meet began in December, with the attacker moving on to impersonating Zoom in January.

Each campaign utilizes unique attack vectors with specific lures. In the Skype campaign, Windows users are led to a malicious executable file named Skype8.exe, disguised as a legitimate Skype download. Meanwhile, Android users are directed to download Skype.apk, which ultimately delivers a malicious payload.

The fake Google Meet site provides links for downloading a fake Skype application for Android (which is actually the SpyNote RAT) and/or Windows (a BAT file that downloads the DCRat payload). On the other hand, the fake Zoom site attempts to fool users by presenting a link that closely resembles a legitimate Zoom meeting ID.

There are also similarities between the fake Google Meet and Zoom websites, as both contain an open directory with two additional Windows executable files – driver.exe and meet.exe – housing NjRAT. The researchers point out that the presence of these files suggests their potential use in future campaigns.
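The lookalike-hostname pattern and the download file types described above can be turned into a proxy-log triage check. The following is an added example, not code from the article or from ThreatLabz; the allowlist, brand tokens, log format and URL paths are assumptions, and a hit is a lead for review, not a verdict.

```python
import re
from urllib.parse import urlsplit

# Assumption: registrable domains of the real services (extend for your environment).
LEGIT_DOMAINS = {"skype.com", "zoom.us", "google.com"}
BRAND_TOKENS = ("skype", "zoom", "meet")     # broad on purpose; expect benign hits
RISKY_EXTENSIONS = (".exe", ".apk", ".bat")  # file types named in the article

def split_url(url):
    """Refang a defanged indicator ('[.]' -> '.') and parse it."""
    url = url.strip().replace("[.]", ".")
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url)

def registrable(host):
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def classify(url):
    """Return 'ok', 'lookalike' or 'lookalike+download' for a URL or hostname."""
    parts = split_url(url)
    host = (parts.hostname or "").lower()
    if registrable(host) in LEGIT_DOMAINS:
        return "ok"
    squashed = re.sub(r"[^a-z0-9]", "", host)  # 'join-skype.info' -> 'joinskypeinfo'
    if not any(token in squashed for token in BRAND_TOKENS):
        return "ok"
    if parts.path.lower().endswith(RISKY_EXTENSIONS):
        return "lookalike+download"
    return "lookalike"

def scan(log_lines):
    """Return (client, host, verdict) for flagged lines; the URL is the last field."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 3 and classify(fields[-1]) != "ok":
            hits.append((fields[1], split_url(fields[-1]).hostname, classify(fields[-1])))
    return hits

# Constructed proxy log lines (timestamp, client IP, URL); the paths are made up.
SAMPLE_LOG = [
    "2024-01-10T09:12:01Z 10.0.0.5 https://meet.google.com/abc-defg-hij",
    "2024-01-10T09:13:44Z 10.0.0.7 http://join-skype[.]info/Skype8.exe",
    "2024-01-10T09:15:02Z 10.0.0.9 https://us06webzoomus[.]pro/j/0000000000",
    "2024-01-10T09:16:30Z 10.0.0.5 https://zoom.us/j/0000000000",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```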

To protect against these threats, enterprises are advised to take precautionary measures, including regular updates and security patches to minimize potential entry points for attackers. As part of their research, the researchers also provided a list of the specific MITRE ATT&CK techniques triggered during sandbox analysis.

In conclusion, the emergence of fake online meeting sites as a vector for spreading malware underscores the importance of vigilance and proactive cybersecurity measures for both individual users and corporate entities. As threat actors continue to evolve their tactics, staying informed and implementing robust security practices is crucial to safeguarding sensitive data and preventing cyberattacks.
