Android and Windows RATs Distributed Via Online Meeting Lures

Zscaler ThreatLabz observed a campaign (Dec 2023–Jan 2024) that hosted fraudulent Skype, Google Meet, and Zoom websites to deliver Android and Windows RATs. Clicking Android links returned SpyNote APKs while Windows links delivered BAT stagers that fetched DCRat or NjRAT payloads. #SpyNoteRAT #DCRat #NjRAT #Skype #GoogleMeet #Zoom

Keypoints

  • Threat actor created fake Skype, Google Meet, and Zoom websites hosted on shared infrastructure to mimic legitimate meeting services.
  • Android lure: clicking the Google Play/Android link downloads APKs (examples: meet.apk, Zoom02.apk) containing SpyNote RAT.
  • Windows lure: clicking the Windows button downloads BAT files (example: updateZoom20243001bit.bat) that chain-download and execute RAT payloads (ZoomDirectUpdate.exe containing DCRat).
  • Final Windows payloads were delivered as archives/executables (ZoomDirectUpdate.exe as a WinRAR archive, DCRat packed with Eziriz .NET Reactor; NjRAT found in driver.exe and meet.exe inside gry-ucdu-fhc.zip).
  • Attackers used URL paths and subpaths that mimic real meeting invite formats (e.g., gry-ucdu-fhc and long Zoom-like subpaths) to increase credibility.
  • Open directories on the fake sites hosted additional RAT binaries, indicating reuse across campaigns.
  • Zscaler sandbox analysis detected behavior and assigned threat names (Win32.Backdoor.DCRat, Win32.Backdoor.NjRat) but the article did not enumerate specific MITRE technique IDs.

MITRE Techniques

  • No MITRE ATT&CK technique IDs were explicitly listed in the article; the report only notes: ‘The sandbox analysis allowed us to identify threat scores and pinpoint specific MITRE ATT&CK techniques that were triggered during the analysis process.’

Indicators of Compromise

  • [Domains] fraudulent meeting domains – join-skype[.]info, online-cloudmeeting[.]pro, us06webzoomus[.]pro
  • [URLs / Subpaths] meeting-like paths used to mimic invites – online-cloudmeeting[.]pro/gry-ucdu-fhc/, us06webzoomus[.]pro/l/62202342233720…/
  • [Android files] APK filenames delivered via Android links – meet.apk, Zoom02.apk (contains SpyNote RAT)
  • [Windows files / stagers] BAT and EXE filenames used as stagers/payloads – updateZoom20243001bit.bat, ZoomDirectUpdate.exe (WinRAR archive containing DCRat)
  • [Open directory binaries] additional Windows RATs found in open directories – driver.exe, meet.exe inside gry-ucdu-fhc.zip (NjRAT)

Zscaler observed a consistent delivery chain across fake meeting sites: visitors clicking the Android/Google Play link received an APK (examples: meet.apk, Zoom02.apk) that installed SpyNote RAT on Android devices. For Windows, the sites served BAT files (example: updateZoom20243001bit.bat); when executed, these stagers downloaded an executable archive (example: ZoomDirectUpdate.exe) which unpacked and executed DCRat, with binaries sometimes packed using Eziriz .NET Reactor.

The fraudulent sites were hosted on shared infrastructure and used subpaths crafted to resemble legitimate invite codes (e.g., gry-ucdu-fhc and long Zoom-like path segments) to increase user trust. Open directory listings on the same hosts contained additional executables (driver.exe, meet.exe inside gry-ucdu-fhc.zip) identified as NjRAT, indicating multiple RAT families were staged from the same hosting locations and likely reused across campaigns.

Technical artifacts to hunt for include the listed domain names and subpaths, the specific file names (APK, BAT, EXE, ZIP), and archives with .NET packing signatures (Eziriz .NET Reactor). Detection and analysis benefit from sandboxing the BAT-to-EXE download chain, inspecting WinRAR archive contents for DCRat components, and monitoring for SpyNote APK indicators on mobile endpoints.
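An added hunting helper (not Zscaler's code) that applies the indicators above to proxy logs: it refangs the published domains, matches the listed file names, flags Google Meet-style invite codes on hosts other than the genuine service, and correlates a .bat fetch followed by an .exe fetch from the same host, the stager chain the report describes. The log layout, the meet.google.com allow-list and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Indicators quoted in the report, defanged as published; refanged below for matching.
LURE_DOMAINS = {"join-skype[.]info", "online-cloudmeeting[.]pro", "us06webzoomus[.]pro"}
LURE_HOSTS = {d.replace("[.]", ".") for d in LURE_DOMAINS}
LURE_FILES = {"meet.apk", "zoom02.apk", "updatezoom20243001bit.bat",
              "zoomdirectupdate.exe", "driver.exe", "meet.exe", "gry-ucdu-fhc.zip"}
# Google Meet codes have the shape xxx-xxxx-xxx; the lure path gry-ucdu-fhc copies it.
MEET_CODE = re.compile(r"/[a-z]{3}-[a-z]{4}-[a-z]{3}(?:/|$)")
LEGIT_MEET_HOSTS = {"meet.google.com"}  # assumption: the genuine service's host
# Assumed proxy-log layout: "<ISO timestamp> <client ip> <host><path>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>[^ /]+)(?P<path>/\S*)$")

def parse(lines):
    """Yield one dict per line that matches the assumed layout; skip the rest."""
    for m in filter(None, map(LOG_RE.match, lines)):
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        yield rec

def hunt(lines, window=timedelta(minutes=10)):
    """(client, reason) pairs: indicator hits plus .bat then .exe from one host within window."""
    bat_seen = defaultdict(dict)  # client -> {host: time of last .bat fetch}
    findings = []
    for rec in parse(lines):
        src, host, path, ts = rec["src"], rec["host"], rec["path"], rec["ts"]
        fname = path.rsplit("/", 1)[-1].lower()
        if host in LURE_HOSTS:
            findings.append((src, f"known lure domain {host}"))
        if fname in LURE_FILES:
            findings.append((src, f"known lure file {fname}"))
        if MEET_CODE.search(path) and host not in LEGIT_MEET_HOSTS:
            findings.append((src, f"Meet-style invite code on {host}"))
        if fname.endswith(".bat"):
            bat_seen[src][host] = ts
        elif fname.endswith(".exe") and ts - bat_seen[src].get(host, datetime.min) <= window:
            findings.append((src, f"bat-then-exe chain from {host}"))
    return findings

# Constructed sample log: 10.0.0.5 walks the chain the report describes, 10.0.0.9
# uses the genuine service, 10.0.0.7's .exe arrives outside the window.
SAMPLE_LOG = [
    "2024-01-30T10:00:07 10.0.0.5 online-cloudmeeting.pro/gry-ucdu-fhc/updateZoom20243001bit.bat",
    "2024-01-30T10:01:12 10.0.0.5 online-cloudmeeting.pro/ZoomDirectUpdate.exe",
    "2024-01-30T10:05:00 10.0.0.9 meet.google.com/abc-defg-hij",
    "2024-01-30T11:00:00 10.0.0.7 cdn.example.net/installer.bat",
    "2024-01-30T11:30:00 10.0.0.7 cdn.example.net/tool.exe",
]
```

Running `hunt(SAMPLE_LOG)` yields six findings, all for 10.0.0.5, including one bat-then-exe chain; the genuine Meet host and the out-of-window pair produce none.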

Read more: https://www.zscaler.com/blogs/security-research/android-and-windows-rats-distributed-online-meeting-lures