Cyble – New Malware Campaign Targets Zoom Users

Cyble researchers uncovered a campaign that uses fake Zoom download sites to deliver Vidar Stealer to Zoom users. The trojanised app drops two binaries, injects the stealer into MSBuild.exe, fetches its payload from a GitHub repository, and reaches its C2 servers through hardcoded addresses and addresses hidden in social-media profile pages. #VidarStealer #FakeZoomSites

Keypoints

  • The attack campaign centers on fake Zoom sites designed with a consistent UI to deliver malware disguised as the legitimate Zoom app.
  • Redirects lead to a GitHub URL that hosts Zoom.zip, which contains the malicious payload.
  • On execution, two binaries are dropped in the user's temp folder: ZOOMIN~1.EXE (launches the real Zoom client so the victim sees the expected application) and Decoder.exe (a .NET loader).
  • Decoder.exe injects the stealer code into MSBuild.exe, so Vidar Stealer runs inside a legitimate, signed Microsoft process rather than as its own executable.
  • Vidar Stealer collects banking information, saved passwords, IP addresses, browser history, login credentials and crypto-wallet data, and operates from hardcoded configuration and C2 addresses.
  • The operators hide a C2 IP address in the description field of social-media profile pages (a Telegram channel and a profile on ieji.de) and also hardcode C2 addresses; the stealer then fetches its configuration and DLLs from the C2 server. The report's figures show this network activity.

MITRE Techniques

  • [T1566] Phishing – The fake Zoom sites are created to spread malware disguised as the legitimate Zoom application. Quote: “the creation of multiple fake Zoom sites… spreading malware disguised as the legitimate Zoom application.”
  • [T1204] User Execution – The campaign involves executing the downloaded payload which then drops binaries. Quote: “Upon execution, the malicious application drops two binaries in the temporary folder.”
  • [T1555] Credentials from Password Stores – Vidar steals banking information, saved passwords, and login credentials. Quote: “Vidar is an Information Stealing malware that steals the victim’s banking information, saved passwords, IP addresses, browser history, login credentials, and crypto-wallets.”
  • [T1539] Steal Web Session Cookie – Mapped from Vidar's browser-data theft. Quote: “steals the victim’s banking information, saved passwords, IP addresses, browser history, login credentials, and crypto-wallets.” Note: the quoted text lists browser history and credentials but does not explicitly mention cookies; treat this mapping as inferred from Vidar's known browser-stealing behaviour rather than stated in the report.
  • [T1095] Non-Application Layer Protocol – The malware exchanges data with C2 servers for configuration and DLLs. Quote: “The malware receives the configuration data and DLLs from the C&C servers at this stage.” Note: the quoted behaviour (pulling configuration and DLLs from C2) maps more directly to T1105 Ingress Tool Transfer; T1095 only applies if the C2 traffic is shown to use a non-application-layer protocol, which the report does not state.
  • [T1041] Exfiltration Over C2 Channel – Stolen data and configuration travel over the same C2 connection. Quote: “The figure below displays the network activity with the C&C server.”
  • [T1055] Process Injection – Decoder.exe injects the stealer into MSBuild.exe so that it executes inside a legitimate process (see Keypoints: “Decoder.exe injects the stealer code into MSBuild.exe”).
  • [T1102] Web Service – The payload is hosted on GitHub and a C2 IP is published in social-media profile descriptions used as dead-drop resolvers (see Keypoints: “hide C2 IPs by placing them in Telegram profiles/descriptions”).

Indicators of Compromise

  • [IOC Type] Domain – Fake Zoom download sites used by the attackers: zoom-download.host, zoom-download.space, zoom-download.fun, zoomus.host, zoomus.tech, zoomus.website
  • [IOC Type] URL – Zoom.zip download source: https://github.com/sgrfbnfhgrhthr/csdvmghfmgfd/raw/main/Zoom.zip
  • [IOC Type] Hash – Malicious Zoom application: MD5 19aff3d6ed110a9037aff507cac4077f, SHA1 caa99a9682d20e657b58d9d508f6d4921d6b606b, SHA256 f2efaa8e2d001d9c7872ab0a374480bec010aeaa9dbdb932cc058530ad125217
  • [IOC Type] Hash – Loader file: MD5 19aff3d6ed110a9037aff507cac4077f, SHA1 a8917dc3caf3485108485bf12c79de8f792e415e, SHA256 32fa5edf4da5eff4ca9313f3466df85da73a6e2498b2c88ad1e3403b3979e6f4
    Note: the report lists the same MD5 for both files while their SHA1 and SHA256 values differ, so one of the MD5 entries is likely a transcription error; match on SHA256 rather than MD5 when hunting.
  • [IOC Type] IP – C&C IP: 79.124.78.206
  • [IOC Type] IP – C&C IP: 116.202.179.139
  • [IOC Type] IP – Malicious IP: 193.106.191.223
  • [IOC Type] URL – Social-media profile pages used as dead drops for C2 IPs (a Telegram channel and a profile on the ieji.de Mastodon instance): https://t.me/karacakahve, https://ieji.de/@tiagoa96
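The following is an added example, not code from Cyble or from the report, that turns the keypoints and IOCs above into a small matcher: it normalises the listed hashes (so the duplicated MD5 collapses to one entry and each digest gets a type from its length), then checks constructed endpoint and network events for the page's domains, IPs, payload URL and dead-drop profile pages, and for the behavioural pattern described in the keypoints (MSBuild.exe started by a loader living in a temp directory, and MSBuild.exe making outbound connections). The event dictionary schema, the sample events and the benign placeholder IP 203.0.113.5 are assumptions made for this example.

```python
from __future__ import annotations
import re

# --- IOCs copied from the page; hashes are lower-cased before comparison ---
IOC_DOMAINS = {
    "zoom-download.host", "zoom-download.space", "zoom-download.fun",
    "zoomus.host", "zoomus.tech", "zoomus.website",
}
IOC_IPS = {"79.124.78.206", "116.202.179.139", "193.106.191.223"}
IOC_PAYLOAD_URL = "https://github.com/sgrfbnfhgrhthr/csdvmghfmgfd/raw/main/Zoom.zip"
IOC_DEAD_DROPS = {"t.me/karacakahve", "ieji.de/@tiagoa96"}   # profile pages hiding a C2 IP
IOC_HASHES_RAW = [
    "19aff3d6ed110a9037aff507cac4077f",                                  # app MD5
    "caa99a9682d20e657b58d9d508f6d4921d6b606b",                          # app SHA1
    "f2efaa8e2d001d9c7872ab0a374480bec010aeaa9dbdb932cc058530ad125217",  # app SHA256
    "19AFF3D6ED110A9037AFF507CAC4077F",                                  # loader MD5 (same as app MD5 on the page)
    "a8917dc3caf3485108485bf12c79de8f792e415e",                          # loader SHA1
    "32fa5edf4da5eff4ca9313f3466df85da73a6e2498b2c88ad1e3403b3979e6f4",  # loader SHA256
]
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)   # Windows temp path component


def classify_hash(h: str) -> str:
    """Infer the digest algorithm from the hex length; reject anything else."""
    h = h.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", h) or len(h) not in HASH_TYPES:
        raise ValueError(f"not a recognised hex digest: {h!r}")
    return HASH_TYPES[len(h)]


def normalise_hashes(raw: list[str]) -> dict[str, str]:
    """Lower-case, validate and de-duplicate -> {digest: algorithm}."""
    return {h.strip().lower(): classify_hash(h) for h in raw}


IOC_HASHES = normalise_hashes(IOC_HASHES_RAW)


def match_event(ev: dict) -> list[str]:
    """Return the reasons one event matches the campaign; [] when clean."""
    hits: list[str] = []
    kind = ev.get("type")
    image = ev.get("image", "").lower()
    if kind == "process":
        parent = ev.get("parent_image", "").lower()
        if image.endswith("\\msbuild.exe") and (TEMP_DIR.search(parent) or parent.endswith("\\decoder.exe")):
            hits.append("MSBuild.exe started by a loader in a temp directory (injection host)")
        if image.endswith("\\decoder.exe") and TEMP_DIR.search(image):
            hits.append("Decoder.exe loader executed from a temp directory")
    elif kind == "dns":
        if ev.get("query", "").lower().rstrip(".") in IOC_DOMAINS:
            hits.append(f"DNS query for fake Zoom domain {ev['query']}")
    elif kind == "network":
        if ev.get("dst_ip") in IOC_IPS:
            hits.append(f"connection to listed C2/malicious IP {ev['dst_ip']}")
        if image.endswith("\\msbuild.exe"):
            hits.append("MSBuild.exe making an outbound connection")
        url = ev.get("url", "")
        if url == IOC_PAYLOAD_URL:
            hits.append("download of Zoom.zip from the attacker-controlled GitHub repository")
        if any(url.split("://", 1)[-1].startswith(d) for d in IOC_DEAD_DROPS):
            hits.append("fetch of a profile page used as a C2 dead drop")
    elif kind == "file":
        for h in ev.get("hashes", []):
            if h.lower() in IOC_HASHES:
                hits.append(f"file {IOC_HASHES[h.lower()]} matches listed IOC")
    return hits


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run match_event over a batch; keep only events that produced hits."""
    out = []
    for i, ev in enumerate(events):
        reasons = match_event(ev)
        if reasons:
            out.append((i, reasons))
    return out


# Constructed sample telemetry (not from the report): the infection chain plus two benign events.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "zoom-download.host"},
    {"type": "network", "image": r"C:\Users\alice\Downloads\Zoom.exe",
     "url": IOC_PAYLOAD_URL, "dst_ip": "203.0.113.5"},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\Decoder.exe"},
    {"type": "network", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "dst_ip": "79.124.78.206"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\Decoder.exe",
     "hashes": ["32FA5EDF4DA5EFF4CA9313F3466DF85DA73A6E2498B2C88AD1E3403B3979E6F4"]},
    {"type": "process", "image": r"C:\Program Files\Zoom\bin\Zoom.exe",
     "parent_image": r"C:\Windows\explorer.exe"},          # benign
    {"type": "dns", "query": "zoom.us"},                     # benign
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["type"], "->", "; ".join(reasons))
```

The behavioural rules are the part worth keeping after the listed domains and IPs rotate: a signed MSBuild.exe whose parent is an executable in a temp directory, or which opens its own network connections, is unusual outside build servers and is exactly the injection pattern the keypoints describe. Hash matching is done case-insensitively and on SHA256 wherever possible, since the page's two MD5 entries are identical while the stronger digests differ.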

Read more: https://blog.cyble.com/2022/09/19/new-malware-campaign-targets-zoom-users/