Rewterz Threat Alert – Spoofed Google Meet, Skype, Zoom Websites Being Leveraged by Threat Actors to Spread Malware – Active IOCs

Severity

High

Analysis Summary

Fake websites pretending to be popular video conferencing software platforms like Skype, Zoom, and Google Meet are being leveraged by threat actors to propagate several different malware that target both Windows and Android users since at least December 2023.

The threat actors are propagating remote access trojans (RATs) such as DCRAT and NjRAT for Windows and SpyNote RAT for Android devices via these spoofed websites. The fraudulent websites are in Russian and hosted on domains that very closely resemble their legitimate versions as the threat actors use typosquatting to trick the unsuspecting users into installing the malware.

Cybersecurity researchers observed that these websites also have the option to download the app for iOS, Windows, and Android platforms. When the button for Android download is clicked, it installs an APK file, while the Windows button downloads a batch script. The batch script executes a PowerShell script, which then downloads and executes the remote access trojan.

There is no evidence that the attackers are targeting iOS users since clicking the iOS download button redirects the user to the legitimate Apple App Store’s Skype listing. The RATs that are downloaded through these lures are capable of information theft, keylogging, and stealing files.

The development comes due to the revelation of a new malware named WogRAT that targets both Linux and Windows systems by exploiting an online notepad platform available for free named aNotepad as a place to host and retrieve malicious code. It also coincides with the phishing campaigns by a threat actor tracked as TA4903, who is financially motivated and steals corporate credentials via business email compromise (BEC) attacks.

Phishing campaigns are widely used by threat actors to propagate malware families such as Agent Tesla, DarkGate, and Remcos RAT, the third one known for utilizing steganographic decoys to deploy the malware on infected systems. It is important to stay vigilant from such malicious schemes and always check the URL before downloading an app.

Impact

• Sensitive Data Theft
• Keylogging
• Unauthorized Access

Indicators of Compromise

Domain Name

• join-skype.info
• online-cloudmeeting.pro
• us06webzoomus.pro

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Only download apps from official sources like Google Play and App Store.
• Always check if the URL is legitimate before downloading an app.
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders.
• Patch and upgrade any platforms and software on time and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Use automated security scanning tools to analyze dependencies for known vulnerabilities or suspicious code.
• Provide training to developers and team members on secure coding practices, the risks of third-party dependencies, and the importance of code reviews.
• Implement access control measures on your code repositories to restrict who can contribute or make changes to the codebase.
• Maintain regular backups of your critical data to ensure data recovery in case of a security incident.
• Use antivirus and intrusion detection systems to help identify and block malicious activity.
• Implement network segmentation to limit the spread of malware or malicious activities within your network.
• Enforce strong password management practices for your systems and accounts.
• Implement MFA wherever possible to add an extra layer of security.