Fake Zoom Sites Spreading Vidar Stealer
During a routine threat hunting exercise, Cyble Research and Intelligence Labs (CRIL) came across a tweet where a researcher mentioned the creation of multiple fake Zoom sites. All these sites have the same user interface. These sites are created with the express intent of spreading malware disguised as the legitimate Zoom application.
During further investigation, we discovered that these sites were spreading Vidar Stealer. Vidar is an Information Stealing malware that steals the victim’s banking information, saved passwords, IP addresses, browser history, login credentials, and crypto-wallets. This stealer has links to the Arkei stealer. The figure below shows the Fake Zoom Site.
The fake Zoom sites which are currently in use include:
The site redirects to the following GitHub URL in the backend to download the malicious application.
https[:]//github[.]com/sgrfbnfhgrhthr/csdvmghfmgfd/raw/main/Zoom.zip. The figure below shows the redirects that occurred in the backend.
Upon execution, the malicious application drops two binaries in the temporary folder :
Decoder.exe is a malicious .NET binary that injects the malicious stealer code into MSBuild.exe. Microsoft Build Engine (MSBuild) is a platform used to build applications. ZOOMIN~1.EXE is a clean file that launches the legitimate Zoom installer.
The figure below shows the Process Tree of the malicious application.
After being injected into MSBuild.exe, the malware extracts the IP addresses that host the DLLs and configuration data. The malware uses the below mentioned URLs to extract the IP addresses if anyone of them are online.
The figure below shows the malware’s network activity.
Threat Actors (TA) have used this technique to hide Command and Control (C&C) IP addresses. The figure below shows the IP present on the profile description of Telegram user “@karacakahve” and user ID “@tiagoa96” on ieji.de.
The malware receives the configuration data and DLLs from the C&C servers at this stage. The figure below displays the network activity with the C&C server.
We found that this malware had overlapping Tactics, Techniques, and Procedures (TTPs) with Vidar Stealer. In comparison with our previous analysis of Vidar Stealer, this malware Payload hides the C&C IP address in the Telegram description. The rest of the infection techniques appear to be similar.
The figure below shows the Hardcoded stealer strings.
Upon successful execution, the malware uses the following commands to uninstall itself from the victim’s device.
“C:\Windows\System32\cmd.exe” /c taskkill /im MSBuild.exe /f & timeout /t 6 & del /f /q
“C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe” & del C:\PrograData\*.dll & exit
Based on our recent observations, TAs actively run multiple campaigns to spread information stealers. Stealer Logs can provide access to compromised endpoints, which are sold on cybercrime marketplaces. We have seen multiple breaches where stealer logs have provided the necessary initial access to the victim’s network. This campaign appears to target Zoom users. We suggest identifying the legitimacy of the source before downloading any executables.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:
- Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., contains such malware.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
MITRE ATT&CK® Techniques
|Tactic||Technique ID||Technique Name|
|Credential Access||T1555 |
|Credentials from Password Stores |
Steal Web Session Cookie
|Account Discovery |
System Service Discovery
System Location Discovery
|Command and Control||T1095||Non-Application Layer Protocol|
|Exfiltration||T1041||Exfiltration Over C&C Channel|
Indicators of Compromise (IoCs):
|Malicious Zoom Application|