The Zscaler ThreatLabz team recently discovered a threat actor creating fraudulent Skype, Google Meet, and Zoom websites to spread malware. The threat actor spreads Remote Access Trojans (RATs) including SpyNote RAT to Android users and NjRAT and DCRat to Windows users, which can steal confidential information, log keystrokes, and steal files.
The attacker utilized shared web hosting, hosting all these fake online meeting sites on a single IP address. All of the fake sites were in Russian as shown in all the figures below. In addition, the attackers hosted these fake sites using URLs that closely resembled the actual websites.
Attack Sequence
The diagram below illustrates how the malware was distributed and executed on the victim’s machine during the campaign:
When a user visits one of the fake sites, clicking on the Android button initiates the download of a malicious APK file, while clicking on the Windows button triggers the download of a BAT file. The BAT file when executed performs additional actions, ultimately leading to the download of a RAT payload.
The Zscaler sandbox played a vital role in analyzing the behavior of different files. The sandbox analysis allowed us to identify threat scores and pinpoint specific MITRE ATT&CK techniques that were triggered during the analysis process.
The research demonstrates that businesses may be subject to threats that impersonate online meeting applications. In this example, a threat actor is using these lures to distribute RATs for Android and Windows, which can steal confidential information, log keystrokes, and steal files. The findings highlight the need for robust security measures to protect against advanced and evolving malware threats and the importance of regular updates and security patches.
As cyber threats continue to evolve and become increasingly complex, it is critical to remain alert and take proactive measures to protect against them. Zscaler’s ThreatLabz team continues to monitor these threats and share their findings.
For details read the blog post: https://www.zscaler.com/blogs/security-research/android-and-windows-rats-distributed-online-meeting-lures .
