Spoofed Zoom, Google & Skype Meetings Spread Corporate RATs

A threat actor is creating fake Skype, Google Meet, and Zoom meetings, mimicking these popular collaboration applications to spread various commodity malware that can steal sensitive data from both Android and Windows users.

The campaign, which began in December, demonstrates an emerging cybersecurity threat for corporate users, researchers from Zcaler's ThreatLabz revealed in a blog post on March 6. The attackers are using shared Web hosting to host fake online meeting sites on a single IP address, leveraging various URLs that are convincingly similar enough to the actual websites of the services being impersonated. The Skype campaign, for instance, used "join-skype[.]info," while Google Meet users were enticed to join meetings via "online-cloudmeeting[.]pro." The Zoom campaign uses "us06webzoomus[.]pro."

The threat actors are using the gambit to deliver widely available payloads to attack cross-platform users, wielding the Android-focused SpyNote RAT, and the NjRAT and DCRat, which compromise Windows users, the researchers said.

"A threat actor is using these lures to distribute RATs for Android and Windows, which can steal confidential information, log keystrokes, and steal files," ThreatLabz researchers Himanshu Sharma, Arkaprva Tripathl, and Meghraj Nandanwar wrote in the post on the campaign.

The efforts to lure users with Skype and Google Meet began in December, and the attacker started impersonating Zoom in January.

Spoofed Meeting Invites Offer Click-to-Compromise

Just as each campaign has its own lure, so each attack vector was unique in its execution, with some similarities between then. In the Skype campaign, the link leads Windows users to a file named Skype8.exe, a malicious executable disguised as a Skype download, while those clicking on the link via Google Play were pointed to the malicious file Skype.apk. Both files ultimately deliver a malicious payload.

The fake Google Meet site provides links to download a fake Skype application for Android (in actuality, the SpyNote RAT) and/or Windows (a BAT file that downloads the DCRat payload).

The fake Zoom site is a bit different in that it uses an extra trick to try to fool users, presenting a link with a subpath that closely resembles a meeting ID generated by the Zoom client.

There also is a similarity between the fake Google Meet and Zoom websites in that they both also contain an open directory with two additional Windows executable files — driver.exe and meet.exe — hiding NjRAT.

"The presence of these files suggests that the attacker may utilize them in other campaigns, given their distinct names," the researchers noted.

Protecting Business Users from Evolving Cyber Threats

To protect themselves, it's important that enterprises take measures "to protect against advanced and evolving malware threats," according to ThreatLabz.

To that end, the researchers stressed the importance of regular updates and security patches to give attackers fewer entry points to compromise users. They also included in the post a list of specific MITRE ATT&CK techniques triggered during the sandbox analysis process conducted during the research.