These fake Zoom websites want to trick you into downloading malware

Make sure you’re downloading a legitimate version of Zoom


If you’re looking to download the video conferencing platform Zoom, make sure you double-check the internet address you’re downloading from, because there are plenty of fake websites out there spreading all kinds of nasty viruses and malware.

Researchers from Cyble have been investigating reports of a widespread campaign targeting potential Zoom users, and have so far uncovered six fake install sites that host various infostealers and other malware variants.

One of the infostealers uncovered was Vidar Stealer, capable of stealing banking information, stored passwords, browser history, IP addresses, details about cryptocurrency wallets and, in some cases, MFA information as well.

Multiple campaigns


“Based on our recent observations, [criminals] actively run multiple campaigns to spread information stealers,” the researchers said. “Stealer Logs can provide access to compromised endpoints, which are sold on cybercrime marketplaces. We have seen multiple breaches where stealer logs have provided the necessary initial access to the victim’s network.”

The six sites uncovered are zoom-download[.]host, zoom-download[.]space, zoom-download[.]fun, zoomus[.]host, zoomus[.]tech, and zoomus[.]website and, according to The Register, are still operational.
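Defenders who want to act on the domain list above can check download URLs in proxy or DNS logs against an allowlist of legitimate Zoom hosts and the reported fake domains. The script below is an added example, not code from Cyble or The Register; it assumes that zoom.us and zoom.com are the legitimate Zoom download domains (adjust the allowlist for your environment) and uses constructed proxy log lines, not real traffic. It also flags any other host containing "zoom" as a possible lookalike, which goes beyond the six domains the article names.

```python
import re
from urllib.parse import urlparse

# Assumption: these are the legitimate Zoom domains; tune for your environment.
ZOOM_ALLOWLIST = {"zoom.us", "zoom.com"}

# Defanged domains from the Cyble report quoted in the article.
REPORTED_FAKE_DOMAINS = {
    "zoom-download[.]host", "zoom-download[.]space", "zoom-download[.]fun",
    "zoomus[.]host", "zoomus[.]tech", "zoomus[.]website",
}

def refang(indicator: str) -> str:
    """Turn the defanged report form ('[.]', 'hxxp') back into a real domain or URL."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))

def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Sufficient for the .us/.com/.host style TLDs here (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def classify_url(url: str) -> str:
    """Return 'allowed', 'known_fake', 'lookalike' or 'other' for a download URL or bare domain."""
    url = refang(url)
    if "://" not in url:
        url = "http://" + url          # let urlparse see a bare domain as a host
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    if domain in ZOOM_ALLOWLIST:
        return "allowed"
    if domain in {refang(d) for d in REPORTED_FAKE_DOMAINS}:
        return "known_fake"
    if "zoom" in host.lower():
        return "lookalike"             # not on the reported list, but impersonating the brand
    return "other"

# Constructed sample proxy log lines (timestamp, client IP, URL); not real traffic.
SAMPLE_PROXY_LOG = """\
2022-09-26T10:01:02Z 10.0.0.12 https://zoom.us/download
2022-09-26T10:03:15Z 10.0.0.12 https://zoom-download.host/ZoomInstaller.exe
2022-09-26T10:04:40Z 10.0.0.20 http://zoomus.tech/client/ZoomInstaller.exe
2022-09-26T10:05:01Z 10.0.0.31 https://zoom-client-update.example/setup.exe
2022-09-26T10:06:30Z 10.0.0.31 https://example.org/index.html
"""

def flag_proxy_log(log_text: str) -> list:
    """Return (client_ip, url, verdict) for every line that hits a fake or lookalike host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                   # skip malformed lines rather than crash the hunt
        _, client, url = parts
        verdict = classify_url(url)
        if verdict in ("known_fake", "lookalike"):
            hits.append((client, url, verdict))
    return hits

if __name__ == "__main__":
    for client, url, verdict in flag_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{verdict:11s} {client:10s} {url}")
```

The registrable-domain step matters: a real Zoom subdomain such as a regional web client host still resolves to the allowlisted zoom.us, while "zoomus[.]tech" does not, so the check cannot be fooled by extra labels in front of a legitimate name.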


Visitors to these sites are redirected to a GitHub URL listing applications they can download. If the victim chooses the malicious one, two binaries are dropped into the temp folder: ZOOMIN-1.EXE and Decoder.exe. The researchers said the malware also injects itself into MSBuild.exe and retrieves the IP addresses hosting its DLLs, along with configuration data.
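The two dropped file names and the MSBuild.exe injection step described above are the kind of indicators an endpoint hunt can be built on. The following is an added example, not code from the researchers; it assumes process-creation telemetry in a simplified Sysmon style (image path and parent image path), treats paths under AppData\Local\Temp or Windows\Temp as "temp folders", and uses an assumed heuristic (MSBuild.exe whose parent runs from a temp folder) as a proxy for the injection behaviour, since the article does not say how the injection is performed. The sample events are constructed, not real telemetry.

```python
import ntpath
import re

# Indicators quoted in the article: two binaries dropped in the temp folder, and MSBuild.exe as injection target.
DROPPED_NAMES = {"zoomin-1.exe", "decoder.exe"}
INJECTION_HOST = "msbuild.exe"

# Assumption: these directory fragments identify a user or system temp folder.
TEMP_PATH_RE = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\", re.IGNORECASE)

def is_temp_path(path: str) -> bool:
    """True if the Windows path sits under a recognised temp folder."""
    return bool(TEMP_PATH_RE.search(path))

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()

def evaluate_event(event: dict) -> list:
    """Return reason strings for one process-creation event; empty list means nothing matched."""
    reasons = []
    image = event.get("image", "")
    parent = event.get("parent_image", "")
    if basename(image) in DROPPED_NAMES and is_temp_path(image):
        reasons.append(f"dropped binary {basename(image)} executed from temp folder")
    # Assumed heuristic: a legitimate build runs MSBuild from an IDE or build agent, not from Temp.
    if basename(image) == INJECTION_HOST and is_temp_path(parent):
        reasons.append("MSBuild.exe launched by an executable in a temp folder")
    return reasons

# Constructed sample events (simplified Sysmon Event ID 1 fields); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Users\alice\AppData\Local\Temp\ZOOMIN-1.EXE",
     "parent_image": r"C:\Users\alice\Downloads\ZoomInstaller.exe"},
    {"host": "WS01", "image": r"C:\Users\alice\AppData\Local\Temp\Decoder.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\ZOOMIN-1.EXE"},
    {"host": "WS01", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\Decoder.exe"},
    # Benign: MSBuild started by Visual Studio on a build machine should not fire.
    {"host": "BUILD01", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    # Benign: the real Zoom client launched from Explorer.
    {"host": "WS02", "image": r"C:\Program Files\Zoom\bin\Zoom.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

def hunt(events: list) -> list:
    """Return (host, image, reasons) for each event matching at least one indicator."""
    findings = []
    for ev in events:
        reasons = evaluate_event(ev)
        if reasons:
            findings.append((ev["host"], ev["image"], reasons))
    return findings

if __name__ == "__main__":
    for host, image, reasons in hunt(SAMPLE_EVENTS):
        print(host, image, "; ".join(reasons))
```

File names alone are weak indicators, since an attacker can rename a dropper, so the parent-child relationship around MSBuild.exe is the more durable of the two checks and is also the one most likely to need tuning on hosts that legitimately run builds.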

“We found that this malware had overlapping Tactics, Techniques, and Procedures (TTPs) with Vidar Stealer,” the researchers wrote, adding that, like Vidar Stealer, “this malware payload hides the C&C IP address in the Telegram description. The rest of the infection techniques appear to be similar.”


The best way to avoid this malware is to double-check where you’re getting your Zoom programs from.

Via: The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
