Look Out for Malware-Delivering Spoofing Websites for Skype, Zoom, and Google Meet

Since December 2023, threat actors have been using fictitious websites that promote well-known video conferencing apps like Zoom, Skype, and Google Meet to spread a range of malware that targets users of Windows and Android.

“The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT & DCRat for Windows systems,” the researchers at Zscaler ThreatLabz reported.

The fact that the spoof websites are housed on domains that closely resemble authentic websites and are written in Russian suggests that the attackers are employing typosquatting techniques to deceive potential victims into downloading the malware.

The sites also offer download links for Windows, iOS, and Android. Clicking the Windows button downloads a batch script, while clicking the Android button downloads an APK file. The batch script runs a PowerShell script, which in turn downloads and executes the remote access trojan.

Since tapping the iOS app's button directs users to Skype's official Apple App Store listing, there is currently no proof that the threat actor is focusing on iOS users. “A threat actor is using these lures to distribute RATs for Android and Windows, which can steal confidential information, log keystrokes, and steal files,” according to the investigators.
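A defender-side check for the kind of lookalike domains described above, added here as an example and not code from Zscaler or the original article. The official-domain list, brand tokens and homoglyph map are assumptions, and the sample hosts used in the triage call are constructed:

```python
from __future__ import annotations

# Official registrable domains per brand (assumption: the hosts a defender
# would allow-list for these apps; extend as needed).
OFFICIAL = {"skype": {"skype.com"}, "zoom": {"zoom.us", "zoom.com"}, "meet": {"google.com"}}
# Brand tokens whose presence in a non-official hostname is suspicious.
TOKENS = {"skype": ["skype"], "zoom": ["zoom"], "meet": ["meet.google", "meetgoogle", "googlemeet"]}
# A few digit/letter substitutions typosquatters use; normalized away before matching.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(host: str) -> str:
    """Lower-case, drop hyphens and fold common homoglyphs so zo0m-x == zoomx."""
    host = host.lower().rstrip(".").replace("-", "")
    for bad, good in HOMOGLYPHS.items():
        host = host.replace(bad, good)
    return host


def classify(host: str) -> tuple[str, str | None]:
    """Return (verdict, brand) where verdict is 'official', 'lookalike' or 'unrelated'."""
    labels = normalize(host).split(".")
    if len(labels) < 2:
        return "unrelated", None
    registrable = ".".join(labels[-2:])  # naive eTLD+1; a public-suffix list is better
    for brand, domains in OFFICIAL.items():
        if registrable in domains:
            return "official", brand
    norm = ".".join(labels)
    for brand, tokens in TOKENS.items():
        # Brand name embedded in an unofficial host, e.g. skype-download.example.
        # Short tokens such as "zoom" will also hit unrelated words; treat as a lead, not proof.
        if any(t in norm for t in tokens):
            return "lookalike", brand
        # One edit away from the brand label, e.g. skyp.example
        if any(levenshtein(labels[-2], t) <= 1 for t in tokens if "." not in t):
            return "lookalike", brand
    return "unrelated", None


def triage(hosts: list[str]) -> dict[str, list[str]]:
    """Group hosts by verdict so lookalikes can be routed to blocklists or alerts."""
    out: dict[str, list[str]] = {"official": [], "lookalike": [], "unrelated": []}
    for h in hosts:
        out[classify(h)[0]].append(h)
    return out


if __name__ == "__main__":
    # Constructed sample hosts (not indicators from the campaign).
    print(triage(["skype.com", "meet.google.com", "skyp.example", "zo0m-download.example", "github.com"]))
```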

This development coincides with the discovery by the AhnLab Security Intelligence Center (ASEC) of a new malware known as WogRAT that targets both Linux and Windows. WogRAT abuses the open-source “aNotepad” platform as a stealthy way to store and retrieve malicious code.

According to reports, it has been operating since at least late 2022 and primarily targets Asian countries such as China, Hong Kong, Japan, and Singapore. However, how the malware spreads in the wild is currently unknown.

Upon first execution, WogRAT gathers basic information about the compromised system and transmits it to the command-and-control server. From then on, ASEC stated, the malware is capable of executing commands, sending back the results, downloading files, and uploading data.

The disclosure also coincides with large-scale phishing campaigns run by TA4903, a financially motivated cybercriminal actor, aimed at harvesting corporate credentials for possible use in Business Email Compromise (BEC) attacks. The adversary has been active since at least 2019, and its activity accelerated from mid-2023.

“TA4903 frequently runs campaigns to steal business credentials by impersonating different U.S. government agencies. In addition, the actor parodies businesses in several industries, such as banking, healthcare, food and beverage, and construction,” stated Proofpoint. To bypass two-factor authentication (2FA), the attack chains use the EvilProxy adversary-in-the-middle (AitM) phishing kit, as well as QR codes, for credential phishing.

With the ultimate goal of hijacking active email threads and committing invoice fraud, the threat actor has been observed searching for information about payments, invoices, and bank details after gaining access to a target mailbox. The phishing campaigns have also served as a distribution channel for other malware families, such as Remcos RAT and DarkGate.