Since December 2023, cyber threat actors have been exploiting fake websites that advertise popular video conferencing software like Google Meet, Skype, and Zoom to distribute various types of malware. These malicious sites, designed to look like the legitimate platforms, are primarily targeting Android and Windows users.
The researchers have identified that these sites are hosting Remote Access Trojans (RATs), including SpyNote RAT for Android and NjRAT and DCRat for Windows systems. The spoofed websites are predominantly in Russian and use domains that closely mimic the legitimate ones, indicating that the attackers are employing typosquatting tactics to trick users into downloading malware.
The fake sites offer download options for Android, iOS, and Windows apps. Clicking on the Android download button initiates the download of an APK file, while clicking on the Windows app button triggers the download of a batch script. The batch script then executes a PowerShell script, which downloads and runs the remote access trojan.
There is currently no evidence to suggest that iOS users are being targeted, as clicking on the iOS app button redirects users to the legitimate Apple App Store listing for Skype.
“The threat actor is using these lures to distribute RATs for Android and Windows, which can steal confidential information, log keystrokes, and steal files,” the researchers noted.
Meanwhile, the other researcher has uncovered a new malware called WogRAT, which targets both Windows and Linux systems. WogRAT is utilizing a free online notepad platform called aNotepad to host and retrieve malicious code, with activity dating back to at least late 2022, primarily targeting Asian countries such as China, Hong Kong, Japan, and Singapore.
In a separate development, TA4903, a financially motivated cybercriminal actor, has been orchestrating high-volume phishing campaigns aimed at stealing corporate credentials, potentially followed by business email compromise (BEC) attacks. Active since at least 2019, TA4903 frequently impersonates various U.S. government entities and organizations in sectors like construction, finance, healthcare, and food and beverage.
These phishing campaigns also serve as a conduit for other malware families, including DarkGate, Agent Tesla, and Remcos RAT. Remcos RAT, in particular, employs steganographic decoys to drop malware on compromised hosts.
To prevent falling victim to malware distributed through fake video conferencing sites, it’s crucial to always verify the legitimacy of the website before downloading any software. Ensure that the website’s URL is correct and matches the official URL of the video conferencing platform. Additionally, only download software from official app stores or websites to minimize the risk of downloading malicious files.