Look Out! Fake Zoom Download Links Spread Dangerous Malware

Jakarta, Spasi-id.com - Work from home (WFH), adopted by companies around the world because of the impact of COVID-19, has made video-conferencing applications such as Zoom far more popular.

However, online criminals are also exploiting this situation to commit fraud.

Many online criminals set up fake websites to spread all kinds of viruses and malware. Most recently, researchers from Cyble found a large campaign targeting Zoom users.

Cyble, a global cyber-intelligence company, found six fake sites distributing various infostealers (malware that steals information) and other malware variants.

One of the payloads the researchers found is Vidar Stealer, which can steal banking information, saved passwords, browser history, IP addresses, details of cryptocurrency wallets and other information.

"Based on our recent observations, (threat actors) actively ran several campaigns to spread information stealers," the Cyble researchers reveal.

"Stealer logs can provide access to the compromised endpoint, which is sold on cybercrime marketplaces. We have seen many breaches in which stealer logs provided the initial access needed into the victims' network," they added.

As reported by TechRadar on Monday, September 26, the researchers found six addresses: zoom-download(dot)host, zoom-download(dot)space, zoom-download(dot)fun, zoomus(dot)host, zoomus(dot)tech, and zoomus(dot)website. All of them were said to still be operational.

When one of these websites is opened, visitors are redirected to a GitHub URL that shows which applications they can download.

If a visitor is tricked into clicking a fake application, two binaries are dropped in the temp folder: ZOOMIN-1.EXE and Decoder.exe.

In addition, the malware injects itself into MSBuild.exe and fetches a DLL and configuration data from a remote IP address.

"We found that this malware's Tactics, Techniques and Procedures overlap with Vidar Stealer. (Like Vidar Stealer,) this malware payload hides its C&C IP address in a Telegram description. The infection techniques also appear similar,

Finally, according to the researchers, there is no other way to avoid this malware: Zoom users must double-check where they obtained their Zoom application and be careful when clicking on suspicious links.
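As an added example (not code from the article, from Cyble or from Zoom), the following Python triage script applies the advice above to web-proxy logs. It takes the six domains reported in the article as a blocklist, uses an allow-list of zoom.us and zoom.com as the only hosts a genuine Zoom installer should come from (an assumption; adjust it to your environment), and flags any request to a host that contains the string "zoom" but is not registered under one of those allowed domains. The proxy log lines and the small two-label suffix table are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# The six fake domains reported in the article, written normally.
REPORTED_FAKE_ZOOM_DOMAINS = {
    "zoom-download.host",
    "zoom-download.space",
    "zoom-download.fun",
    "zoomus.host",
    "zoomus.tech",
    "zoomus.website",
}

# Assumption (not from the article): the registrable domains a Zoom
# installer may legitimately be downloaded from. Adjust to your allow-list.
LEGIT_ZOOM_DOMAINS = {"zoom.us", "zoom.com"}

# Constructed mini public-suffix table so that e.g. "foo.co.id" is treated as
# one registrable domain. Production code should use the real public suffix list.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.id"}


def registered_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain (eTLD+1)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(url: str) -> str:
    """Extract the hostname from a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def classify(url: str) -> str:
    """Return 'legit', 'known-fake', 'lookalike' or 'unrelated' for a URL."""
    host = host_of(url)
    rd = registered_domain(host)
    if rd in LEGIT_ZOOM_DOMAINS:
        return "legit"
    if rd in REPORTED_FAKE_ZOOM_DOMAINS:
        return "known-fake"
    # Brand string anywhere in the host (including subdomains such as
    # zoom.us.<attacker>) but not registered to Zoom: treat as a lookalike.
    # This is a triage heuristic and may flag unrelated brands containing "zoom".
    if "zoom" in host:
        return "lookalike"
    return "unrelated"


# Constructed sample proxy log (not real traffic):
# <timestamp> <client-ip> <method> <url> <status>
SAMPLE_PROXY_LOG = """\
2022-09-26T09:01:11Z 10.0.0.12 GET https://zoom.us/download 200
2022-09-26T09:02:30Z 10.0.0.12 GET http://zoom-download.host/ 200
2022-09-26T09:05:02Z 10.0.0.40 GET https://zoom.us.login-verify.xyz/app.exe 200
2022-09-26T09:06:44Z 10.0.0.55 GET https://www.example.com/ 200
2022-09-26T09:07:10Z 10.0.0.55 GET https://zoomus.tech/ZoomInstaller.exe 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def find_suspicious(log_text: str) -> list:
    """Parse proxy log lines and return those hitting fake or lookalike Zoom hosts."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crashing the sweep
        verdict = classify(m["url"])
        if verdict in ("known-fake", "lookalike"):
            hits.append(
                {"ts": m["ts"], "client": m["client"], "url": m["url"], "verdict": verdict}
            )
    return hits


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_PROXY_LOG):
        print(f"{h['ts']} {h['client']} {h['verdict']:<10} {h['url']}")
```

Because the article notes that the fake sites hand the visitor off to a GitHub URL, a host-based check like this catches the landing page but not the download itself; pair it with verifying the downloaded installer's publisher signature before it is run.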