If you want to get the video conferencing platform Zoom, make sure you double-check the internet address you're downloading it from, since there are fraudulent websites out there serving a wide variety of nasty viruses and malware.
Cyble researchers have investigated reports of a large campaign targeting would-be Zoom users and have now discovered six fake installation sites that are used to distribute information stealers and other malware.
Vidar Stealer, which has been identified as the likely information stealer involved, is capable of stealing banking information, stored passwords, browser history, IP addresses, information about cryptocurrency wallets and, in some instances, MFA information.
"We have seen multiple breaches where stealer logs have provided the necessary initial access to the victim's network," the researchers said. "In response to our recent observations, [criminals] are deploying diverse actions to promote information stealers," the researchers said. "Stealer Logs can provide access to compromised endpoints, which are sold on cybercrime marketplaces. We have seen several breaches where stealer logs have provided the necessary initial access to the victim's network."
The six sites uncovered are zoom-download[.]host; zoom-download[.]space, zoom-download[.]fun, zoomus[.]host, zoomus[.]tech, and zoomus[.]website, according to The Register.
Visitors to the GitHub URL are served two binaries, dropped in the temp folder: ZOOMIN-1.EXE and Decoder.exe. The malware also injects itself into MSBuild.exe and then retrieves IP addresses as well as configuration information.
"We found that this malware had overlapping Tactics, Techniques, and Procedures (TTPs) with Vidar Stealer," researchers said, adding that, like Vidar Stealer, "this malware payload hides the C&C IP address in the Telegram description. The rest of the infection techniques appear similar."
The best way to avoid this malware is to double-check where you're getting your Zoom installer from.
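One way to operationalise that advice on the defender side is to flag installer downloads from Zoom-lookalike hosts in web-proxy logs. The script below is an added example, not code from the article or from Cyble; the proxy log lines and the allowlist of legitimate Zoom hosts (zoom.us and its subdomains) are constructed assumptions, and the suspicious hosts are the six domains named above, refanged.

```python
"""Flag Zoom-lookalike download hosts in web-proxy logs (added example)."""
from urllib.parse import urlsplit

# Assumption: a genuine Zoom client download comes from zoom.us or one of
# its subdomains. Extend this tuple to match your own environment.
LEGIT_SUFFIXES = ("zoom.us",)

# Constructed proxy log lines in the form "<timestamp> <client-ip> <url>".
# Two of the URLs use domains named in the article (refanged).
SAMPLE_LOG = """\
2022-11-18T10:01:02Z 10.0.0.5 https://zoom.us/client/latest/ZoomInstaller.exe
2022-11-18T10:03:14Z 10.0.0.7 https://zoom-download.host/ZoomInstaller.exe
2022-11-18T10:04:55Z 10.0.0.9 https://cdn.zoom.us/prod/5.12.8/ZoomInstaller.exe
2022-11-18T10:06:30Z 10.0.0.7 https://zoomus.website/download
2022-11-18T10:08:00Z 10.0.0.3 https://example.com/index.html
"""


def host_is_legit(host: str) -> bool:
    """True if host is exactly zoom.us or a subdomain of it.

    The comparison is on the dot boundary, so "evilzoom.us" is not legit
    even though it ends with the characters "zoom.us".
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def looks_like_zoom(host: str) -> bool:
    """True if the host name trades on the Zoom brand but is not legit."""
    return "zoom" in host.lower() and not host_is_legit(host)


def flag_lookalikes(log_text: str) -> list[tuple[str, str]]:
    """Return (client-ip, host) pairs for requests to Zoom lookalike hosts."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _, client, url = parts
        host = urlsplit(url).hostname or ""
        if looks_like_zoom(host):
            flagged.append((client, host))
    return flagged


if __name__ == "__main__":
    for client, host in flag_lookalikes(SAMPLE_LOG):
        print(f"{client} fetched from Zoom lookalike host {host}")
```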