New malware is spreading disguised as a legitimate Zoom app

While Cyble Research and Intelligence Labs (CRIL) was performing routine threat hunting, its researchers came across a tweet mentioning the creation of many fake Zoom sites.

These sites share very similar user interfaces, and their purpose is to infect visitors with malware disguised as a legitimate Zoom application, using the sites as the delivery vehicle.

Further investigation by security analysts showed that the sites are spreading Vidar Stealer, an information stealer that harvests the following data from its victims:-

  • Bank information
  • Saved passwords
  • IP addresses
  • Browser history
  • Login credentials
  • Crypto-wallets

Vidar is linked to the Arkei stealer.

Fake Zoom Sites


There are a number of fake Zoom sites currently being used by threat actors, including the following:-

  • zoom-download[.]host
  • zoom-download[.]space
  • zoom-download[.]fun
  • zoom in[.]host
  • zoom in[.]technology
  • zoom in[.]website

The fake sites fetch the malicious application from this GitHub URL:-

  • https[:]//github[.]com/sgrfbnfhgrhthr/csdvmghfmgfd/raw/main/
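As an added example (not from the report or from Cyble's own tooling), the Python below scans constructed proxy log lines for requests to hosts that trade on the Zoom name but are not Zoom domains, refanging the indicators listed above so they can be compared directly. The allowlist of legitimate Zoom domains, the log format, the sample lines, and the two-label approximation of the registrable domain are assumptions of the example.

```python
import re

# Assumption for this example: the domains Zoom legitimately uses.
# Verify against your own allowlist before deploying.
ZOOM_ALLOWLIST = {"zoom.us", "zoom.com"}

# Defanged indicators quoted in the report (well-formed ones only).
REPORTED_FAKE_SITES = [
    "zoom-download[.]host",
    "zoom-download[.]space",
    "zoom-download[.]fun",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('zoom[.]us', 'hxxp[:]//') back into a real one."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels.

    Good enough for the .host/.space/.fun TLDs seen here; a real deployment
    should consult the Public Suffix List to handle suffixes like co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_zoom_lookalike(host: str) -> bool:
    """True when the registrable domain carries the Zoom brand but is not Zoom's."""
    rd = registrable_domain(host)
    return "zoom" in rd and rd not in ZOOM_ALLOWLIST


# Constructed proxy log: "<timestamp> <client ip> <method> <url>" per line.
SAMPLE_PROXY_LOG = """\
2022-09-05T10:01:02Z 10.0.0.12 GET https://zoom.us/download
2022-09-05T10:02:17Z 10.0.0.14 GET https://zoom-download.host/Zoom.exe
2022-09-05T10:02:40Z 10.0.0.14 GET https://github.com/sgrfbnfhgrhthr/csdvmghfmgfd/raw/main/Zoom.exe
2022-09-05T10:03:55Z 10.0.0.20 GET https://us02web.zoom.us/j/123456789
2022-09-05T10:04:10Z 10.0.0.21 GET https://zoom-download.space/index.html
2022-09-05T10:05:00Z 10.0.0.22 GET https://example.com/zoom-tips
"""

URL_HOST = re.compile(r"^https?://([^/:\s]+)")


def find_lookalike_hits(log_text: str) -> list:
    """Return (client_ip, host) for every request to a Zoom-lookalike host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        match = URL_HOST.match(parts[3])
        if match and is_zoom_lookalike(match.group(1)):
            hits.append((parts[1], match.group(1)))
    return hits


if __name__ == "__main__":
    for site in REPORTED_FAKE_SITES:
        print(f"{site} -> {refang(site)} lookalike={is_zoom_lookalike(refang(site))}")
    for client, host in find_lookalike_hits(SAMPLE_PROXY_LOG):
        print(f"ALERT {client} requested {host}")
```

Note that the check keys on the registrable domain rather than the full URL, so a legitimate `us02web.zoom.us` subdomain passes while `zoom-download.host` is caught; a path such as `/zoom-tips` on an unrelated domain does not trigger it.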

The malicious application drops two binaries, Decoder.exe and ZOOMIN~1.EXE, into the temporary folder of the target machine.

Chain of infection

The malicious .NET binary, Decoder.exe, injects into MSBuild.exe and runs the attackers’ code there in order to steal information from the machine.

MSBuild (Microsoft Build Engine) is the platform used to build applications written for the .NET Framework. ZOOMIN~1.EXE, by contrast, is a clean file that simply runs the genuine Zoom installer.

Running inside MSBuild.exe, the malware retrieves the IP addresses from which it then fetches its DLLs and configuration information.

The malware then receives configuration data and DLLs from its command and control servers. Once it has finished, it removes itself from the victim’s device with the following command line, which kills the MSBuild.exe process, waits six seconds, and then deletes the MSBuild.exe binary and the DLLs under C:\ProgramData:-

  • "C:\Windows\System32\cmd.exe" /c taskkill /im MSBuild.exe /f & timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & del C:\ProgramData\*.dll & exit
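As an added example (not from the report), the Python below runs two hunting checks over constructed process-creation events: it scores a command line against the features of the cleanup one-liner quoted above (kill MSBuild.exe, timed delay, delete the MSBuild.exe binary, delete DLLs under C:\ProgramData), and it flags MSBuild.exe started by a process running from a Temp directory. The event format, the sample events, and the assumption that the dropper launches MSBuild.exe from the temporary folder are the example's own; the report only states that Decoder.exe is dropped there and injects into MSBuild.exe.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    """Minimal process-creation record. Constructed for this example; the
    fields mirror what Sysmon Event ID 1 or EDR telemetry provides."""
    time: str
    parent_image: str
    image: str
    command_line: str


# Features of the cleanup one-liner quoted in the report, kept as separate
# regexes so that a partially rewritten variant still scores.
TASKKILL_MSBUILD = re.compile(r"taskkill\s+/im\s+msbuild\.exe", re.I)
DELAY_THEN_DEL = re.compile(r"timeout\s+/t\s+\d+\s*&\s*del\b", re.I)
DEL_PROGRAMDATA_DLL = re.compile(r"del\b[^&]*\\ProgramData\\\*\.dll", re.I)
DEL_MSBUILD_BINARY = re.compile(r"del\b[^&]*MSBuild\.exe", re.I)

# Assumption: the dropper runs from the user's temp folder, so MSBuild.exe
# whose parent lives there is worth a look (the report does not state this).
TEMP_DIR = re.compile(r"\\(Temp|Tmp)\\", re.I)


def score_self_deletion(cmdline: str) -> int:
    """Number of features of the reported cleanup command present in cmdline."""
    patterns = (TASKKILL_MSBUILD, DELAY_THEN_DEL, DEL_PROGRAMDATA_DLL, DEL_MSBUILD_BINARY)
    return sum(1 for p in patterns if p.search(cmdline))


def msbuild_from_temp(ev: ProcessEvent) -> bool:
    """MSBuild.exe started by an executable located in a Temp directory."""
    return ev.image.lower().endswith("\\msbuild.exe") and bool(TEMP_DIR.search(ev.parent_image))


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a finding name, or None when the event looks benign."""
    # Two or more features rules out a lone 'taskkill' by an administrator.
    if score_self_deletion(ev.command_line) >= 2:
        return "msbuild-self-deletion"
    if msbuild_from_temp(ev):
        return "msbuild-launched-from-temp"
    return None


def hunt(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (time, finding) for every event that trips a check."""
    results = []
    for ev in events:
        finding = classify(ev)
        if finding:
            results.append((ev.time, finding))
    return results


# Constructed sample telemetry: a normal Visual Studio build, an admin killing
# Notepad, the assumed dropper launching MSBuild, and the quoted cleanup line.
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    ProcessEvent("10:00:01", r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
                 MSBUILD, r"MSBuild.exe /t:Build App.csproj"),
    ProcessEvent("10:00:05", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c taskkill /im notepad.exe /f"),
    ProcessEvent("10:02:45", r"C:\Users\victim\AppData\Local\Temp\Decoder.exe", MSBUILD, '"' + MSBUILD + '"'),
    ProcessEvent("10:03:10", MSBUILD, r"C:\Windows\System32\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /c taskkill /im MSBuild.exe /f & timeout /t 6 & del /f /q '
                 r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & del C:\ProgramData\*.dll & exit'),
]

if __name__ == "__main__":
    for time, finding in hunt(SAMPLE_EVENTS):
        print(f"{time} {finding}")
```

The scoring threshold is deliberately set at two features: a lone `taskkill /im MSBuild.exe` is something a developer might type, whereas killing MSBuild and then deleting its binary or wiping `C:\ProgramData\*.dll` in the same command has no legitimate build use.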


Below are the recommendations provided by the security experts:-

  • Avoid downloading pirated software from warez/torrent websites.
  • Use strong passwords.
  • Where possible, ensure that multi-factor authentication is implemented.
  • Make sure your mobile phone, computer, and other internet-connected devices are set to update automatically.
  • Use a reputable anti-virus program on every device that connects to the Internet.
  • Do not open untrusted links or attachments without first verifying that they are genuine.
  • Educate employees on how to safely handle phishing emails and untrusted URLs.
  • Block URLs that could be used to spread malware.
  • Monitor for beaconing at the network level to detect data exfiltration by malware.
