Severity
High
Analysis Summary
Researchers have observed a recent increase in the number of malicious ads on Google Search for the keyword “Zoom”, a widely used video conferencing application. Judging from the different keywords used, these campaigns most likely target cryptocurrency users and IT administrators.
Two prominent campaigns were observed abusing Google Ads. One of them delivers a previously unknown loader dubbed HiroshimaNukes, which drops another payload made to steal sensitive user data. The other campaign is propagating FakeBat loader where the attackers were seen tracking their victims using a new panel called Hunting Panel 1.40. FakeBat is mostly used by cybercriminals as the initial access vector.
The threat actors utilize various fake identities to create different advertiser accounts. Some of these ads have different advertiser IDs yet the infrastructure used in the backend is the same. They also use existing advertising accounts with thousands of already-posted ads, which indicates that the threat actors may have compromised legitimate user accounts to use in the campaign.
Cybersecurity experts said, “While we don’t know how many people may have fallen for these Zoom malvertising campaigns, we can say that the number of ads and their positioning was prominent enough to generate a substantial amount of traffic.”
In this malvertising campaign the attackers use ad tracking templates to hide the redirection mechanism, so the displayed URL appears to belong to a legitimate Zoom website. They leverage tracking services such as AppsFlyer and HYROS to redirect unsuspecting users to their malicious websites.
HiroshimaNukes is a new piece of malware that uses various techniques to evade detection by security solutions, such as DLL side-loading and inflating its payloads to a large size. Its end goal is to deliver additional malware, usually a stealer for data exfiltration.

Users who search Google for Zoom are shown top sponsored results that the threat actor abuses to target them. When a victim clicks on the ad, it redirects to an actor-controlled domain that checks the visitor’s IP address and then redirects either to the legitimate Zoom website or to a fake Zoom website, depending on certain conditions. Targeted users who reach the malicious website see a page that looks like a copy of the real Zoom website. In this way, users are tricked into downloading a file named “ZoomInstaller.zip”, which extracts to one executable file and several DLL files.
DLL side-loading is a technique that attackers use for detection evasion. It involves replacing a legitimate DLL file used by a program with a malicious one of the same name. The archive also contains a legitimate binary named “_Zoom.exe” that is signed by Zoom Video Communications, Inc. Once this application is launched, it automatically loads the DLL file by name without validating it.
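As an added example (not part of the alert), the Python below runs a lookalike-installer check over a few constructed proxy log lines: it flags installer downloads from hosts or filenames that imitate Zoom but do not belong to a Zoom domain, which is the download step the two paragraphs above describe. The log format, the domain list and the `.example` hosts are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log lines (not from the alert): client, HTTP referrer, requested URL.
SAMPLE_LOG = """\
10.0.0.5 referer=https://www.google.com/search?q=zoom url=http://zoom-us.example/ZoomInstaller.zip
10.0.0.6 referer=https://www.google.com/search?q=zoom url=https://zoom.us/client/latest/ZoomInstaller.exe
10.0.0.7 referer=- url=https://cdn.example.net/fonts/Zoom-x64.msix
10.0.0.8 referer=https://www.google.com/search?q=zoom url=https://zoom.us/download
10.0.0.9 referer=https://www.google.com/search?q=zoom url=https://z00m-app.example/setup.zip
"""

LEGIT_ZOOM_DOMAINS = {"zoom.us", "zoom.com"}          # assumption: the vendor's real domains
INSTALLER_EXT = (".zip", ".msix", ".msi", ".exe")
LINE_RE = re.compile(r"^(?P<client>\S+) referer=(?P<ref>\S+) url=(?P<url>\S+)$")

def registrable_domain(host):
    """Last two labels; a crude stand-in for a public-suffix lookup (assumption)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])

def is_suspicious(url):
    """Installer download from a host or filename that imitates Zoom but is not a Zoom domain."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    # Fold the common digit-for-letter trick (z00m) before looking for the brand name.
    brand_in_host = "zoom" in host.replace("0", "o")
    brand_in_file = "zoom" in path.rsplit("/", 1)[-1]
    if registrable_domain(host) in LEGIT_ZOOM_DOMAINS:
        return False
    return (brand_in_host or brand_in_file) and path.endswith(INSTALLER_EXT)

def scan(log_text):
    """Return (client, url, came_from_search) for every suspicious download in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_suspicious(m["url"]):
            hits.append((m["client"], m["url"], "/search?" in m["ref"]))
    return hits
```

The third field tells an analyst whether the download followed a search-engine visit, which is the path the sponsored-result abuse takes.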
The HiroshimaNukes dropper spawns a new executable that is padded with junk code so that its large size helps it evade detection. Examining its strings makes clear that it is a stealer focused on cryptocurrency wallets. Meanwhile, the FakeBat loader payload used in the campaign has an interesting update: the threat actors track victims using a control panel called Hunting Panel 1.40, which has not been seen before.
The installer comes with various files, but the real malicious components are stored in PowerShell scripts, which gives higher infection chances than a traditional malware binary. Decoding the Base64-encoded scripts reveals the malware’s C2 server, commands that send system information and details of installed security software, and a GPG-encrypted payload that is decrypted while the script runs. Malvertising is gaining popularity among threat actors as a preferred initial access vector because it lets them bypass security checks.
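As an added example (not the campaign’s script or the alert’s own code), the Python below performs the triage step the paragraph above describes: it peels nested Base64 layers out of a PowerShell stage, including the UTF-16LE form that `-EncodedCommand` uses, and collects the URLs from every decoded layer as indicators to block or hunt for. The sample script and the `c2.example.invalid` host are constructed.

```python
import base64
import binascii
import re

# Constructed sample (not the alert's script): a PowerShell -EncodedCommand blob
# (UTF-16LE Base64) wrapping a second, UTF-8 Base64 stage that names the C2 URLs.
STAGE2 = "$c2='http://c2.example.invalid/gate';$pl='http://c2.example.invalid/ld/pl.tar.gpg'"
STAGE1 = ("$s=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
          + base64.b64encode(STAGE2.encode()).decode() + "'));iex $s")
SAMPLE_SCRIPT = "powershell -EncodedCommand " + base64.b64encode(
    STAGE1.encode("utf-16le")).decode()

B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")   # long Base64-looking runs only
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

def decode_blob(blob):
    """Decode one Base64 run as UTF-16LE (PowerShell's -EncodedCommand) or UTF-8 text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error:
        return None
    # UTF-16LE ASCII text has a zero high byte in every second position.
    if len(raw) % 2 == 0 and raw[1::2].count(0) > 0.9 * (len(raw) // 2):
        return raw.decode("utf-16le", errors="replace")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None

def unwrap(script, max_depth=5):
    """Peel nested Base64 layers, returning every decoded layer (outermost first)."""
    layers = [script]
    for _ in range(max_depth):
        decoded = [t for t in map(decode_blob, B64_RE.findall(layers[-1])) if t]
        if not decoded:
            break
        layers.append("\n".join(decoded))
    return layers

def extract_urls(script):
    """Collect every URL seen in any decoded layer; these are the indicators to hunt for."""
    urls = set()
    for layer in unwrap(script):
        urls.update(URL_RE.findall(layer))
    return sorted(urls)
```

Calling `extract_urls(SAMPLE_SCRIPT)` returns both constructed C2 URLs even though neither appears in the outer script text.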
Impact
- Sensitive Information Theft
- Cryptocurrency Theft
- Financial Loss
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Implement a web application firewall to filter out malicious traffic and protect against common web-based threats.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Be vigilant and thoroughly check the URL to see if it’s legitimate before downloading apps.