Skype, Google Meet, and Zoom Used in New Trojan Scam Campaign

Researchers at Zscaler have disclosed details of a campaign, ongoing since at least December 2023, in which actors distribute remote access trojans for Android and Windows through fraudulent Skype, Google Meet, and Zoom websites. These sites seem to be hosted on a single IP address and closely resemble the legitimate websites being impersonated. Unsuspecting users visiting the sites are deceived into downloading a fake application masquerading as one from the above-mentioned vendors. Clicking the download button results in the execution of a BAT file designed to download the final payload, which in this case is SpyNote RAT for Android users and NjRAT and DCRat for Windows users.

Security Officer Comments:
The latest campaign has yet to be attributed to a particular threat group. According to researchers, the websites are in Russian, indicating that an actor based in Russia is behind them. The sites use a URL naming convention that includes the names of the applications being impersonated, making it easier to trick unsuspecting end users. Given that trojans like NjRAT and DCRat are being used to infect victims, the actors can steal confidential information and log keystrokes, which can then be used in further attacks such as account compromises.

Suggested Corrections:
In general, users should be careful when browsing the web and avoid downloading applications from shady sites. Closely examining the URL and web contents can help identify such sites. Before installing software or applications downloaded online, scanning them with antivirus solutions like ESET can also aid in deterring potential malware infections.
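The URL check recommended above can also be run over proxy or DNS logs to surface hostnames that borrow a brand name without belonging to the vendor. This is an added example, not taken from Zscaler's report; the allowlist, the log format and the `.example` hostnames are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: brand keyword -> registrable domains the real vendor serves from.
OFFICIAL = {
    "skype": {"skype.com"},
    "meet": {"google.com"},   # Google Meet lives at meet.google.com
    "zoom": {"zoom.us", "zoom.com"},
}

def registrable(host):
    """Naive registrable domain (last two labels); use a Public Suffix List in production."""
    return ".".join(host.split(".")[-2:])

def impersonated_brand(url):
    """Return the brand keyword a URL's hostname borrows without belonging to
    the vendor, or None when the host is official or carries no keyword."""
    if "://" not in url:
        url = "//" + url              # let urlsplit treat a bare host/path as netloc
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for brand, domains in OFFICIAL.items():
        if brand in host and registrable(host) not in domains:
            return brand
    return None

def scan(log_lines):
    """Return (client, url, brand) for each log line whose URL looks like a lookalike."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue                  # skip malformed lines instead of crashing
        client, url = parts[1], parts[2]
        brand = impersonated_brand(url)
        if brand:
            hits.append((client, url, brand))
    return hits

# Constructed sample proxy log lines (timestamp, client, URL); not real indicators.
SAMPLE = [
    "2024-03-01T09:00:01Z 10.0.0.5 https://join-skype.example/download",
    "2024-03-01T09:00:07Z 10.0.0.6 https://meet.google.com/abc-defg-hij",
    "2024-03-01T09:01:12Z 10.0.0.7 http://us-webzoom.example/client.bat",
    "2024-03-01T09:02:30Z 10.0.0.8 https://zoom.us/download",
    "2024-03-01T09:03:44Z 10.0.0.9 meet.google.com.login.example/start",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Substring matching on a short keyword such as `meet` will also flag unrelated legitimate sites, so treat hits as leads for review, not verdicts.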

Zscaler has published a set of TTPs and IOCs for the latest campaign which can be used for detection purposes: