Threat actors have been leveraging fake websites advertising popular video conferencing software such as Google Meet, Skype, and Zoom to deliver a variety of malware targeting both Android and Windows users since December 2023.
"The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems," Zscaler ThreatLabz researchers said.
The spoofed sites are in Russian and are hosted on domains that closely resemble their legitimate counterparts, indicating that the attackers are using typosquatting tricks to lure potential victims into downloading the malware.
They also come with options to download the app for Android, iOS, and Windows platforms. While clicking on the button for Android downloads an APK file, clicking on the Windows app button triggers the download of a batch script.
The malicious batch script is responsible for executing a PowerShell script, which, in turn, downloads and executes the remote access trojan.
Currently, there is no evidence that the threat actor is targeting iOS users, given that clicking on the button for the iOS app takes the user to the legitimate Apple App Store listing for Skype.
"A threat actor is using these lures to distribute RATs for Android and Windows, which can steal confidential information, log keystrokes, and steal files," the researchers said.
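The lure sites described above rely on domains that look like the real video conferencing brands and hand out a batch script or an APK. The following is an added example (not Zscaler's code or tooling) of a coarse triage check a defender could run over proxy logs: it flags lookalike hosts for the brands named in the report and raises severity when the requested path is a batch script or APK. The legitimate apex domains, the log format, and the sample log lines are all assumptions constructed for this example.

```python
"""Triage proxy logs for lookalike video-conferencing domains (constructed example)."""
import re
from typing import Dict, List, Optional

# Assumed legitimate apex domains for the brands named in the report.
LEGIT = {"google": "google.com", "skype": "skype.com", "zoom": "zoom.us"}
BRAND_KEYWORDS = ("meet", "skype", "zoom", "google")

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one-character typosquats (e.g. 'zoomm')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host: str) -> str:
    """Naive apex extraction (last two labels); a public-suffix list is needed for co.uk-style TLDs."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(host: str) -> Optional[str]:
    """Return 'legit', 'lookalike', or None when the host is unrelated to the brands."""
    reg = registered_domain(host)
    if reg in LEGIT.values():
        return "legit"
    label = reg.split(".")[0]
    for legit in LEGIT.values():
        brand = legit.split(".")[0]
        # One-edit typos or the brand embedded in the label (e.g. 'skype-download').
        # Short brands like 'zoom' will need a tighter threshold in production.
        if levenshtein(label, brand) <= 1 or brand in label:
            return "lookalike"
    if any(k in label for k in BRAND_KEYWORDS):
        return "lookalike"
    return None

# Constructed sample log lines in an assumed "key=value" proxy format.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=10.0.0.5 host=meet.google.com path=/abc-defg-hij
2024-03-01T10:00:07Z src=10.0.0.5 host=skype-download.example path=/setup.bat
2024-03-01T10:00:09Z src=10.0.0.9 host=zoomm.example path=/zoom.apk
2024-03-01T10:01:00Z src=10.0.0.9 host=news.example path=/index.html
"""

def scan(log: str) -> List[Dict[str, str]]:
    """Return lookalike hits; batch/APK downloads match the delivery chain in the report."""
    hits = []
    for line in log.splitlines():
        m = re.search(r"src=(\S+) host=(\S+) path=(\S+)", line)
        if not m or classify(m.group(2)) != "lookalike":
            continue
        src, host, path = m.groups()
        severity = "high" if path.lower().endswith((".bat", ".cmd", ".apk", ".exe")) else "medium"
        hits.append({"src": src, "host": host, "path": path, "severity": severity})
    return hits
```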
The development comes as the AhnLab Security Intelligence Center (ASEC) revealed that a new malware dubbed WogRAT targeting both Windows and Linux is abusing a free online notepad platform called aNotepad as a covert vector for hosting and retrieving malicious code.
It's said to be active since at least late 2022, targeting Asian countries like China, Hong Kong, Japan, and Singapore, among others. That said, it's currently not known how the malware is distributed in the wild.
"When WogRAT is run for the first time, it collects basic information of the infected system and sends them to the C&C server," ASEC said. "The malware then supports commands such as executing commands, sending results, downloading files, and uploading those files."
It also coincides with high-volume phishing campaigns orchestrated by a financially motivated cybercriminal actor known as TA4903 to steal corporate credentials and likely follow them with business email compromise (BEC) attacks. The adversary has been active since at least 2019, with the activity intensifying after mid-2023.
"TA4903 routinely conducts campaigns spoofing various U.S. government entities to steal corporate credentials," Proofpoint said. "The actor also spoofs organizations in various sectors including construction, finance, healthcare, food and beverage, and others."
Attack chains involve the use of QR codes (aka quishing) for credential phishing as well as reliance on the EvilProxy adversary-in-the-middle (AiTM) phishing kit to bypass two-factor authentication (2FA) protections.
Once a target mailbox is compromised, the threat actor has been observed searching for information related to payments, invoices, and bank details, with the ultimate goal of hijacking existing email threads and performing invoice fraud.
Phishing campaigns have also functioned as a conduit for other malware families like DarkGate, Agent Tesla, and Remcos RAT, the last of which leverages steganographic decoys to drop the malware on compromised hosts.