Saturday, July 6, 2024

Watch Out for Spoofed Zoom, Skype, Google Meet Websites Delivering Malware

Mar 07, 2024 | Newsroom | Malware / Network Security

Spoofed Zoom, Skype, Google Meet Sites

Threat actors have been leveraging fake websites advertising popular video conferencing software such as Google Meet, Skype, and Zoom to deliver a variety of malware targeting both Android and Windows users since December 2023.

“The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems,” Zscaler ThreatLabz researchers said.

The spoofed sites are in Russian and are hosted on domains that closely resemble their legitimate counterparts, indicating that the attackers are using typosquatting techniques to lure potential victims into downloading the malware.
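A defensive check for the typosquatting described above, as an added example that is not from the article or from the Zscaler report: it flags hostnames containing a label within one edit of a brand keyword that are not the real domain. The sample hostnames are constructed on reserved TLDs, and the keyword-to-domain map and the one-edit threshold are assumptions.

```python
# Added example: flag hostnames that imitate Zoom, Skype or Google Meet.
# Brand keyword -> legitimate registrable domain (assumed allow-list).
LEGIT = {"zoom": "zoom.us", "skype": "skype.com", "google": "google.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def imitated_brand(hostname: str, max_dist: int = 1):
    """Return the brand keyword a hostname imitates, or None."""
    host = hostname.lower().rstrip(".")
    for legit in LEGIT.values():
        if host == legit or host.endswith("." + legit):
            return None  # the real site or one of its subdomains
    # Naive TLD handling: drop only the last label (no Public Suffix List).
    labels = host.split(".")[:-1]
    # Hyphenated labels such as "join-skype" are checked token by token.
    tokens = [t for label in labels for t in label.split("-") if t]
    for token in tokens:
        for brand in LEGIT:
            # Distance 0 catches the exact keyword on an unrelated domain.
            # Short keywords like "zoom" will also match words like "room".
            if edit_distance(token, brand) <= max_dist:
                return brand
    return None


def scan(hostnames):
    """Map each suspicious hostname to the brand it imitates."""
    hits = {h: imitated_brand(h) for h in hostnames}
    return {h: b for h, b in hits.items() if b}


# Constructed sample hostnames (reserved TLDs), e.g. from proxy or DNS logs.
SAMPLES = ["zoom.us", "us06web.zo0m.test", "join-skype.example",
           "meet.google.com", "meet.goog1e.example", "intranet.corp.example"]

if __name__ == "__main__":
    for host, brand in scan(SAMPLES).items():
        print(f"{host}: resembles {brand} ({LEGIT[brand]})")
```

In practice the input would be hostnames from proxy, DNS or mail-gateway logs, and hits would be reviewed rather than blocked automatically because of the false positives noted in the comments.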


They also come with options to download the app for Android, iOS, and Windows platforms. While clicking on the button for Android downloads an APK file, clicking on the Windows app button triggers the download of a batch script.

The malicious batch script is responsible for executing a PowerShell script, which, in turn, downloads and executes the remote access trojan.

Currently, there is no evidence that the threat actor is targeting iOS users, given that clicking on the button for the iOS app takes the user to the legitimate Apple App Store listing for Skype.

“A threat actor is using these lures to distribute RATs for Android and Windows, which can steal confidential information, log keystrokes, and steal files,” the researchers said.

The development comes as the AhnLab Security Intelligence Center (ASEC) revealed that a new malware dubbed WogRAT targeting both Windows and Linux is abusing a free online notepad platform called aNotepad as a covert vector for hosting and retrieving malicious code.


It is said to be active from at least late 2022, targeting Asian countries like China, Hong Kong, Japan, and Singapore, among others. That said, it is currently not known how the malware is distributed in the wild.

“When WogRAT is run for the first time, it collects basic information of the infected system and sends them to the C&C server,” ASEC said. “The malware then supports commands such as executing commands, sending results, downloading files, and uploading these files.”

It also coincides with high-volume phishing campaigns orchestrated by a financially motivated cybercriminal actor known as TA4903 to steal corporate credentials and likely follow them with business email compromise (BEC) attacks. The adversary has been active since at least 2019, with the activities intensifying post mid-2023.

“TA4903 routinely conducts campaigns spoofing various U.S. government entities to steal corporate credentials,” Proofpoint said. “The actor also spoofs organizations in various sectors including construction, finance, healthcare, food and beverage, and others.”


Attack chains involve the use of QR codes (aka quishing) for credential phishing as well as relying on the EvilProxy adversary-in-the-middle (AiTM) phishing kit to bypass two-factor authentication (2FA) protections.

Once a target mailbox is compromised, the threat actor has been observed searching for information relevant to payments, invoices, and bank information, with the ultimate goal of hijacking existing email threads and performing invoice fraud.

Phishing campaigns have also functioned as a conduit for other malware families like DarkGate, Agent Tesla, and Remcos RAT, the last of which leverages steganographic decoys to drop the malware on compromised hosts.
