"Russia-Based Hackers FIN11 Impersonate Zoom to Conduct Phishing Campaigns"

Security researchers at Cyfirma have discovered that the threat actor known as FIN11 may have impersonated the web download pages of the Zoom application to conduct phishing campaigns against targets worldwide. FIN11 was observed using fake Zoom download pages to install the Vidar information stealer, targeting a large attack surface. The researchers also observed an IP address that was earlier associated with AsyncRAT. They stated that FIN11 has lately been associated with Clop ransomware for post-compromise ransomware deployment and data-theft extortion, and noted that this association increases the possibility of compromised systems becoming ransomware victims.

The researchers stated that they discovered several fake Zoom Video Communications download pages, all of which listed the Russian Federation as the registrant country for their hosts. From a technical standpoint, the threat actor delivered malicious Zoom applications through phishing URLs masquerading as legitimate Zoom websites and apps. Upon execution of a malicious "Zoom.exe" file, the malware drops "Decoder.exe," which acts as a downloader for additional payloads (a remote access Trojan (RAT) and an information stealer) alongside the legitimate Zoom app setup. The researchers noted that the injected MSBuild.exe also downloads dynamic link libraries (DLLs) related to the Vidar information stealer. As for the motive behind the attacks, the researchers believe it may be financial in nature.
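The execution chain described above (a lure "Zoom.exe" dropping a downloader, which in turn hands off to an injected MSBuild.exe that fetches more payloads) is a pattern a defender can look for in endpoint telemetry. The following is an added example, not code from Cyfirma or from the article, showing two behavioural checks run over Sysmon-style process-creation and network-connection records. The record format, the field names, the process IDs, paths and destination addresses are all constructed for illustration; only the file names (Zoom.exe, Decoder.exe, MSBuild.exe) come from the report.

```python
"""Behavioural detection for an installer-lure chain (added example, not Cyfirma's tooling).

Input is a list of constructed, Sysmon-like records:
  event 1 = process creation  (pid, ppid, image, parent_image)
  event 3 = network connection (pid, image, dest_ip, dest_port)
The field names are an assumption of this example, not a product schema.
"""
import ntpath
from collections import defaultdict

# Path fragments that indicate a user-writable location (where a downloaded
# lure would run from, as opposed to a vendor's install directory).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")

# Parents under which MSBuild.exe legitimately runs (and may legitimately reach
# the network, e.g. package restore). Extend for your own build environment.
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}

# Constructed sample telemetry: one malicious chain and two benign MSBuild runs.
# Addresses use the TEST-NET range; nothing here is a real indicator.
CONSTRUCTED_EVENTS = [
    {"event": 1, "pid": 100, "ppid": 1,
     "image": r"C:\Users\alice\Downloads\Zoom.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event": 1, "pid": 101, "ppid": 100,
     "image": r"C:\Users\alice\AppData\Local\Temp\Decoder.exe",
     "parent_image": r"C:\Users\alice\Downloads\Zoom.exe"},
    {"event": 1, "pid": 102, "ppid": 101,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\Decoder.exe"},
    {"event": 3, "pid": 102,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    # Benign: MSBuild started by Visual Studio and restoring packages.
    {"event": 1, "pid": 200, "ppid": 50,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"},
    {"event": 3, "pid": 200,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "dest_ip": "203.0.113.20", "dest_port": 443},
    # Benign: MSBuild started from a dotnet CLI build, no network activity.
    {"event": 1, "pid": 201, "ppid": 60,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Program Files\dotnet\dotnet.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def in_user_writable(path):
    """True when the path sits in a typical user-writable location."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def detect(events):
    """Return a list of alert strings, in telemetry order, for the two rules below."""
    procs = {e["pid"]: e for e in events if e["event"] == 1}
    net_by_pid = defaultdict(list)
    for e in events:
        if e["event"] == 3:
            net_by_pid[e["pid"]].append(e)

    alerts = []
    for pid, proc in procs.items():
        image = basename(proc["image"])
        parent = basename(proc["parent_image"])

        # Rule 1: a "Zoom.exe" running from a user-writable path spawns a
        # different executable (the report's Zoom.exe -> Decoder.exe step).
        if parent == "zoom.exe" and in_user_writable(proc["parent_image"]) and image != "zoom.exe":
            alerts.append(f"R1 lure-installer-drop pid={pid} child={image} parent={proc['parent_image']}")

        # Rule 2: MSBuild.exe outside a build context that also talks to the
        # network (the report's injected MSBuild.exe downloading DLLs).
        if image == "msbuild.exe" and parent not in DEV_PARENTS and net_by_pid.get(pid):
            dests = ",".join(f"{n['dest_ip']}:{n['dest_port']}" for n in net_by_pid[pid])
            alerts.append(f"R2 msbuild-network pid={pid} parent={parent} dest={dests}")
    return alerts


if __name__ == "__main__":
    for alert in detect(CONSTRUCTED_EVENTS):
        print(alert)
```

Rule 1 keys on the file name the report gives, which is a weak indicator on its own; in production it should be paired with the installer's Authenticode signer and hash rather than its name. Rule 2 deliberately tolerates MSBuild network activity under known developer parents, since package restore is normal there; the constructed benign runs show that only the chain rooted in the downloaded lure fires.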


Infosecurity reports: "Russia-Based Hackers FIN11 Impersonate Zoom to Conduct Phishing Campaigns"

Submitted by Anonymous on