"Skype, Google Meet, and Zoom Used in New Trojan Scam Campaign"

According to security researchers at Zscaler, a threat actor has been distributing remote access Trojans (RATs) on Android and Windows operating systems using online meeting lures. The researchers noted that this campaign has been ongoing since at least December 2023. The distributed RATs include Android-focused SpyNote RAT, Windows-focused NjRAT, and DCRat. The researchers said that to lure the victims into downloading the RATs, the threat actor created several fake online meeting sites, impersonating brands like Microsoft-owned Skype, Google Meet, and Zoom. All of the fake websites were in Russian. The researchers noted that the attacker utilized shared web hosting services to host all these websites on a single IP address. The first one was created in early December 2023 with a URL that resembles the legitimate Skype URL. When a user visits one of the fake sites, clicking on the Android button initiates the download of a malicious APK file, while clicking on the Windows button triggers the download of a BAT file, a script in Windows that automates tasks. When executed, this BAT file performs additional actions, ultimately leading to the download of a RAT payload. The researchers noted that an Apple App Store button is also available in some cases. However, this button redirects to "https://go.skype.com/skype.download.for.phone.iphone", indicating that the threat actor was not targeting iOS users with malware. The three RATs hosted by the threat actor, SpyNote RAT, NjRAT, and DCRat, can steal confidential information and files and log keystrokes.
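A detection sketch for the delivery pattern described above, as an added example that is not from Zscaler or the article: it flags proxy-log entries where an APK or BAT file is fetched from a host that uses a meeting brand name but does not belong to the brand's official domain. The log format, the allowlist, the keyword list, and the `example.test` hosts are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist of official domains for the impersonated brands.
OFFICIAL = {"skype.com", "google.com", "zoom.us"}
# Brand keywords to look for in the hostname (assumed list; tune per environment).
BRAND = re.compile(r"skype|zoom|meet", re.I)
# File types the campaign delivered: APK for Android, BAT for Windows.
RISKY_EXT = (".apk", ".bat")

# Constructed proxy log lines: "<timestamp> <client> <method> <url>"
SAMPLE_LOG = """\
2024-01-10T09:12:01Z 10.0.0.15 GET https://go.skype.com/skype.download.for.phone.iphone
2024-01-10T09:13:44Z 10.0.0.15 GET http://join-skype.example.test/download/setup.bat
2024-01-10T09:15:02Z 10.0.0.22 GET http://meet-online.example.test/files/meet.apk
2024-01-10T09:16:30Z 10.0.0.31 GET https://zoom.us/download/installer.exe
2024-01-10T09:17:05Z 10.0.0.40 GET http://files.example.test/tools/cleanup.bat
"""

def is_official(host):
    """True only for an official domain or a subdomain of one.
    A suffix match on '.domain' rejects hosts such as skype.com.example.test."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def flag_downloads(log_text):
    """Return (client, url) for APK/BAT fetches from brand-named, non-official hosts."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _, client, _, url = parts
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        if not u.path.lower().endswith(RISKY_EXT):
            continue  # not one of the delivered file types
        if BRAND.search(host) and not is_official(host):
            hits.append((client, url))
    return hits

if __name__ == "__main__":
    for client, url in flag_downloads(SAMPLE_LOG):
        print(f"ALERT client={client} url={url}")
```
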

 

Infosecurity Magazine reports: "Skype, Google Meet, and Zoom Used in New Trojan Scam Campaign"

Submitted by Adam Ekwall on