Zoom Doom: When Your Teleconference Turns into a Malware Conference
In a not-so-typical Zoom meeting, a threat actor masquerades as a Zoom installer using d3f@ckloader to drop SectopRAT. After nine days of lurking, Cobalt Strike and Brute Ratel join the party. The grand finale? BlackSuit ransomware crashes the Windows systems, leaving IT teams wishing they’d just clicked “Leave Meeting.”

Hot Take:
Why did the cybercriminal install a fake Zoom? Because they couldn’t find a fake Microsoft Teams! In a world where the line between legitimate software and malware is thinner than my patience for passwords, this latest cyber shenanigan is a reminder that even our Zoom meetings aren’t safe. Watch out for those Zoom installers, folks, they might just be installing a new kind of “meeting” on your hard drive!
Key Points:
- A fake Zoom installer drops SectopRAT, which leads to the deployment of Cobalt Strike and Brute Ratel.
- Lateral movement was achieved via remote services and RDP, facilitated by the QDoor malware.
- Files were exfiltrated by archiving them with WinRAR and uploading them to the cloud app Bublup.
- BlackSuit ransomware was finally deployed across Windows systems using PsExec.
- DFIR Labs offers comprehensive analysis services on such cybersecurity incidents.
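A defender-side illustration, added here and not part of the original post or the DFIR Report's own tooling: a small Python triage routine that flags three observable stages of the chain above (a Zoom-named executable launched from outside an install directory, WinRAR archiving as exfiltration staging, and PsExec's service binary PSEXESVC.exe starting on a host) over constructed process-creation events. The host names, paths, user names and event layout are assumptions made for the example.

```python
import ntpath
from dataclasses import dataclass

@dataclass
class ProcEvent:
    host: str
    image: str     # full path of the launched executable
    cmdline: str
    parent: str    # full path of the parent process

# Constructed sample events; hosts, users and paths are invented for this example.
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Users\alice\Downloads\ZoomInstallerFull.exe",
              "ZoomInstallerFull.exe", r"C:\Windows\explorer.exe"),
    ProcEvent("WS02", r"C:\Program Files\Zoom\bin\Zoom.exe",
              "Zoom.exe", r"C:\Windows\explorer.exe"),
    ProcEvent("WS01", r"C:\Program Files\WinRAR\WinRAR.exe",
              r'WinRAR.exe a -r C:\Users\alice\staged.rar "C:\Finance"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("FS01", r"C:\Windows\PSEXESVC.exe",
              "PSEXESVC.exe", r"C:\Windows\System32\services.exe"),
]

TRUSTED_PREFIXES = (r"c:\program files", r"c:\program files (x86)")

def zoom_from_untrusted_path(e: ProcEvent) -> bool:
    """Zoom-named binary running from somewhere other than an install directory."""
    name = ntpath.basename(e.image).lower()
    return (name.startswith("zoom") and name.endswith(".exe")
            and not e.image.lower().startswith(TRUSTED_PREFIXES))

def winrar_archiving(e: ProcEvent) -> bool:
    """WinRAR or rar invoked with the 'a' (add to archive) command: staging for exfiltration."""
    name = ntpath.basename(e.image).lower()
    tokens = e.cmdline.split()
    return name in ("winrar.exe", "rar.exe") and len(tokens) > 1 and tokens[1].lower() == "a"

def psexec_service(e: ProcEvent) -> bool:
    """PSEXESVC.exe is the service binary PsExec installs on the remote host it runs on."""
    return ntpath.basename(e.image).lower() == "psexesvc.exe"

def triage(events):
    """Return (host, finding) pairs in event order; one pair per matching check."""
    checks = [("zoom-binary-outside-install-dir", zoom_from_untrusted_path),
              ("winrar-archive-staging", winrar_archiving),
              ("psexec-service-started", psexec_service)]
    return [(e.host, tag) for e in events for tag, check in checks if check(e)]

if __name__ == "__main__":
    for host, tag in triage(SAMPLE_EVENTS):
        print(f"{host}: {tag}")
```

The legitimately installed Zoom.exe on WS02 is not flagged; only the Downloads-folder installer, the archiving command and the PsExec service start produce findings.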