If you want to download the video conferencing platform Zoom, be very careful about where you get it from online, as there are many phony sites that spread malware and viruses.
Cyble researchers looking into reports of a widespread campaign targeting potential Zoom users have so far uncovered six fake install sites that host various infostealers and other malware variants.
Vidar Stealer was discovered as one of the infostealers, and it could steal things like passwords, browser history, IP addresses, information about cryptocurrency wallets, and even multi-factor authentication (MFA) data in some cases.
Criminals "actively run multiple campaigns to spread information stealers," the researchers said, citing their own recent findings. "Obtaining access to compromised endpoints, which are then sold on cybercrime marketplaces, is possible with the help of Stealer Logs. Multiple breaches have been reported where stealer logs were used to gain initial access to the victim's network."
The Register reports that all six of these sites—zoom-download[.]host, zoom-download[.]space, zoom-download[.]fun, zoomus[.]host, zoomus[.]tech, and zoomus[.]website—are live and actively spreading malware.
Visitors would be taken to a GitHub URL displaying downloadable applications. A pair of executables, ZOOMIN-1.EXE and Decoder.exe, are dropped into the temporary folder should the victim select the malicious option. The malicious software is said to inject itself into MSBuild.exe, harvest IP addresses hosting the DLLs, and steal configuration settings.
"Researchers found that "this malware payload hides the C&C IP address in the Telegram description," similar to what Vidar Stealer does. There doesn't appear to be much difference between the other infection methods."
To avoid this malware, be wary of where you download your Zoom programs from.