A Follow Up To The Highly Dangerous Zoom Phishing Email

Earlier today, I came across a phishing email that purported to be from Zoom, asking you to download “security software”. I did some investigation and, on the surface, there were some serious alarm bells that I noted. I decided to dig deeper to see what the intent was behind this phishing email, and I think I found it, though it took me some time to get there.

First of all, I can confirm that this is a highly dangerous Zoom installer that will not be detected by any anti-virus program. Nothing that I tossed at it would detect it. That’s very bad.

On top of that, it seems to have the ability to detect my VM and avoid analysis there. Thus I had to take it to a real PC that I use for testing this sort of thing, as I can restore it easily and it doesn’t sit on my main network. After looking at it for three hours, I can say that what it appears to do is as follows:

  • It seems to monitor certain registry keys / values for changes. I am guessing that this is done to protect autostart functionality.
  • It appears to go to sleep. I assume that this is to make it harder to analyze.
  • It seems to have some functionality that isn’t enabled yet as there appears to be a portable executable that isn’t currently running, but was added by this software.
  • It runs checks on the volume name of the device that it is on. It also scans the file system. That implies that it is looking for files that it can steal.
  • It changes any Windows certificates that it comes across.
  • It looks like it has the ability to phone home as it occasionally pings several IP addresses that I was able to capture on my network monitoring tools.

That implies that whoever came up with this is a highly advanced threat actor. This would also qualify as spyware in my mind. And the kicker is that the Zoom functionality seems to still work. So the best way to not get pwned by this is to never download and install it.

Now, if you run Zoom in your enterprise, the best way to ensure your Zoom users never trip over this is to turn on the ability to force updates to Zoom. This document will help you with that. I will warn you that your users will not be happy about this. But this, combined with user education about phishing emails like this one, is the best way to defend against this sort of attack. If you’re an average user, you should only update via the app’s “Check For Updates” function. And of course, if you get an email like the one that I discovered earlier today, you should always delete it and never interact with it.
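As an added example (not from the original post, and not Zoom’s own tooling), here is a PowerShell check that refuses an installer unless its Authenticode signature validates and the signer is Zoom’s publisher, which is exactly what an impostor “Zoom installer” like the one above cannot satisfy. The function name, the expected publisher string and the sample path are assumptions for this example.

```powershell
# Added example (not from the original post): verify that an installer carries
# a valid Authenticode signature AND that the signer is the expected publisher
# before anyone runs it. Assumes a Windows host with PowerShell 5.1 or later.
function Test-ZoomInstallerSignature {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Expected publisher name; an assumption for this example, adjust if
        # your trusted copy of Zoom is signed under a different subject.
        [string]$ExpectedSubject = 'Zoom Video Communications, Inc.'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Two independent conditions. The chain must validate (Status -eq 'Valid'),
    # and the signer must be the publisher we expect: a valid chain with the
    # wrong subject still fails, because anyone can sign a binary with a
    # certificate they own.
    $chainValid  = ($sig.Status -eq 'Valid')
    $publisherOk = ($subject -like "*$ExpectedSubject*")

    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer  = $subject
        Sha256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Trusted = ($chainValid -and $publisherOk)
    }
}

# Usage (placeholder path): anything other than Trusted = True means do not run
# the file; the SHA256 is recorded so the sample can be reported or blocked.
Test-ZoomInstallerSignature -Path 'C:\Users\Public\Downloads\ZoomInstaller.exe' | Format-List
```

A valid signature from the expected publisher proves origin, not safety, so this check catches a repackaged or unsigned impostor but does not replace keeping the client on forced updates.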
