Zoom Impersonation Infection Tied to FIN11
Category: Threat Actor Activity | Industry: N/A | Level: Tactical | Source: Cyfirma
The CYFIRMA research team analyzed a Zoom impersonation campaign used to spread the Vidar information-stealing malware. With moderate confidence, CYFIRMA links the activity to FIN11, a Russian, financially motivated threat group. The same infection chain was also reported by Cyble Research and Intelligence Labs (CRIL). At least six web domains were identified as facilitating the campaign; all were hosted in Russia and masqueraded as the Zoom video application. Impersonating the most downloaded business application since the COVID-19 pandemic has become an increasingly popular avenue for threat actors in phishing and drive-by compromise campaigns. Whilst FIN11's threat profile has previously covered the financial, hospitality, and retail industries, the present campaign is a chance for the group to widen its circle of targets. In the infection chain, when a user attempts to download the fake Zoom application, they receive a malicious archive file containing executables that are dropped into the user's TEMP folder. After connecting to the attacker's command-and-control server, an encoded PowerShell command executes to spawn MSBuild.exe as a child process and inject a malicious payload into it. Through the injected process, the threat actors download the DLL files needed by the Vidar information-stealing malware. Vidar is capable of stealing user credentials, banking information, browser history, and information from cryptocurrency wallets.
- Malicious Archive Runs Payloads Leading to Persistence/C2
Anvilogic Use Cases:
- Compressed File Execution
- Executable Process from Suspicious Folder
- Rare Remote Thread
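The following is an added example, not code from CYFIRMA, Cyble or Anvilogic, showing how the infection chain described above maps onto the three listed use cases as detection logic. It runs over constructed, Sysmon-style process-creation (Event ID 1) and CreateRemoteThread (Event ID 8) events; the sample paths, the archive-tool list, the TEMP-path pattern and the two extra rule names ("Encoded PowerShell Command", "MSBuild Child of PowerShell") are assumptions chosen to mirror the reported chain, not indicators from the report.

```python
# Added example (not CYFIRMA/Cyble/Anvilogic code): toy detection logic over
# constructed Sysmon-style events that mirror the Zoom/Vidar infection chain.
import base64
import ntpath
import re
from typing import Any, Dict, List, Tuple

# Assumption: %TEMP% sits under a "...\Temp\..." path (the Windows default).
TEMP_PATH_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_FLAG_RE = re.compile(
    r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)
# Assumed archive handlers whose direct children count as "compressed file execution".
ARCHIVE_TOOLS = {"winrar.exe", "7zfm.exe", "7zg.exe", "winzip64.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# The three use cases named on the page; all three together make up the chain.
CHAIN_USE_CASES = {
    "Compressed File Execution",
    "Executable Process from Suspicious Folder",
    "Rare Remote Thread",
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def decode_encoded_command(command_line: str):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENC_FLAG_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def analyze_event(ev: Dict[str, Any]) -> List[str]:
    """Map one event to the rule names it trips (empty list when benign)."""
    hits: List[str] = []
    if ev["EventID"] == 1:  # process creation
        image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        if parent in ARCHIVE_TOOLS:
            hits.append("Compressed File Execution")
        if TEMP_PATH_RE.search(ev["Image"]):
            hits.append("Executable Process from Suspicious Folder")
        if image in POWERSHELL:
            decoded = decode_encoded_command(ev.get("CommandLine", ""))
            if decoded is not None:
                hits.append("Encoded PowerShell Command")
                if "msbuild" in decoded.lower():
                    hits.append("PowerShell Launches MSBuild")
        if image == "msbuild.exe" and parent in POWERSHELL:
            hits.append("MSBuild Child of PowerShell")
    elif ev["EventID"] == 8:  # CreateRemoteThread
        # Assumption: MSBuild.exe creating a thread in another process is rare.
        if basename(ev["SourceImage"]) == "msbuild.exe":
            hits.append("Rare Remote Thread")
    return hits


def run_detections(events: List[Dict[str, Any]]) -> List[Tuple[int, List[str]]]:
    """Return (event index, rule names) for every event that trips a rule."""
    findings = []
    for i, ev in enumerate(events):
        hits = analyze_event(ev)
        if hits:
            findings.append((i, hits))
    return findings


def chain_observed(findings: List[Tuple[int, List[str]]]) -> bool:
    """True when all three page use cases fire in one batch (a crude stand-in
    for correlating them on a single host inside a short time window)."""
    seen = {h for _, hits in findings for h in hits}
    return CHAIN_USE_CASES <= seen


# Constructed sample telemetry (not real IoCs): one benign event, then four
# events shaped like the reported chain. The encoded command is built here so
# the decoding step has something realistic to work on.
ENCODED = base64.b64encode("Start-Process msbuild.exe".encode("utf-16le")).decode()
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Local\Temp\Rar$EX\ZoomSetup.exe",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe", "CommandLine": "ZoomSetup.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\Rar$EX\ZoomSetup.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "MSBuild.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    results = run_detections(SAMPLE_EVENTS)
    for idx, names in results:
        print(f"event {idx}: {', '.join(names)}")
    print("full chain observed:", chain_observed(results))
```

The individual rules are deliberately broad (any child of an archive tool, any executable under a TEMP path); what makes them useful is correlating them, which `chain_observed` approximates by requiring all three use cases in one batch. In production the correlation would be keyed on host and a time window, and the archive-tool and TEMP-path lists tuned to the environment.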