A state-sponsored threat group is running a large-scale attack campaign involving fake versions of Zoom, cybersecurity researchers have claimed.
The large-scale dissemination of the fake video conferencing app brought the campaign to the attention of Kaspersky, which believes it is being run by China-based LuminousMoth threat group to spy on targets in South East Asia.
“In some cases, this [the initial break-in] was followed by deployment of a signed, but fake version of the popular application Zoom, which was in fact malware enabling the attackers to exfiltrate files from the compromised systems,” notes Kaspersky.
We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.
According to its investigation, Kaspersky believes the campaign dates back to at least October 2020, and has hit about a hundred victims in Myanmar, and well over a thousand in the Philippines.
Despite the large number of targets, the researchers believe that only a small percentage was of interest to the threat actors, and were exploited further.
The researchers note that the attack has two infection vectors. It begins with phishing emails with political undertones that lure users into downloading infected zipped archives that contain malicious .DLL files. Once infected, the malware will then copy itself onto any USB drives attached to the compromised system.
The real intent of the attack though is to exfiltrate data from the victim’s computer. In some of the compromised systems in Myanmar, Kaspersky noted that the stealer deployed by the threat actors impersonates Zoom, although its real intent is to find files with certain extensions and transfer them to a command and control (C2) server.