Hackers are once again posing as big tech brands to trick people into downloading malware onto their computers, experts warn.
Cybersecurity researchers at Zscaler ThreatLabz recently discovered a new campaign in which unidentified threat actors created numerous websites whose URLs are nearly identical to actual websites from the likes of Google, Skype and Zoom.
Also known as ‘typosquatting’, this method is based on the fact that many people will not notice a ‘typo’ in the URL and will think they are on the legitimate site rather than a malicious one.
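As an added illustration of how defenders can catch look-alike hostnames of this kind (this is example code, not part of the original article or of Zscaler's research), the following Python check scores each host in a URL list against the impersonated brands by edit distance, homoglyph substitution and brand embedding; the brand list, homoglyph table and sample URLs are assumptions constructed for the example.

```python
"""Flag look-alike (typosquatted) hostnames; added example, not Zscaler's tooling."""
from urllib.parse import urlparse

BRANDS = ("google", "skype", "zoom")  # brands the article says were impersonated
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})  # assumed table

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(host: str) -> str:
    """Second-level label ('gooogle' in 'meet.gooogle.com'); no public-suffix handling."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify_host(host: str, max_distance: int = 1) -> tuple:
    """Return (verdict, brand) with verdict 'legitimate', 'suspicious' or 'unrelated'."""
    host = host.lower()
    label = registrable_label(host)
    normalized = label.translate(HOMOGLYPHS).replace("rn", "m")
    for brand in BRANDS:
        if label == brand:                       # meet.google.com, zoom.us
            return ("legitimate", brand)
    for brand in BRANDS:
        near_miss = 0 < levenshtein(label, brand) <= max_distance   # gooogle
        homoglyph = normalized == brand                             # g00gle
        embedded = brand in host                                    # zoom-us.com, google.com.evil.example
        if near_miss or homoglyph or embedded:
            return ("suspicious", brand)
    return ("unrelated", None)

def scan_urls(urls: list) -> list:
    """Return (url, brand) for every URL whose host looks like a brand impersonation."""
    hits = []
    for url in urls:
        verdict, brand = classify_host(urlparse(url).hostname or "")
        if verdict == "suspicious":
            hits.append((url, brand))
    return hits

# Constructed sample URLs (not from the campaign), one per detection path.
SAMPLE_URLS = ["https://meet.google.com/abc-defg-hij", "https://gooogle.com/meet",
               "https://g00gle.com/download.bat", "https://zoom-us.com/client.apk",
               "https://skyp3.com/setup", "https://example.org/"]
```

Running `scan_urls(SAMPLE_URLS)` returns the four look-alike entries and leaves the genuine Google Meet host and the unrelated domain untouched.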
Sites in Russian
The websites pose as download pages for video conferencing software such as Google Meet, offering download links for Windows, Android and iOS. The iOS link does nothing malicious (it simply redirects users to the genuine product), but the Android and Windows links deliver malware: for Android it is a malicious APK, while for Windows it initiates the download of a batch script.
That batch script runs a PowerShell script, which in turn downloads and runs the Windows payload. Across the campaign the researchers spotted three remote access trojans (RATs): SpyNote RAT on Android, and NjRAT and DCRat on Windows.
The campaign has been active since December 2023, and the researchers add that the spoofed sites are in Russian, indicating that the threat actors are either Russian themselves or are simply targeting Russian-speaking consumers.
“The threat actor distributes Remote Access Trojans (RATs), including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems,” they added.
The RATs can be used for a wide range of malicious activities, from stealing sensitive information from the devices to logging keystrokes and exfiltrating files. The methods used to promote these websites are unknown, but it is safe to assume that a phishing campaign is active somewhere on the Internet and that the sites are being promoted on social media and various online forums.
Via The Hacker News