Campaign Overview

The attacker utilized shared web hosting, hosting all these fake online meeting sites on a single IP address. All of the fake sites were in Russian as shown in all the figures below. In addition, the attackers hosted these fake sites using URLs that closely resembled the actual websites.      
 

Attack Sequence

The diagram below illustrates how the malware was distributed and executed on the victim’s machine during the campaign: 

Figure 1: Attack chain and execution flow for Android and Windows campaigns.

When a user visits one of the fake sites, clicking on the Android button initiates the download of a malicious APK file, while clicking on the Windows button triggers the download of a BAT file. The BAT file when executed performs additional actions, ultimately leading to the download of a RAT payload.     
 

Skype

During our investigation, we discovered that the first fake site, join-skype[.]info, was created in early December to deceive users into downloading a fake Skype application as shown in Figure 2.

Figure 2: The fraudulent Skype website, with a fake domain meant to resemble the legitimate Skype domain. (Image courtesy of urlscan.io.)

The Windows button pointed to a file named Skype8.exe and the Google Play button pointed at Skype.apk (neither of these files was available at the time of analysis). The Apple App Store button redirected to https://go.skype.com/skype.download.for.phone.iphone, indicating that the threat actor was not targeting iOS users with malware. 

Google Meet

In late December, the attacker created another fake site, online-cloudmeeting[.]pro, mimicking Google Meet as shown in Figure 3. The fake Google Meet site was hosted on online-cloudmeeting[.]pro/gry-ucdu-fhc/ where the subpath gry-ucdu-fhc was deliberately created to resemble a Google Meet joining link. Genuine Google Meet invite codes typically follow the structure [a-z]{3}-[a-z]{4}-[a-z]{3}.

The fake site provides links to download a fake Skype application for Android and/or Windows. The Windows link leads to a BAT file named updateZoom20243001bit.bat, which in turn downloads the final payload named ZoomDirectUpdate.exe. This final payload is a WinRAR archive file that contains DCRat, packed with Eziriz .NET Reactor.

Figure 3: The fake Google Meet page, showing the fraudulent domain in the address bar for a fake Google Meet Windows application link to a malicious BAT file that downloads and executes malware.

The Android link in this figure led to a SpyNote RAT APK file named meet.apk.

Zoom

In late January, we observed the emergence of a fake Zoom site (shown in Figure 4), us06webzoomus[.]pro. The fake Zoom site, hosted at the URL us06webzoomus[.]pro/l/62202342233720Yzhkb3dHQXczZG1XS1Z3Sk9kenpkZz09/, features a subpath that closely resembles a meeting ID generated by the Zoom client. If a user clicks the Google Play link, a file named Zoom02.apk will be downloaded containing the SpyNote RAT. Similar to the fake Google Meet site, when a user clicks the Windows button it downloads a BAT file, which in turn downloads a DCRat payload.

Figure 4: The fake Zoom page, showing a domain similar to the real Zoom domain in the address bar and a link to the malicious APK file that contains SpyNote RAT when the Google Play button is clicked.