CRIL (Cyble Research and Intelligence Labs) analyzed the malware deployed by the fake sites and established that it was Vidar Stealer, an information stealer that is a fork of the Arkei stealer.
Vidar is designed to steal information from an infected device, including:
Here is a list of fake Zoom sites to avoid:
How Vidar Malware Works
The fake sites redirect users to the following GitHub URL, from which the malicious archive (Zoom.zip) is downloaded: https[:]//github[.]com/sgrfbnfhgrhthr/csdvmghfmgfd/raw/main/Zoom.zip
Once executed, the malicious application drops two binaries in the temporary folder: Decoder.exe, a malicious .NET binary, and ZOOMIN~1.EXE, a clean copy of the genuine Zoom installer.
Decoder.exe injects the attackers' code into MSBuild.exe and runs it from there in order to steal information from the machine. Because MSBuild.exe is a legitimate, Microsoft-signed binary, the stealer's code executes under a trusted process name, which helps it slip past signature-based application allow-listing and a casual look at the process list.
MSBuild (Microsoft Build Engine) is the platform used to build applications that target the .NET Framework, so its mere presence on a machine is not suspicious; what is suspicious is MSBuild.exe being started by, or receiving injected code from, an executable in the user's temporary folder. ZOOMIN~1.EXE, by contrast, is a clean file that only runs the genuine Zoom installer, so the victim sees a normal Zoom installation while the stealer runs in the background.
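The chain described above (installer unpacks into %TEMP%, Decoder.exe starts MSBuild.exe and injects into it) leaves a recognisable trace in process-creation and remote-thread telemetry. The script below is an added example, not code from the article or from CRIL or Heimdal, showing how a detection engineer might hunt for it. It runs over constructed, Sysmon-like events (EventID 1 = process creation, EventID 8 = CreateRemoteThread) written as flattened Key=Value lines; the paths, user name and the simplified log format are assumptions for the example, not artifacts recovered from the real sample. The last sample line is a benign Visual Studio build, included to show that the rules do not fire on ordinary MSBuild use.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample events (NOT logs from the real Zoom.zip sample). They model
# the described behaviour: the fake installer drops two binaries into %TEMP%,
# Decoder.exe launches MSBuild.exe with no project file and injects into it.
# The final line is a legitimate build started by Visual Studio, for contrast.
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Users\alice\Downloads\Zoom.exe ParentImage=C:\Windows\explorer.exe CommandLine=Zoom.exe",
    r"EventID=1 Image=C:\Users\alice\AppData\Local\Temp\ZOOMIN~1.EXE ParentImage=C:\Users\alice\Downloads\Zoom.exe CommandLine=ZOOMIN~1.EXE",
    r"EventID=1 Image=C:\Users\alice\AppData\Local\Temp\Decoder.exe ParentImage=C:\Users\alice\Downloads\Zoom.exe CommandLine=Decoder.exe",
    r"EventID=1 Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe ParentImage=C:\Users\alice\AppData\Local\Temp\Decoder.exe CommandLine=MSBuild.exe",
    r"EventID=8 SourceImage=C:\Users\alice\AppData\Local\Temp\Decoder.exe TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
    r"EventID=1 Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe ParentImage=C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe CommandLine=MSBuild.exe C:\src\app\app.csproj /t:Build",
]

# Key=Value pairs whose values may contain spaces; a value ends where the next key begins.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Temporary directories any user (or dropper) can write to.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# MSBuild is normally handed a project or solution file; a bare launch is unusual.
PROJECT_EXT = (".csproj", ".vbproj", ".proj", ".sln", ".targets")
# Parents that legitimately start MSBuild.exe (assumed allow-list; tune per environment).
TRUSTED_MSBUILD_PARENTS = ("devenv.exe", "msbuild.exe", "dotnet.exe", "cmd.exe", "powershell.exe")


def parse_event(line: str) -> Event:
    """Turn one flattened Key=Value line into a dict."""
    return {k: v for k, v in KV_RE.findall(line)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_temp_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in TEMP_DIRS)


def detect(lines: List[str]) -> List[Tuple[str, int]]:
    """Return (rule_name, line_index) for every rule that fires on the event stream."""
    alerts: List[Tuple[str, int]] = []
    for i, line in enumerate(lines):
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "1":
            image = ev.get("Image", "")
            parent = ev.get("ParentImage", "")
            cmd = ev.get("CommandLine", "")
            # Rule 1: a dropped payload executing straight out of a temp folder.
            if in_temp_dir(image):
                alerts.append(("exec_from_temp_dir", i))
            if basename(image) == "msbuild.exe":
                # Rule 2: the build engine started by something in %TEMP% or by
                # a parent that has no business launching it.
                if in_temp_dir(parent) or basename(parent) not in TRUSTED_MSBUILD_PARENTS:
                    alerts.append(("msbuild_untrusted_parent", i))
                # Rule 3: MSBuild launched without any project file to build.
                if not any(ext in cmd.lower() for ext in PROJECT_EXT):
                    alerts.append(("msbuild_without_project_file", i))
        elif eid == "8":
            # Rule 4: a remote thread created inside MSBuild.exe by another image,
            # the footprint of Decoder.exe injecting its payload into the build engine.
            src = ev.get("SourceImage", "")
            tgt = ev.get("TargetImage", "")
            if basename(tgt) == "msbuild.exe" and basename(src) != "msbuild.exe":
                alerts.append(("remote_thread_into_msbuild", i))
    return alerts


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule:32s} <- {SAMPLE_EVENTS[idx]}")
```

Run against the sample, the rules flag the two binaries executing from %TEMP%, the MSBuild.exe launch from Decoder.exe (no project file, untrusted parent) and the remote thread Decoder.exe creates in MSBuild.exe, while the devenv.exe build at the end produces nothing. The point of keying on parent, command line and injection rather than on MSBuild.exe itself is that the binary is signed by Microsoft and is a known living-off-the-land tool, so allow-listing by signature or by path cannot tell the build engine from the stealer hiding inside it.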
Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content. A literature-born cybersecurity enthusiast (through all those SF novels…), she loves to bring her NGO, cultural, and media background to this job.