Hackers are, once again, impersonating major tech brands to trick people into downloading malware to their computers, experts have warned.
Cybersecurity researchers from the Zscaler ThreatLabz recently discovered a new campaign, in which unidentified threat actors created countless websites whose URL is almost identical to actual websites belonging to the likes Google, Skype, and Zoom.
This method is also known as “typosquatting”, and relies on the fact that many people won’t spot a “typo” in the URL, and will believe they are on the legitimate site instead of a malicious one.
Sites in Russian
The websites pretend to host video conferencing software, such as Google Meet and the likes. The software offers download links for Windows, Android, and iOS. However, while the iOS link doesn’t do anything malicious (it redirects the users to the actual product), the Android and Windows deliver malware. For Android, it’s nothing more than an APK, but for Windows, it initiates the download of a batch script.
That batch executes a PowerShell script, which downloads and runs one of a few remote access trojans (RAT) spotted in the campaign – Spynote RAT (Android), NjRAT, or DCRat (Windows).
The campaign has been active since December 2023, with the researchers adding that the spoofed sites are Russian, indicating that the threat actors are either Russian themselves, or simply targeting Russian consumers.
“The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems,” they added.
The RATs can be used for a wide array of malicious activities, from stealing sensitive information from the devices, to logging keystrokes, and exfiltrating files. The methods of promoting these websites is unknown, but it is safe to assume that there is a phishing campaign active somewhere on the internet, and that the sites are being actively promoted on social media and various online forums.
Via TheHackerNews