A fake Zoom app is spreading – and it’s harvesting your data


A fake Zoom installer is making the rounds, luring unsuspecting users into downloading malware that quietly takes over their systems.

Think twice before installing Zoom from an unfamiliar site, because it might just hand over your data to cybercriminals.

Cybersecurity researchers have identified a new threat in the wild: a fake Zoom installer that tricks unknowing users into downloading malicious software by using a Zoom-like website.


DFIR security researchers warn that Windows users could fall victim to the notorious BlackSuit ransomware, known to be targeting schools, the healthcare sector, and other critical services.

Once inside, the malware sits dormant for days before unleashing a full-scale attack, scraping sensitive data, encrypting files, and demanding a ransom.


How does the fake Zoom installer take over your system?

Before clicking or downloading anything, it’s always a good idea to pay attention to the details. In this case, the URL of the dubious website is zoommanager[.]com, which reveals that it is not the official site of Zoom Video Communications, the company behind the video conferencing tool.

After pressing the link, a malicious loader is downloaded to the victim's device, where it stays invisible to security tools: it excludes its own files from Windows Defender scanning and hides them.

The malware connects to a Steam Community page to find the address of the next-stage server and downloads two archive files. To cover its tracks, one of the downloaded files is the real Zoom installer, while the other contains the malicious software.

After execution, the malware secretly injects itself into a Microsoft process (MSBuild.exe) and stays inactive for eight days before launching its next stage.

On the ninth day, it executes new malware, runs Windows commands to gather system information, and then deploys Cobalt Strike – a powerful hacking tool used to spread across the network. The attackers also install the QDoor tool, which lets them remotely control computers by routing traffic through a domain controller.


After gaining control, the attackers compress important files and exfiltrate them from the victim's device. The final step is deploying BlackSuit ransomware across all Windows systems, which encrypts files and leaves a ransom note demanding payment.
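A defender-side way to spot the behaviours described above, as an added example that is not part of the original article: a small Python scanner that applies three detection rules (a Defender exclusion added from the command line, a non-browser process fetching a Steam Community page, and MSBuild.exe opening a network connection) to Sysmon-style events. The sample events, hostnames, file names and paths below are constructed for illustration, not taken from the incident.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process create, 3 = network
# connection). They are made up for this example, not logs from the incident.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Users\\alice\\Downloads\\ZoomInstallerFull.exe '
    'CommandLine="powershell -c Add-MpPreference -ExclusionPath C:\\Users\\alice\\AppData\\Roaming\\ZoomUpdate"',
    'EventID=3 Image=C:\\Users\\alice\\Downloads\\ZoomInstallerFull.exe '
    'DestinationHostname=steamcommunity.com DestinationPort=443',
    'EventID=3 Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe '
    'DestinationHostname=203.0.113.10 DestinationPort=443',
    'EventID=3 Image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" '
    'DestinationHostname=steamcommunity.com DestinationPort=443',
]
# Processes for which a visit to steamcommunity.com is expected.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "steam.exe"}

def parse(line):
    """Parse 'key=value' pairs; values may be double-quoted to allow spaces."""
    fields = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[key] = quoted or bare
    return fields

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the name of the first rule an event triggers, or None."""
    image = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    if ev.get("EventID") == "1":
        # Loader excludes its own files from Defender scanning.
        if re.search(r"(Add|Set)-MpPreference\b.*-Exclusion", cmd, re.I):
            return "defender_exclusion_added"
    elif ev.get("EventID") == "3":
        host = ev.get("DestinationHostname", "").lower()
        # Injected MSBuild.exe beaconing out; MSBuild rarely needs the network.
        if image == "msbuild.exe":
            return "msbuild_network_connection"
        # Next-stage address fetched from a Steam Community page by a non-browser.
        if host.endswith("steamcommunity.com") and image not in BROWSERS:
            return "non_browser_steam_community_lookup"
    return None

def detect(lines):
    """Return (rule, process) pairs for every event that matches a rule."""
    pairs = ((classify(ev), basename(ev.get("Image", ""))) for ev in map(parse, lines))
    return [(rule, proc) for rule, proc in pairs if rule]
```

Each rule on its own is noisy in a large estate; the value is in seeing a Defender exclusion, a Steam Community lookup and an MSBuild.exe beacon from the same host within the eight-day dormancy window the article describes.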


BlackSuit ransomware remains a serious threat

According to analysis, the BlackSuit ransomware operation emerged in early April or May 2023. The gang is known for ruthlessly targeting the healthcare and education sectors, along with other critical industries.

At the beginning of 2024, the gang targeted South Carolina’s Kershaw County School District (KCSD), alleging that it had stolen 17GB worth of files. The district serves more than 11,000 students from kindergarten to 12th grade, spans 19 schools – including nine elementary schools – and has over 1,300 employees.

In June 2024, numerous dealerships across the US faced a significant computer system outage due to a ransomware attack against their software provider, CDK Global.

The retailers were forced to fall back on pen and paper for their record-keeping.

The BlackSuit ransomware cartel was behind the attack, with rumors spreading that CDK Global paid the ransom to restore services.

The same month, the infamous gang attacked the Kansas Police Department (KCKPD). According to the claim on the gang's dark web site, the KCKPD refused to pay the ransom, which led the cybercriminals to release police-related data.

The leak included an extensive range of data, from payroll records to homicide crime scene photos, evidence room information, a fingerprint database, and other sensitive details.


If that wasn’t enough, the gang also claimed to have breached Kansas City Hospice, a non-profit organization that provides end-of-life care and support services to patients and their families in the Kansas City area.

Ransomlooker, a Cybernews dark web monitoring tool, indicates that the hospice was added to BlackSuit's victim list on October 19th.

A software solutions provider, Young Consulting, now known as Connexure, was also targeted by the gang.

The company notified nearly a million individuals in the US that their names and other personal identifiers were exposed in a data breach, which the gang claimed responsibility for on May 7th.