
Hackers can trick Windows users into joining fake Zoom meetings and downloading fake updates that silently install workforce analytics software, the kind companies use to monitor staff activity, according to Malwarebytes. The security firm says it observed the malicious activity in the wild: not a single antivirus program flags the installer, while the attackers gain broad visibility into the victim's machine.
Update: Teramind sent the following comment: “Teramind is not affiliated with the threat actors described, did not deploy the software referenced, and condemns any unauthorized misuse of commercial monitoring technologies.”
Malwarebytes Labs is sounding the alarm about hackers potentially abusing legitimate corporate surveillance software. These workforce analytics tools let employers monitor staff, but in the hands of attackers they may enable eavesdropping on unsuspecting victims.
Hackers can log every keystroke, take screenshots, record web browsing and app usage history, capture clipboard contents, and track email and file activity.
“Fake Zoom meeting ‘update’ silently installs surveillance software,” reads the title of Malwarebytes’ report on the new malicious campaign.
The attackers created a convincing fake meeting website at the address uswebzoomus[.]com.
If targets click the malicious link, they land on a convincing imitation of a Zoom waiting room for a video call. The scripted scenario adds fake participants one by one, mimicking Zoom's join chime, and a conversation can be heard in the background. However, the audio is choppy and the video lags, and this is deliberate.
Then, 10 seconds into this glitchy, frustrating call, a hardcoded “Network Issue” alert pops up, persistently prompting the user to download an update.
“A visitor sitting through a broken call will naturally assume something is wrong with the app. When an Update Available prompt appears moments later, it feels like the fix,” the Malwarebytes researchers noted.
There is no close button, just a five-second countdown after which the browser is instructed to download a file automatically and silently. In parallel, the malicious “Zoom” website redirects the victim to another fake page that imitates the “Microsoft Store” and “Zoom Workplace” mid-installation.
The installer lands in the downloads folder without asking permission at any point. It only takes around 30 seconds to infect unsuspecting users.
No antivirus solution flags the tool
The 103.8 MB package, named “zoom_agent_x64”, has zero detections on VirusTotal.
The downloaded file is actually a preconfigured installer for a workforce analytics tool, the kind of software companies use to monitor employees on company-owned computers. The agent is configured to communicate with a remote server instance controlled by the threat actors. Malwarebytes explained that the hackers abused a legitimate commercial monitoring tool that companies use to track employee activity on work computers.
“The installer executes through Windows Installer without presenting a typical interactive consumer installation interface. The target being set up as a surveillance target has no idea it is happening,” Malwarebytes explains.
The report doesn’t specify how the installation begins and whether the users need to run the file.
According to the security firm, the specific workforce tracking tool has a dedicated “stealth mode” deployment option, which is specifically designed so the agent runs with no visible presence. The targets don’t see any icon in the taskbar, no entry in the system tray, and no trace in the list of installed programs.
The software assembles itself in stages. The installer detects if it’s running in a sandbox environment and behaves differently in that situation.
“Once installation completes, the installer removes its temporary files and staging folders. That means by the time someone checks the machine, obvious traces of the installer may already be gone. The monitoring agent itself, however, continues running in the background,” the researchers said.
Hackers abusing legitimate software is known as a living-off-the-land technique, and attackers have leveraged many popular platforms this way in the past.
The use of legitimate workforce monitoring tools can make cyberattacks especially dangerous. Instead of writing custom malware, hackers deploy a professionally developed commercial product designed to persist and run reliably.
“Because the files themselves belong to legitimate software, traditional antivirus tools that look only for known malicious code may not flag them,” Malwarebytes explains.
The surveillance software installed without consent fits into the “stalkerware” category. Previous reports have found that security tools have blind spots for this type of software.
Malwarebytes shared instructions on how to check a computer for an unwanted installation: the packages can be found in File Explorer with the “Hidden items” view enabled. Follow the firm's guidance in the report on how to check for running services.
The firm also recommends that anyone who suspects their device has been compromised change their passwords and clean the device.
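As an added example that is not part of the Malwarebytes report or this article, the PowerShell triage script below follows the report's two checks (hidden folders, running services) and adds a third based on general Windows Installer behaviour, since the agent is installed through Windows Installer. The install roots, the Downloads location and the file name pattern are assumptions to adjust for your environment.

```powershell
# Added triage script (not from the Malwarebytes report). Run in an elevated
# PowerShell on a Windows host suspected of having received the fake "Zoom update".
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) | Where-Object { $_ }

# 1. Hidden top-level folders under common install roots. A stealth-mode agent
#    hides its folder; File Explorer shows it only with "Hidden items" enabled.
Write-Host "== Hidden folders under install roots =="
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        Select-Object FullName, CreationTime
}

# 2. Running services whose executable lives in a hidden folder. PathName may be
#    quoted and carry arguments, so reduce it to the executable path first.
Write-Host "== Running services with binaries in hidden folders =="
Get-CimInstance Win32_Service | Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $exe = ($_.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        $dir = Split-Path -Path $exe -Parent -ErrorAction SilentlyContinue
        if ($dir -and (Test-Path -LiteralPath $dir)) {
            $attr = (Get-Item -LiteralPath $dir -Force).Attributes
            if ($attr -band [IO.FileAttributes]::Hidden) {
                [pscustomobject]@{ Service = $_.Name; Path = $exe; RunsAs = $_.StartName }
            }
        }
    }

# 3. Products registered with Windows Installer for the machine (SYSTEM context).
#    An MSI hidden from "Installed apps" is usually still registered here with
#    its install date and source, which helps date the infection.
Write-Host "== Windows Installer products (newest first) =="
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products'
Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path "$($_.PSPath)\InstallProperties" -ErrorAction SilentlyContinue
    if ($p) { [pscustomobject]@{ Date = $p.InstallDate; Name = $p.DisplayName; Source = $p.InstallSource } }
} | Sort-Object Date -Descending | Format-Table -AutoSize

# 4. The dropped installer name reported by Malwarebytes, in case it is still in Downloads.
Write-Host "== Installer in Downloads =="
Get-ChildItem -Path (Join-Path $env:USERPROFILE 'Downloads') -Filter 'zoom_agent_x64*' -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

A hit in sections 1 or 2 is a lead to investigate, not proof of compromise on its own: legitimate software also uses hidden folders, so compare the install date and source from section 3 with when the user reports sitting through the broken "call".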
Updated on February 25th [09:15 a.m. GMT] with a statement from Teramind.