Experts have warned that hackers are once again impersonating big tech brands to trick people into downloading malware on their computers.
Cybersecurity researchers at Zscaler ThreatLabz recently discovered a new campaign in which unidentified threat actors created countless websites whose URLs are almost identical to real websites belonging to companies like Google, Skype, and Zoom.
This technique is known as “typosquatting”: it relies on the fact that many people will not notice a “typo” in the URL and will believe they are on a legitimate site rather than a malicious one.
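The following script is an added example, not part of the original article or Zscaler's research, showing one way a defender can flag look-alike hostnames in DNS logs. It compares the registrable part of each queried name against a short brand list (the three brands named above), after undoing common digit-for-letter substitutions and splitting hyphenated labels, and tolerates one edit for longer brand names. The allowlist, the homoglyph table, the thresholds and the log lines are all constructed assumptions for this example.

```python
import re

# Brands named in the article; the allowlist, homoglyph table and log lines
# below are constructed for this example, not taken from the campaign.
BRANDS = ("google", "skype", "zoom")
ALLOWLIST = {"google.com", "skype.com", "zoom.us"}

# Digit/symbol stand-ins commonly swapped for letters in look-alike names
# (constructed, non-exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the hostname (naive: ignores multi-label suffixes such as co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def normalize(label: str) -> str:
    """Undo the most common visual substitutions before comparing to a brand."""
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def verdict(host: str) -> str:
    """Return 'allowlisted', 'lookalike:<brand>' or 'unflagged' for one hostname."""
    reg = registrable(host)
    if reg in ALLOWLIST:
        return "allowlisted"
    label = normalize(reg.split(".")[0])
    # Compare the whole label and each hyphen/underscore-separated token,
    # so "brand-meet-download" style names are caught too.
    candidates = [label] + [t for t in re.split(r"[-_]", label) if t]
    for brand in BRANDS:
        # Short brands only match exactly (too many real words sit one edit
        # away from "zoom"); longer ones tolerate a single edit.
        threshold = 0 if len(brand) < 5 else 1
        if any(levenshtein(c, brand) <= threshold for c in candidates):
            return f"lookalike:{brand}"
    return "unflagged"


# Constructed DNS query log in a simple key=value format (assumption).
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z client=10.0.0.5 query=meet.google.com
2024-05-01T10:00:02Z client=10.0.0.5 query=zoom.us
2024-05-01T10:00:03Z client=10.0.0.7 query=gooogle-meet.example
2024-05-01T10:00:04Z client=10.0.0.7 query=zo0m.example
2024-05-01T10:00:05Z client=10.0.0.9 query=skyype.example
2024-05-01T10:00:06Z client=10.0.0.9 query=room.example
"""


def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Return (client, query, verdict) for every query that resembles a brand but is not allowlisted."""
    hits = []
    for line in text.splitlines():
        m = re.search(r"client=(\S+) query=(\S+)", line)
        if not m:
            continue
        client, query = m.groups()
        v = verdict(query)
        if v.startswith("lookalike:"):
            hits.append((client, query, v))
    return hits


if __name__ == "__main__":
    for client, query, v in scan_log(SAMPLE_DNS_LOG):
        print(f"{client} -> {query}: {v}")
```

The allowlist check runs before any fuzzy matching, so legitimate hosts such as meet.google.com are never flagged; "room.example" stays unflagged because four-letter brands are matched exactly only. In practice the registrable-domain split should use a public suffix list, and the brand list and thresholds should be tuned against your own traffic to keep false positives down.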
Russian sites
The websites purport to host video conferencing software such as Google Meet. The sites offer download links for Windows, Android and iOS. The iOS link does nothing malicious (it redirects users to the real product), but the Android and Windows links deliver malware. On Android the payload is simply a malicious APK; on Windows the link initiates the download of a batch script.
That batch script runs a PowerShell script, which downloads and executes one of the Remote Access Trojans (RATs) seen in the campaign: SpyNote RAT on Android, or NjRAT or DCRat on Windows.
The campaign has been active since December 2023, and the researchers added that the spoofed sites are in Russian, indicating that the threat actors are either Russian or simply targeting Russian-speaking users.
“The threat actor is distributing Remote Access Trojans (RATs), including SpyNote RAT for Android platforms and NjRAT and DCRat for Windows systems,” they added.
RATs can be used for a wide range of malicious activities, from stealing sensitive information from devices to logging keystrokes and extracting files. The methods of promoting these websites are unknown, but it is safe to assume that there is an active phishing campaign somewhere on the Internet and that the sites are being actively promoted on social media and various online forums.
Via TheHackerNews