Cybersecurity analysts have identified a campaign using a fake Zoom installer to spread BlackSuit ransomware on Windows systems. DFIR experts report that attackers are tricking users into downloading malware disguised as legitimate software, leading to severe network disruptions.
BlackSuit Ransomware
The attack began with a fake website resembling Zoom’s official domain. The page mimicked Zoom’s interface and offered a download named “Zoom_v_2.00.4.exe” that looked like the official client; instead, the installer started a multi-stage malware attack.

The installer was built with Inno Setup, a legitimate packaging tool, and delivered “d3f@ckloader,” a Pascal-based downloader. Once executed, the loader bypassed security measures, fetched additional payloads, and carried out the malicious activity described below.
The Multi-Stage Attack Chain
Stage 1: Initial Access and Evasion
After running the fake installer, victims unknowingly triggered batch scripts that:
- Disabled Windows Defender by adding exclusions.
- Downloaded additional payloads from remote sources like Steam Community pages and Pastebin.

Stage 2: Malware Deployment
The installer deployed:
- A legitimate Zoom installer to avoid suspicion.
- An IDAT loader, which later injected SectopRAT (a remote access trojan) into the “MSBuild.exe” process.

SectopRAT remained dormant for nine days, allowing attackers to evade detection while gathering intelligence. On the ninth day, it activated Brute Ratel and later deployed the Cobalt Strike toolkit for post-exploitation.
The attacker used QDoor malware and RDP for lateral movement, employing proxies for secure command tunneling. After accessing file servers and domain controllers, they compressed data with WinRAR and exfiltrated it via Bublup.
In the final stage, the attacker deployed BlackSuit ransomware using PsExec, encrypting files and rendering systems unusable. It deleted shadow copies to prevent recovery, locked users out of their data, and dropped ransom notes demanding payment for decryption. The entire operation took about nine days.
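As an added example (not from the article or the DFIR report), the following Python detector runs over constructed sample events and checks for the telemetry each stage above would leave on a Windows host: a Defender exclusion change (event 5007 in the Microsoft-Windows-Windows Defender/Operational log), a command line adding an exclusion, MSBuild.exe opening a network connection (Sysmon event 3), vssadmin deleting shadow copies (Sysmon event 1), and the PsExec service install (System event 7045). The simplified dict field names and all sample values are assumptions made for this example.

```python
import re

# Constructed sample events in a simplified, Sysmon/Defender-like dict form.
# Field names and values are assumptions for this example, not a real schema.
SAMPLE_EVENTS = [
    {"source": "Defender", "id": 5007,
     "message": "Configuration has changed. New value: HKLM\\SOFTWARE\\Microsoft\\"
                "Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public = 0x0"},
    {"source": "Sysmon", "id": 1, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c powershell Add-MpPreference -ExclusionPath C:\\Users\\Public"},
    {"source": "Sysmon", "id": 3,
     "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe",
     "dest": "203.0.113.10:443"},
    {"source": "Sysmon", "id": 1, "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"source": "System", "id": 7045,
     "message": "A service was installed in the system. Service Name: PSEXESVC"},
    {"source": "Sysmon", "id": 3, "image": "C:\\Program Files\\Zoom\\bin\\Zoom.exe",
     "dest": "198.51.100.5:443"},  # benign: the real client talking to the internet
]

def _exclusion_change(e):
    # Defender event 5007 logs configuration changes; an Exclusions\ registry
    # path in the message means an exclusion was added or modified.
    return e["source"] == "Defender" and e["id"] == 5007 \
        and "\\Exclusions\\" in e.get("message", "")

def _exclusion_cmd(e):
    return e["source"] == "Sysmon" and e["id"] == 1 and re.search(
        r"add-mppreference.*-exclusion", e.get("cmdline", ""), re.I) is not None

def _msbuild_network(e):
    # MSBuild.exe normally builds projects; outbound connections from it are
    # consistent with the injected SectopRAT described above.
    return e["source"] == "Sysmon" and e["id"] == 3 \
        and e.get("image", "").lower().endswith("\\msbuild.exe")

def _shadow_delete(e):
    return e["source"] == "Sysmon" and e["id"] == 1 and re.search(
        r"vssadmin(\.exe)?\s+delete\s+shadows", e.get("cmdline", ""), re.I) is not None

def _psexec_service(e):
    return e["source"] == "System" and e["id"] == 7045 \
        and "PSEXESVC" in e.get("message", "").upper()

RULES = {"defender_exclusion_added": _exclusion_change,
         "defender_exclusion_cmd": _exclusion_cmd,
         "msbuild_network_connection": _msbuild_network,
         "shadow_copy_delete": _shadow_delete,
         "psexec_service_install": _psexec_service}

def detect(events):
    """Return (rule_name, event_index) for every event that matches a rule."""
    return [(name, i) for i, e in enumerate(events)
            for name, pred in RULES.items() if pred(e)]
```

In a real deployment these predicates would be fed from Sysmon and the Defender Operational channel via a SIEM; the benign Zoom.exe connection is included to show that only the anomalous behaviour is flagged.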
How to Protect Yourself
This campaign highlights the need to be cautious when downloading software, especially from unofficial sources. Here are key steps to defend against such attacks:
- Only download software from trusted sources and verify website URLs.
- Use advanced malware detection tools that can spot multi-stage attacks like BlackSuit.
- Regularly update security protocols and train employees to recognize phishing and suspicious downloads.
- Back up sensitive data and keep offline copies to protect against ransomware.
- Monitor network traffic for unusual connections to external IPs or platforms like Telegram and Steam.
This campaign shows how threat actors exploit popular software like Zoom to attack organizations and demand ransom. Security teams must stay proactive, using awareness and strong cybersecurity measures to defend against evolving threats like BlackSuit ransomware.