Zoom-themed cyber attacks fuel rapid malware growth

Cyber attacks that lure victims with themes around popular video conferencing service Zoom have helped increase malware growth, with one named Vidar becoming more popular in rapid time.

Vidar occupies position number eight, up seven places from August, in Check Point Research’s (CPR) Global Threat Index for September 2022. The CPR report found that although Formbook, an infostealer targeting Windows OS that currently affects 3% of organisations around the world, is still the most prevalent malware, the steep rise of Vidar is notable.

Vidar is an infostealer designed to give threat actors backdoor access, allowing them to steal sensitive banking information, login credentials, IP addresses, browser history, and crypto wallets from infected devices.

The increase in its prevalence comes after a malicious campaign in which fake Zoom websites, like zoomus[.]website and zoom-download[.]space, were used to lure users into downloading the malware.

“In terms of the most prevalent malwares in September, it’s interesting to see Vidar leap into the top ten after a long absence,” said Maya Horowitz, VP of research at Check Point. “Users of Zoom need to stay alert to fraudulent links as this is how the Vidar malware has been distributed lately. Always keep an eye out for inconsistencies or misspelt words in URLs. If it looks suspicious, it probably is.”

Formbook was the most prevalent malware this month impacting 3% of organisations worldwide, followed by XMRig and AgentTesla which both impact 2% of organisations globally.

Formbook was first detected in 2016 and is marketed as a malware as a service (MaaS) operation in underground hacking forums. It's known for having substantial anti-detection capabilities and a relatively low price.

The malware harvests credentials from various web browsers, collects screenshots, monitors, and logs keystrokes. It can also download and execute files according to orders from its command and control infrastructure (C2).

XMRig, on the other hand, is open source CPU software used to mine Monero cryptocurrency. Threat actors often abuse this open-source software by integrating it into their malware to conduct illegal mining on victim’s devices, according to Check Point.

Additionally, AgentTesla is an advanced RAT functioning as a keylogger and information stealer. It’s capable of monitoring and collecting a victim’s keyboard input, system keyboard, taking screenshots, and exfiltrating credentials to a variety of software installed on a victim’s machine (including in Google Chrome, Mozilla Firefox, and the Microsoft Outlook email client).

The type of vulnerability most exploited this month was a 'web server exposed git repository information disclosure, impacting 43% of organisations globally. Successful exploitation of this flaw can facilitate the unintentional disclosure of account information in the impacted product.

This was followed by Log4Shell which dropped from first place to second and impacted 42% of organisations. It was discovered late last year and sent shockwaves through the security community due to how many organisations were believed to be exposed.