Russia-Based Hackers FIN11 Impersonate Zoom to Conduct Phishing Campaigns

Written by

The threat actors known as FIN11 (and Clop) may have impersonated web download pages of the Zoom Application to conduct phishing campaigns against targets worldwide.

The news comes from cybersecurity company Cyfirma, which published a new advisory about the threat on Wednesday.

“This threat actor is known for conducting a large–scale campaign using impersonated web applications,” reads the technical blog post.

“In this case, FIN11 was observed employing Zoom download pages to install an information stealer (Vidar) targeting a large attack surface. We also observed an IP address that was earlier associated with AsyncRAT.”

Further, the security experts said that the Russia–based threat actor FIN11 has also lately been associated with Clop ransomware for post–compromise ransomware deployment and data theft extortion. 

“This association with the ransomware group increases the possibility of compromised systems becoming potential ransomware victims,” Cyfirma wrote.

In its latest investigation, the cybersecurity firm said it discovered several fake Zoom Video Communications download pages, all of which had the Russian Federation as the registrant country for all the hosts.

From a technical standpoint, the threat actor delivered malicious Zoom applications through phishing URLs masquerading as legitimate Zoom websites and apps. 

Upon execution of a malicious “Zoom.exe” file, the malware drops “Decoder.exe,” which acts as a downloader to download additional payloads (a remote access Trojan (RAT) and an information stealer) alongside the legitimate Zoom app setup, the advisory explained. The injected MSBuild.exe also downloads dynamic link libraries (DLLs) related to information stealer Vidar.

In terms of the motive behind the attacks, Cyfirma said it believes they may be financial in nature.

“The Cyfirma research team believes with moderate confidence that financially motivated FIN11 is behind this campaign involving fake download pages of popular web applications used worldwide,” reads the advisory.

A list of indicators of compromise (IOCs) connected with FIN11 is available in the technical write–up. Its publication comes months after Five Eyes Agencies included systems compromised by FIN11 in a list of the most exploited vulnerabilities of 2021.

What’s hot on Infosecurity Magazine?