Watch out - these fake websites advertising Google Meet, Skype, and Zoom are just spreading malware

This method is also known as “typosquatting”, and relies on the fact that many people won’t spot a “typo” in the URL, and will believe they are on the legitimate site instead of a malicious one.

Sites in Russian

The websites pretend to host video conferencing software, such as Google Meet and the likes. The software offers download links for Windows, Android, and iOS. However, while the iOS link doesn’t do anything malicious (it redirects the users to the actual product), the Android and Windows deliver malware. For Android, it’s nothing more than an APK, but for Windows, it initiates the download of a batch script.

That batch executes a PowerShell script, which downloads and runs one of a few remote access trojans (RAT) spotted in the campaign - Spynote RAT (Android), NjRAT, or DCRat (Windows).  

The campaign has been active since December 2023, with the researchers adding that the spoofed sites are Russian, indicating that the threat actors are either Russian themselves, or simply targeting Russian consumers.

"The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems," they added.

The RATs can be used for a wide array of malicious activities, from stealing sensitive information from the devices, to logging keystrokes, and exfiltrating files. The methods of promoting these websites is unknown, but it is safe to assume that there is a phishing campaign active somewhere on the internet, and that the sites are being actively promoted on social media and various online forums.

Via TheHackerNews

More from TechRadar Pro

• This nasty trojan uses Discord as a command and control server
• Here's a list of the best firewalls around today
• These are the best endpoint security tools right now