
Beware of Fake Zoom Installers: BlackSuit Ransomware Campaign Targeting Businesses
When ‘Zoom’ Becomes Doom: Protecting Your Business from Fake Installers – The Deceptive Download
Cybercriminals are constantly developing sophisticated methods to infiltrate networks and compromise sensitive data. A recent alarming trend involves fake Zoom installers being used to distribute the dangerous BlackSuit ransomware. This blog post examines the attack method, associated risks, and critical mitigation strategies your organization should implement immediately.
The Attack: How Fake Zoom Installers Spread BlackSuit Ransomware
According to recent security research by DFIR, hackers are creating convincing clone websites that mimic the official Zoom download page. One specific malicious domain identified in this campaign is “zoommanager[.]com” – distinctly different from Zoom’s official download page at “zoom[.]us/download”. When users visit these fake sites and click on download buttons, they unknowingly install malware instead of the legitimate Zoom application.
The attack specifically targets Windows users with BlackSuit ransomware, which has become notorious for targeting schools, healthcare organizations, and other critical service providers.
How The Attack Works: A Multi-Stage Process
The attack sequence is particularly sophisticated:
- Initial Access: Users download what appears to be a Zoom installer from a fake website, but it’s actually a malicious installer built with Inno Setup.
- Stealth Mode: The downloaded file contains the d3f@ck loader, which adds exclusions to Windows Defender and marks directories as hidden to hinder detection.
- Deception: The malware connects to a Steam Community page to obtain an IP address for command and control. It then downloads two archives – one containing the legitimate Zoom installer (which runs to avoid suspicion) and another containing IDAT loader with SectopRAT malware.
- Dormant Period: After injection into MSBuild.exe, the malware establishes command and control communication but remains inactive for eight days to evade detection.
- Activation: On the ninth day, the malware activates, executing new malware components including Cobalt Strike, a commercial post-exploitation framework that attackers widely abuse to move across networks.
- Lateral Movement: The attackers gain access to domain controllers and deploy tools like QDoor to create proxy tunnels that facilitate remote access. They use this access to steal data by compressing targeted file shares into archives and exfiltrating them using cloud services like Bublup.
- Ransomware Deployment: Finally, the attackers download and deploy BlackSuit ransomware across all Windows systems using PsExec, encrypting files, deleting shadow copies, and leaving ransom notes.
The Significant Risks
The BlackSuit ransomware operation emerged in early 2023 and has become known for targeting critical sectors including healthcare, education, and law enforcement. Recent victims include:
- Kershaw County School District in South Carolina (early 2024)
- CDK Global, a software provider for auto dealerships (June 2024)
- Kansas City Police Department (June 2024), where the gang released sensitive police data after ransom demands were rejected
- Kansas City Hospice, a non-profit organization providing end-of-life care
The risks to your organization include:
- Data theft and extortion
- Operational disruption
- Financial losses from ransom payments and recovery costs
- Reputational damage
- Potential regulatory penalties for data breaches
Essential Mitigation Strategies
To protect your organization from this and similar threats:
- Verify Download Sources: Always download Zoom and other applications directly from official websites. For Zoom specifically, use zoom[.]us/download rather than clicking links from emails or search results.
- Implement Security Awareness Training: Educate employees about phishing techniques and the importance of verifying websites before downloading software.
- Deploy Comprehensive Security Solutions: Use modern antivirus software with regular updates across all devices.
- Enforce Application Control Policies: Limit which applications can be installed, especially on corporate devices.
- Implement Network Segmentation: Restrict lateral movement opportunities for attackers who manage to gain initial access.
- Maintain Regular Backups: Keep offline backups of critical data to mitigate the impact of ransomware.
- Monitor Network Traffic: Deploy network monitoring solutions to detect suspicious activity, especially command and control traffic that may indicate compromise. Look for indicators like unauthorized connections to unusual domain names or IP addresses.
- Apply Zero Trust Principles: Verify all users and devices attempting to access resources, regardless of their location.
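As an added example (not code from the original post or from the DFIR research it cites), the following Python applies the “verify download sources” and “monitor network traffic” advice above to proxy logs: it flags requests to hosts that mention Zoom but are not zoom.us or a genuine subdomain of it, such as the zoommanager[.]com lookalike, and calls out installer downloads from those hosts. The log format, client IP addresses and the second lookalike host are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse
# Zoom's official download domain (from the post); genuine subdomains are trusted too.
OFFICIAL_ZOOM_DOMAINS = ("zoom.us",)
# File types a lookalike site would serve as a "Zoom installer".
INSTALLER_EXTENSIONS = (".exe", ".msi", ".zip")
# Assumed proxy-log format: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) (?P<url>\S+) (?P<status>\d{3})$")
# Constructed sample lines: the client IPs and the download-center host are made up for this example.
SAMPLE_LOG = """
2025-03-01T09:12:03Z 10.0.0.15 GET https://zoom.us/download 200
2025-03-01T09:14:22Z 10.0.0.15 GET https://us04web.zoom.us/j/123456 200
2025-03-01T09:20:41Z 10.0.0.23 GET https://zoommanager.com/download 200
2025-03-01T09:20:45Z 10.0.0.23 GET https://zoommanager.com/ZoomInstaller.exe 200
2025-03-01T09:25:10Z 10.0.0.31 GET https://zoom.us.download-center.example/ZoomInstaller.exe 200
""".strip().splitlines()

@dataclass
class Finding:
    src_ip: str
    url: str
    reason: str

def is_official_zoom_host(host: str) -> bool:
    """True only for zoom.us itself or a real subdomain (suffix match on a label boundary)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_ZOOM_DOMAINS)

def is_zoom_lookalike(host: str) -> bool:
    """Host mentions 'zoom' (zoommanager.com, zoom.us.evil.example) but is not official."""
    return "zoom" in host.lower() and not is_official_zoom_host(host)

def scan_proxy_log(lines):
    """One Finding per request to a Zoom lookalike host; installer downloads are called out."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        url = m.group("url")
        parsed = urlparse(url)
        if is_zoom_lookalike(parsed.hostname or ""):
            reason = "zoom lookalike domain"
            if parsed.path.lower().endswith(INSTALLER_EXTENSIONS):
                reason += ", installer download"
            findings.append(Finding(m.group("src"), url, reason))
    return findings
```

Requests to zoom.us and its real subdomains produce no findings; the suffix match on a label boundary is what keeps a host like zoom.us.download-center.example from passing as official.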
How CinchOps Can Help Secure Your Business
At CinchOps, we understand the evolving threat environment and provide comprehensive security solutions to protect your organization from sophisticated attacks like the BlackSuit ransomware campaign.
Our services include:
- Advanced Endpoint Protection: Our solutions can detect and prevent malware like the fake Zoom installer before it can establish a foothold in your network.
- Security Awareness Training: We provide customized training programs to educate your employees about the latest threats and best practices for staying secure.
- Network Monitoring and Threat Detection: Our 24/7 security operations center monitors your network for suspicious activities and responds quickly to potential threats.
- Vulnerability Management: We regularly scan your systems for vulnerabilities and help you prioritize and address them before attackers can exploit them.
- Incident Response Planning: We help you develop and test incident response plans so you’re prepared if an attack occurs.
- Backup and Recovery Solutions: We implement robust backup strategies to ensure your data remains accessible even in the face of ransomware attacks.
- Security Policy Development: We help you establish and enforce security policies that reduce your risk exposure.
Discover more about our enterprise-grade, business-protecting cybersecurity services on our Cybersecurity page.
Don’t wait until your organization becomes the next victim of sophisticated malware campaigns. Contact CinchOps today to schedule a security assessment and learn how we can help strengthen your defenses against emerging cyber threats.