By do son (securityonline.info)
A recently uncovered attack campaign used a malicious Zoom installer to deploy BlackSuit ransomware. The threat actors distributed a weaponized Zoom installer through a cloned website and used it to obtain remote desktop protocol (RDP) access to the targeted systems. The intrusion begins when an unsuspecting user downloads the fake installer, which starts a multi-stage malware deployment.

The malicious installer drops a loader that downloads additional payloads, including the SectopRAT malware, which is used for reconnaissance and credential harvesting. After a dwell period, the threat actors deploy Brute Ratel and Cobalt Strike for lateral movement across the network. They exfiltrate data and finally distribute the BlackSuit ransomware, which encrypts files and leaves ransom notes. The incident illustrates how criminals combine social engineering (a trojanized installer on a look-alike site) with commodity and commercial post-exploitation tooling to evade detection and maximize the impact of their attacks.
