A new phishing campaign employs a highly convincing, five-stage attack flow designed to steal user credentials under the guise of a Zoom video conference. The process involves deception techniques, multi-domain infrastructure, and secure real-time data exfiltration mechanisms to enhance stealth and bypass common security controls.
Severity Level: High
VULNERABILITY OVERVIEW:
- Infection Chain:
  - Stage 1 – Phishing Email:
    - The phishing emails use urgent subject lines like “Missed Zoom Call” or “Urgent Meeting Request” to prompt quick, impulsive clicks from busy professionals.
    - Users receive an email containing a malicious link that leads them to a fake Zoom interface.
    - The email may use urgent language or scheduled-meeting notifications to create a sense of urgency, encouraging users to act quickly without verifying the source.
  - Stage 2 – Visual Deception:
    - The webpage simulates a Zoom loading screen, followed by a pre-recorded video of a “live meeting” with visible participants, increasing credibility.
    - The pre-recorded video of “participants” may include fake names and avatars, reinforcing the illusion of legitimacy by mirroring typical enterprise meeting environments.
  - Stage 3 – Fake Disconnection Prompt:
    - A sudden fake “Connection Lost” or “Session Expired” notification tricks the user into thinking a session error occurred.
    - The fraudulent disconnection message prompts users to re-enter their login credentials.
  - Stage 4 – Credential Harvesting:
    - Users are shown a realistic-looking login form that mimics Zoom or corporate SSO pages.
    - The form may redirect to a real Zoom page after credential entry to reduce suspicion, allowing attackers to harvest data without raising immediate red flags.
  - Stage 5 – Data Exfiltration:
    - Stolen credentials are transmitted via the Telegram API, allowing attackers to receive data in real time over a legitimate communication channel that often evades detection.
Infrastructure & Techniques:
- Domain Usage:
  - Tracking and phishing URLs are hosted via cirrusinsight[.]com subdomains, making the links appear legitimate and trusted to end users.
  - Fake meeting pages are served from r2[.]dev (Cloudflare R2), leveraging a reliable cloud service that is less likely to be flagged as malicious.
- Command and Control (C2):
  - Attackers use the Telegram API for stealthy command and control (C2) communication, which often bypasses traditional firewalls and endpoint security tools due to its widespread legitimate use.
  - This method allows for real-time data exfiltration and immediate access to stolen credentials through bots or channels.
MITRE ATT&CK:
| Tactic | Technique | ID | Details |
|---|---|---|---|
| Reconnaissance | Phishing for Information | T1598.002 | Adversaries craft emails to trick users into clicking malicious links. |
| Resource Development | Acquire Infrastructure | T1583.001 | Use of legitimate cloud services (e.g., r2.dev, cirrusinsight.com) for hosting. |
| Initial Access | Phishing | T1566.002 | Spearphishing via link directing users to a spoofed Zoom page. |
| Execution | User Execution | T1204.001 | Victims execute by clicking a link and interacting with fake prompts. |
| Persistence | Abuse of Legitimate Services | T1550.002 | Use of Telegram API as a persistent, covert exfiltration channel. |
| Credential Access | Input Capture | T1056.001 | Fake login prompt captures user credentials. |
| Collection | Data from Information Repositories | T1213 | Collected credentials from user input. |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | Telegram API used over HTTPS to evade detection and communicate with C2. |
| Exfiltration | Exfiltration Over Web Service | T1567.002 | Exfiltrating data via Telegram, a legitimate web service. |
| Defense Evasion | Obfuscated Files or Information | T1027 | Use of pre-recorded videos, spoofed interfaces, and legit domains to evade detection. |
Recommendations:
- Educate users to verify Zoom URLs and avoid re-authenticating from popups or prompts in meetings.
- Monitor for unusual outbound traffic to Telegram API endpoints.
- Implement multi-factor authentication (MFA) to reduce the impact of compromised credentials.
- Block the IOCs at their respective controls: https://www.virustotal.com/gui/collection/40c35230cac379cebf731beb69d4ea881619ff0c36309e7eacf27ae2f5f9024a/iocs.
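As a worked illustration of two of the recommendations above (verifying that a "Zoom" link really points at a Zoom domain, and monitoring outbound traffic to the Telegram API and to the hosting infrastructure named in the Infrastructure & Techniques section), the following Python script is an added example written for this advisory; it is not code from the original report or from any of the cited sources. The proxy log format, the sample log lines, the `<TOKEN>` placeholder in the Telegram URL, and the list of legitimate Zoom domains are all constructed assumptions for the example.

```python
"""Added example: defender-side checks for the Zoom-themed phishing flow.

Two helpers are shown:
  * is_legit_zoom_link()  - does a link's host actually belong to Zoom?
  * find_suspicious()     - scan proxy-log lines for egress to the Telegram
                            Bot API and to the hosting domains named above.
"""
import re
from urllib.parse import urlparse

# Hosts treated as genuinely Zoom-owned. ASSUMPTION for this example only;
# an enterprise would maintain this from its own allow-list.
LEGIT_ZOOM_SUFFIXES = ("zoom.us", "zoom.com")

# Telegram Bot API host (real) and the hosting domains the advisory names
# (defanged there as r2[.]dev and cirrusinsight[.]com).
TELEGRAM_SUFFIXES = ("api.telegram.org",)
PHISH_INFRA_SUFFIXES = ("r2.dev", "cirrusinsight.com")

# ASSUMED proxy log format: "<timestamp> <src-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def host_matches(host, suffixes):
    """True if host equals a suffix or is a subdomain of it (exact-label match,
    so 'zoom.us.evil.example' does NOT match 'zoom.us')."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def is_legit_zoom_link(url):
    """A meeting link is accepted only if it is HTTPS and its host is a real
    Zoom domain; look-alike hosts on other domains are rejected."""
    parsed = urlparse(url.strip())
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    return host_matches(parsed.hostname, LEGIT_ZOOM_SUFFIXES)


def parse_proxy_line(line):
    """Parse one log line into a dict (or None if it does not match)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlparse(rec["url"]).hostname or ""
    return rec


def find_suspicious(lines):
    """Return (src, host, reason) tuples for lines worth triaging:
    Telegram API egress (flagging the /bot<token>/ path used by bots
    separately) and hits on the phishing-infrastructure watchlist."""
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        if host_matches(rec["host"], TELEGRAM_SUFFIXES):
            reason = "telegram-bot-api" if "/bot" in rec["url"] else "telegram-api"
            hits.append((rec["src"], rec["host"], reason))
        elif host_matches(rec["host"], PHISH_INFRA_SUFFIXES):
            hits.append((rec["src"], rec["host"], "phishing-infra-watchlist"))
    return hits


# CONSTRUCTED sample log: one workstation follows the full chain
# (real Zoom -> R2-hosted fake meeting page -> Telegram bot POST).
SAMPLE_PROXY_LOG = [
    "2025-05-19T10:00:01Z 10.0.0.12 GET https://us02web.zoom.us/j/123456789 200",
    "2025-05-19T10:00:05Z 10.0.0.12 GET https://pub-example.r2.dev/meeting.html 200",
    "2025-05-19T10:00:09Z 10.0.0.12 POST https://api.telegram.org/bot<TOKEN>/sendMessage 200",
    "2025-05-19T10:00:12Z 10.0.0.33 GET https://example.com/ 200",
]

if __name__ == "__main__":
    for src, host, reason in find_suspicious(SAMPLE_PROXY_LOG):
        print(f"{src} -> {host} [{reason}]")
    print(is_legit_zoom_link("https://zoom.us.pub-example.r2.dev/j/1"))
```

The suffix check compares whole DNS labels, which is the point of the look-alike test: a host such as `zoom.us.something.r2.dev` contains the string "zoom.us" but is not under the Zoom domain. A single hit on `r2.dev` is a watchlist event for triage rather than a verdict, since Cloudflare R2 hosts plenty of legitimate content; a POST to `api.telegram.org/bot…/sendMessage` from a workstation that has no business reason to run a Telegram bot is the stronger signal and is the one to alert on.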
Source:
- https://cybersecuritynews.com/new-phishing-attack-mimic-as-zoom-meeting-invites/
- https://x.com/SpiderLabs/status/1924424257083179462