Abnormal Attack Stories: Zoom Malware

April 16, 2020

Abnormal Security

In this attack, the sender poses as an external employee and asks recipients to schedule a Zoom meeting by checking the sender's availability in an attachment that almost certainly contains malware.

Quick Summary

  • Platform: Office 365
  • # Mailboxes: More than 50,000
  • Email Gateway: Proofpoint
  • Email Security: Office 365
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation, Email Spoofing

What was the attack?

  • Setup: This attack leverages the current COVID-19 pandemic. As companies and their employees transition to working from home, online video calling and conferencing software is becoming increasingly popular. Attackers are taking advantage of this transitional period to send out fake virtual meeting requests designed to install malware on victims' devices or phish their credentials.
  • Email Attack: The attacker crafted an email that appears to come from a legitimate external employee, asking for a virtual meeting with the user. The attacker urges recipients to check the attachment for the sender's available hours and key points to discuss.
  • Payload: The email contains an attachment that ostensibly holds relevant information for a virtual meeting with the sender. However, the file (.slk, an outdated Microsoft Excel import format) is actually malware that will infect the victim's device if opened.
  • Result: Should recipients fall victim to this attack, malware will be installed on the user’s device, enabling the attacker to steal sensitive personal information and potentially take over the user’s system.

Why is this attack effective?

  • Urgency: This attack exploits the uncertainty created by the COVID-19 pandemic and the move to online meeting software. The message masquerades as an online rescheduling of a previously planned meeting, since in-person meetings have generally been canceled because of the virus. It then asks the victim whether they are interested in arranging a Zoom meeting to discuss a research program. To be clear, this is not an attack on or compromise of Zoom itself; the attackers are leveraging the brand recognition of the popular videoconferencing service to launch this attack.
  • Concealed Attachment: A user unfamiliar with attachment types may assume the attached file contains legitimate information about the meeting. However, if the file is downloaded and opened, it will download malware to the user's device. Once the malware is installed, the attacker can snoop on the user and steal personal information, such as user credentials.
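As an added example (not Abnormal's own detection logic), the three indicators above turned into a defender-side mail-filter check in Python: an external sender, a Zoom/meeting-reschedule lure in the text, and an attachment that is SYLK (.slk) either by extension or by its leading "ID;" record, so a renamed file is still caught. The message, domains and filenames are constructed for the example.

```python
import email
import re
from email import policy
SUSPICIOUS_EXTENSIONS = {".slk"}  # legacy SYLK Excel import format used in this lure
SYLK_MAGIC = b"ID;"  # every SYLK file begins with an "ID;" record, whatever its name
LURE_TERMS = re.compile(r"\b(zoom|virtual meeting|reschedul\w*|available hours)\b", re.I)

def is_sylk(payload: bytes) -> bool:
    # Catches a SYLK file even when it has been renamed to .xls or similar.
    return payload.lstrip().startswith(SYLK_MAGIC)

def score_message(raw: bytes, internal_domains: set) -> dict:
    # Return the lure/attachment indicators found in one raw RFC 5322 message.
    msg = email.message_from_bytes(raw, policy=policy.default)
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender_domain = m.group(1).lower() if m else ""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    findings = {"external_sender": sender_domain not in internal_domains,
                "meeting_lure": bool(LURE_TERMS.search(text)),
                "sylk_attachment": False, "attachment_names": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        findings["attachment_names"].append(name)
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        data = part.get_payload(decode=True) or b""
        if ext in SUSPICIOUS_EXTENSIONS or is_sylk(data):
            findings["sylk_attachment"] = True
    # Quarantine only when all three signals line up, to keep false positives low.
    findings["quarantine"] = all(findings[k] for k in
                                 ("external_sender", "meeting_lure", "sylk_attachment"))
    return findings

# Constructed sample (hypothetical domains): a two-record, harmless SYLK file
# renamed to .xls, so only the magic-byte check can flag it.
SAMPLE_EML = (
    b"From: Alex Partner <alex@partner-example.com>\r\n"
    b"To: jamie@corp-example.com\r\n"
    b"Subject: Rescheduling our meeting as a Zoom call\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
    b"--b1\r\nContent-Type: text/plain\r\n\r\n"
    b"Hi Jamie, in-person is cancelled. Please check the attachment for my\r\n"
    b"available hours and key points for a Zoom meeting.\r\n"
    b"--b1\r\nContent-Type: application/octet-stream; name=\"schedule.xls\"\r\n"
    b"Content-Disposition: attachment; filename=\"schedule.xls\"\r\n\r\n"
    b"ID;PWXL;N;E\r\nE\r\n--b1--\r\n"
)

def analyze_sample() -> dict:
    return score_message(SAMPLE_EML, {"corp-example.com"})
```

In production the same function would run over each inbound message from the gateway, with the internal domain list taken from the tenant's accepted domains.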

About

Abnormal Attack Stories are real world examples of attacks that we’ve seen in the wild.

Targeted Email Attack (screenshot)

Payload (screenshot)

Techniques to Detect (screenshot)