RAT malware is targeting Zoom, Skype and Google Meet users

Your passwords and credentials are at risk

Reading time icon 3 min. read


Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more

RAT malware on Zoom, Skype and Google Meet

Back in 2021, we reported about Remote Access Trojans (RAT) malware attacks delivered through email phishing attacks and it seems like it’s happening again. This time, the attackers who seem to be Russian, trigger other channels like Zoom, Skype and Google Meet.

From the Zscaler’s ThreatLabz security report, the threat actor spreads SpyNote RAT to Android users and NjRAT and DCRat to Windows users.

The RAT is downloaded from fake websites

According to the security firm study, this situation started in December 2023 and it is ongoing so you really need to be cautious on what apps and files you download.

Zscaler’s diagram explains how the scam unfolds. It all starts with visiting a fake download page for the aforementioned communication tools. When you click the download button for Android, you get a malicious APK, and when you click the download for Windows button, you get an infected BAT file.

If you execute the files on your phone or PC, you eventually download the RAT payload.

For instance, the fake join-skype[.]info website was created in early December for Skype malicious download while the online-cloudmeeting[.]pro fake website is mimicking the Google Meet download page.

In the same way, if you downloaded a file called updateZoom20243001bit.bat to install Zoom, your PC finally got a malicious payload in the form of ZoomDirectUpdate.exe, a WinRAR archive that contains the DCRat payload.

What happens if my device got infected with a RAT?

Eventually, the malicious batch script will run a PowerShell script, which, in turn, downloads and executes the remote access trojan.

That means that the attacker will have access to your device and will be able to steal passwords, accounts, credential, possibly getting to your credit card data and steal money from your accounts.

As you see, it’s very dangerous and you should check the legitimacy of the website you’re downloading an app from. We should also discuss how you got to the fake website in the first place. Maybe you have clicked on a link in a fake email that seemed like coming from Zoom, Skype or Google Meet offering you benefits or advertising a false update.

If your device is already infected, use a strong antivirus or reset your device to factory settings to remove the threat. If you didn’t download it yet, watch out for the tale tail signs to discover if the website is real or fake and always use the original source to get the app you need.

Did you download any of the apps above lately? Tell us all about that in the comments section below.

More about the topics: Cybersecurity, malware, Skype, zoom

User forum

0 messages