Fake Zoom installer tries to trick users into installing dangerous ransomware – here’s how to stay safe


Hackers are once again targeting Zoom users, using lookalike download sites to trick them into infecting their own PCs with ransomware.

As reported by Cybernews, security researchers at The DFIR Report have discovered a new campaign from the BlackSuit ransomware gang that impersonates the popular video conferencing software.

Instead of downloading Zoom directly from the official site, users are lured to a lookalike site where they download a fake installer that ultimately delivers the BlackSuit ransomware.

Once installed, the malware lies dormant for more than a week before it begins its malicious activity. After stealing and then encrypting sensitive personal and financial data on an infected PC, the hackers behind this campaign demand a ransom to unlock the files.

The BlackSuit ransomware is known to target schools, healthcare systems, law enforcement facilities and other critical services. In this campaign, a malicious loader is first downloaded to a victim's device, where it can hide from security tools and also disable Windows Defender.

Next, the loader fetches the address of its next-stage server from a Steam Community page and downloads both the genuine Zoom installer and the malicious payload. The payload injects itself into an MSBuild process and remains inactive for eight days before it begins its next round of malicious activity.

On the ninth day, it runs Windows commands to gather system information and deploys Cobalt Strike, a post-exploitation tool the attackers use to move laterally across the network. A tool called QDoor is also installed, which gives the attackers remote control of infected systems by routing their traffic through a domain controller.

The malware then compresses important files and exfiltrates them, and in its final step the BlackSuit ransomware is deployed across all Windows systems on the network. Files are encrypted and a ransom note is left on the now infected PCs.

How to stay safe


Since the BlackSuit ransomware is being spread from fake sites, the best way to avoid it is to make sure you are installing Zoom's video conferencing software only from the company's official site.

The malicious site in this campaign is reported to be zoommanager[.]com, which is quite different from the official Zoom download page at zoom[.]us/download. Check the full address in the browser's address bar before you run anything it gives you; a domain that merely contains the word "zoom" is not Zoom's.
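Checking the download address before running an installer, as an added example that is not part of the article or of The DFIR Report's research: this Python function accepts a URL, either live or defanged the way the indicators above are written, and returns True only when the host is zoom.us or one of its subdomains. That host list is this example's own assumption about what counts as official. The lookalike zoommanager.com, a host that merely contains the string "zoom.us", a non-HTTPS address, and a URL that hides the real host behind user@ all fail the check.

```python
from urllib.parse import urlsplit

# Assumed official download host, taken from the article's zoom[.]us/download.
# Any other host is untrusted, however Zoom-like it looks.
OFFICIAL_HOSTS = {"zoom.us"}


def refang(url: str) -> str:
    """Turn a defanged indicator such as hxxps://zoom[.]us into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def is_official_download(url: str) -> bool:
    """Return True only if the URL points at an official Zoom host over HTTPS.

    urlsplit().hostname strips userinfo, port and IPv6 brackets, so
    https://zoom.us@zoommanager.com/ resolves to zoommanager.com, not zoom.us.
    The match is exact or on a dot boundary, so zoom.us.zoommanager.com fails.
    """
    url = refang(url)
    if "://" not in url:
        # Bare hosts like zoom.us/download parse as a path without a scheme.
        url = "https://" + url
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    if not host or not host.isascii():
        # Empty host, or a Unicode lookalike (homoglyph) domain: reject.
        return False
    return any(
        host == official or host.endswith("." + official)
        for official in OFFICIAL_HOSTS
    )


if __name__ == "__main__":
    # Constructed sample inputs: the two domains from the article plus
    # a few lookalike tricks the check is meant to catch.
    samples = [
        "https://zoom.us/download",
        "zoom[.]us/download",
        "zoommanager[.]com",
        "https://zoom.us.zoommanager.com/download",
        "https://zoom.us@zoommanager.com/download",
        "http://zoom.us/download",
    ]
    for sample in samples:
        verdict = "official" if is_official_download(sample) else "UNTRUSTED"
        print(f"{verdict:9}  {sample}")
```

The check is deliberately strict: it compares the parsed host, not the raw string, and it does not try to "fix" a URL that fails. A link that fails this check should be discarded, and the software fetched by typing the vendor's address yourself.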

As well as downloading software only from the correct source, familiarize yourself with common phishing techniques and tricks so you can recognize them when you see them. You also want to install the best antivirus software on your computer and keep it updated in case anything gets past you, and make sure it covers all your devices.

Many of the top antivirus software suites also include features like a VPN or password manager that will provide an extra layer of protection as well.

Zoom isn't nearly as popular a lure with hackers as it was a few years ago, but given how widely the service is used, it remains an easy way to target unsuspecting users online. This is why you also have to be careful when downloading new software: instead of clicking on a link sent to you by someone else, or even one at the top of a search results page, it's always better to navigate to the software's download page directly.

Unfortunately, I doubt this is the last time we'll see hackers impersonating Zoom in their attacks though.


Amber Bouman
Senior Editor Security

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps. 
