Click, Install, Compromised: The New Wave of Zoom-Themed Attacks
A recent phishing campaign impersonates Zoom meeting invitations to trick users into downloading a malicious VBS script disguised as a software update. This script silently installs ConnectWise ScreenConnect, a legitimate RMM tool, granting attackers persistent remote access to the compromised system for potential follow-on attacks such as credential theft, lateral movement, or ransomware deployment.
Author: Cobi Aloia
Source: Cofense
- Domain: join-meeting-invite-id-567765[.]nasbv[.]site - Domain hosting the spoofed Zoom meeting landing page.
- IP: 104[.]21[.]56[.]35 - IP address resolving to the Stage 1 infection URL.
- IP: 172[.]67[.]176[.]105 - IP address resolving to the Stage 1 infection URL.
- IP: 212[.]11[.]64[.]45 - Payload hosting and Command & Control (C2) server for the ScreenConnect MSI.
- MD5: 9562334dd9a47ec1239a8667ddc1f01c - ScreenConnect client executable (ScreenConnect.WindowsClient.exe).
- MD5: b677ceaabb0be3911d1d3c80b1f84899 - Malicious VBS downloader script (_zoommeeting_Zoom_Installer_64_bit.exe.vbs).
- SHA256: 90247b84e192a582c5af8bc75c3a7611cc9621b4683a7ccb68901f4f22503e00 - Malicious VBS downloader script disguised as a Zoom installer update.
- SHA256: b80d07610b81bddb3d7f30a207a2e134b559e06b8440598a926f3a9c1d439218 - ScreenConnect client executable dropped by the MSI installer.
What Happened
Attackers are sending fake Zoom meeting email invitations that look very realistic. If a user clicks the link and joins the fake meeting, they are prompted to download a 'Zoom update' which is actually a malicious script. This script installs a legitimate remote management tool, giving the attackers full, hidden access to the victim's computer. Users should always verify meeting links and be extremely cautious of unexpected software update prompts.
Key Takeaways
- Threat actors are utilizing highly convincing, spoofed Zoom meeting pages to deliver malware.
- The campaign uses a fake 'Update Available' prompt to trick users into downloading a malicious VBS script disguised as a Zoom installer.
- The VBS script acts as a downloader for ConnectWise ScreenConnect, a legitimate Remote Monitoring and Management (RMM) tool.
- By abusing a legitimate RMM tool, attackers can establish persistent remote access, bypass traditional malware signatures, and facilitate follow-on attacks like ransomware.
Affected Systems
- Windows OS
Attack Chain
The attack begins with a plain-text phishing email containing a link to a spoofed Zoom meeting. Upon clicking, the victim interacts with a highly realistic fake Zoom interface that eventually prompts them to download a fake update, which is actually a VBS script. When executed, the VBS script uses MSXML2.ServerXMLHTTP to download a ConnectWise ScreenConnect MSI installer from a remote server to the user's %TEMP% directory. The script then silently executes the MSI using Windows Script Host, establishing persistent remote access for the attacker using the legitimate RMM tool.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide any specific detection rules or queries.
Detection Engineering Assessment
- EDR Visibility: High — EDR solutions should have high visibility into wscript.exe executing scripts, making network connections, dropping executable files into the %TEMP% directory, and subsequently launching msiexec.exe.
- Network Visibility: Medium — Network monitoring can detect the initial HTTP GET request to the payload IP, but subsequent ScreenConnect traffic may blend in with legitimate RMM traffic if the tool is not explicitly blocked or baselined.
- Detection Difficulty: Moderate — The use of a legitimate RMM tool (ScreenConnect) makes post-exploitation detection harder, as it relies on behavioral anomalies and application control policies rather than static malware signatures.
Required Log Sources
- Process Creation (Event ID 4688)
- File Creation (Sysmon Event ID 11)
- Network Connections
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for wscript.exe or cscript.exe creating .msi files in the %TEMP% directory, followed by the execution of msiexec.exe. | Process Creation, File Creation | Execution | Low |
| Evaluate whether ScreenConnect (ScreenConnect.WindowsClient.exe or ScreenConnect.ClientService.exe) is executing in environments where it is not an approved IT administration tool. | Process Creation | Command and Control | Medium |
Control Gaps
- Email filtering missing the initial plain-text phishing link.
- Lack of application control allowing unapproved RMM tools to execute.
Key Behavioral Indicators
- wscript.exe executing a .vbs file with a double extension (e.g., .exe.vbs).
- msiexec.exe installing ScreenConnect from the %TEMP% directory.
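A hunt over sample telemetry covering the two hypotheses in the table above and the behavioral indicators just listed, as an added example that is not part of the Cofense report: the Sysmon-style event shape (id 1 = process create, id 11 = file create), the sample events, the approved-host set and the 120-second correlation window are all constructed assumptions.

```python
"""Hunt for wscript.exe -> %TEMP%\\*.msi -> msiexec.exe and unapproved ScreenConnect clients (added example)."""
import re
from datetime import datetime

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RMM_CLIENTS = {"screenconnect.windowsclient.exe", "screenconnect.clientservice.exe"}
DOUBLE_EXT = re.compile(r"\.(exe|pdf|docx?|xlsx?)\.(vbs|js|wsf)\b", re.I)   # e.g. ".exe.vbs"
TEMP_MSI = re.compile(r"\\temp\\[^\\]+\.msi$", re.I)                      # .msi written under ...\Temp\

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def hunt(events, approved_rmm_hosts, window_sec=120):
    """Return (rule, host, detail) findings over Sysmon-style events: id 1 = process create, id 11 = file create."""
    findings = []
    pending_msi = {}  # (host, lower-cased .msi path) -> time a script host wrote it into %TEMP%
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, img = datetime.fromisoformat(e["ts"]), basename(e["image"])
        if e["id"] == 11 and img in SCRIPT_HOSTS and TEMP_MSI.search(e["target"]):
            pending_msi[(e["host"], e["target"].lower())] = ts
        elif e["id"] == 1:
            cmd = e.get("cmdline", "")
            if img in SCRIPT_HOSTS and DOUBLE_EXT.search(cmd):
                findings.append(("double_extension_script", e["host"], cmd))
            if img == "msiexec.exe":  # correlate with a recent script-dropped MSI on the same host
                for (host, msi), t0 in pending_msi.items():
                    if host == e["host"] and msi in cmd.lower() and 0 <= (ts - t0).total_seconds() <= window_sec:
                        findings.append(("script_dropped_msi_then_msiexec", host, msi))
            if img in RMM_CLIENTS and e["host"] not in approved_rmm_hosts:
                findings.append(("unapproved_rmm_client", e["host"], img))
    return findings

# Constructed sample telemetry mirroring the reported chain; these are not real log records.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:00:01", "id": 1, "host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\bob\Downloads\_zoommeeting_Zoom_Installer_64_bit.exe.vbs"'},
    {"ts": "2025-01-10T09:00:04", "id": 11, "host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\bob\AppData\Local\Temp\ScreenConnect.ClientSetup.msi"},
    {"ts": "2025-01-10T09:00:06", "id": 1, "host": "WS01", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\bob\AppData\Local\Temp\ScreenConnect.ClientSetup.msi" /qn'},
    {"ts": "2025-01-10T09:01:00", "id": 1, "host": "WS01", "cmdline": "ScreenConnect.WindowsClient.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.WindowsClient.exe"},
    {"ts": "2025-01-10T10:00:00", "id": 1, "host": "IT-ADMIN", "cmdline": "ScreenConnect.WindowsClient.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.WindowsClient.exe"},  # approved host
]
APPROVED_RMM_HOSTS = {"IT-ADMIN"}  # assumption: hosts where the RMM client is sanctioned
if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS, APPROVED_RMM_HOSTS):
        print(finding)
```

Against the sample events the hunt fires once per rule on WS01 and stays silent on the approved host; widening the approved set or shrinking the window suppresses the corresponding finding.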
False Positive Assessment
- Medium (ScreenConnect is a legitimate IT administration tool, so hunting for its presence may yield false positives if it is used legitimately by the organization or authorized third-party vendors.)
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider blocking the identified IPs and domains at the firewall or web proxy.
- If applicable, search endpoint telemetry for the execution of the identified VBS script or ScreenConnect binaries.
Infrastructure Hardening
- Evaluate implementing application control (e.g., AppLocker or WDAC) to block unauthorized RMM tools like ScreenConnect.
- Consider restricting the execution of script files (.vbs, .js) from user-writable directories like %TEMP%.
User Protection
- If your EDR supports it, ensure behavioral rules are enabled to detect script interpreters launching installers or making external network connections.
- Consider configuring email gateways to flag or quarantine emails containing links to newly registered or suspicious domains.
Security Awareness
- Educate users on the dangers of downloading software updates from unexpected pop-ups, even if they appear to be from trusted brands like Zoom.
- Train employees to verify the sender address and URL of meeting invitations before clicking or downloading files.
MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link
- T1059.005 - Command and Scripting Interpreter: Visual Basic
- T1219 - Remote Access Software
- T1036.005 - Masquerading: Match Legitimate Name or Location
Additional IOCs
- IPs:
  - 104[.]21[.]56[.]35 - IP address resolving to the Stage 1 infection URL.
  - 172[.]67[.]176[.]105 - IP address resolving to the Stage 1 infection URL.
- Domains:
  - join-meeting-invite-id-567765[.]nasbv[.]site - Domain hosting the spoofed Zoom meeting landing page.
- URLs:
  - hxxp://212[.]11[.]64[.]45/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest&c=zoom%20link&c=zoom&c=&с=&c=&c=&c=&c=&c= - Stage 2 payload URL hardcoded in the VBS script to download the ScreenConnect MSI.
  - hxxp://212[.]11[.]64[.]45/ - Stage 2 Command & Control URL.
- File Hashes:
  - B677CEAABB0BE3911D1D3C80B1F84899 (MD5) - Malicious VBS downloader script (_zoommeeting_Zoom_Installer_64_bit.exe.vbs).
  - 9562334dd9a47ec1239a8667ddc1f01c (MD5) - ScreenConnect client executable (ScreenConnect.WindowsClient.exe).
- File Paths:
  - %TEMP%\ScreenConnect.ClientSetup.msi - Location where the VBS script saves the downloaded ScreenConnect installer.
  - _zoommeeting_Zoom_Installer_64_bit.exe.vbs - Filename of the malicious VBS downloader script.
- Command Lines:
  - WshShell.Run - Purpose: Executes the downloaded MSI installer silently. Tools: wscript.exe, msiexec.exe. Stage: Execution.