Beware of Fake Zoom Client Downloads Granting Attackers Access to Your Computer


In the wake of the COVID-19 pandemic, collaborative tools like Microsoft Teams, Zoom, and WebEx have become indispensable for remote work, enabling seamless communication with colleagues and clients.

However, their widespread adoption has also made them prime targets for cybercriminals.

A recent phishing campaign exploiting the popularity of Zoom has surfaced, tricking users into downloading malicious software under the guise of a legitimate update.


This attack, delivered via a deceptive email invitation for a Zoom meeting, highlights the evolving tactics attackers use to exploit trust in widely used platforms.

Phishing Campaign Targets Remote Workers

The attack begins with a seemingly innocuous email containing a fake Zoom meeting invitation.

[Image: fake Zoom meeting invitation email]

Clicking the “Join” button redirects the user to an HTML page (not itself malicious) that prompts them to install the latest Zoom client.

This social engineering tactic preys on the urgency to stay updated, a common requirement for such tools.

However, clicking the download button delivers a malicious executable named “Session.ClientSetup.exe” (SHA256: f5e467939f8367d084154e1fefc87203e26ec711dbfa83217308e4f2be9d58be).

According to the report, this file acts as a downloader, deploying a far more insidious payload onto the victim’s system.

It silently drops an MSI package to a temporary directory (C:\Users\admin\AppData\Local\Temp\ScreenConnect\25.2.4.9229\84cae30d9bf18843\ScreenConnect.ClientSetup.msi) and executes it using the Windows installer (msiexec.exe) with the command: “C:\Windows\System32\msiexec.exe” /i [path_to_MSI].

This automated installation process ensures the malware embeds itself without raising immediate suspicion.

From Innocent Click to Full System Compromise

Once installed, the tool launches as “ScreenConnect.ClientService.exe” and is configured to run as a persistent service, ensuring long-term access for the attacker.

ScreenConnect, a legitimate remote access tool often used for IT support, is weaponized in this context to grant attackers unrestricted access to the compromised system.

The client is configured to connect to a command-and-control (C2) server at tqtw21aa[.]anondns[.]net (IP: 151[.]242[.]63[.]139) on port 8041, giving the attacker remote communication with and control over the infected machine.

Encrypted parameters within the execution string further obscure the attacker’s intentions, making detection challenging without deep analysis.
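The chain described above (a non-installer parent launching msiexec.exe against a ScreenConnect client MSI staged under %TEMP%, followed by ScreenConnect.ClientService.exe connecting to an unapproved relay) can be turned into detection logic. The following is an added example, not code from the article or from any vendor: it runs three rules over a handful of constructed process, file and network events in a simplified `type|key=value` format of my own, using the hash, domain, IP and port quoted in the article as indicators. The allowlists of approved deployment tools and ScreenConnect relay hosts are placeholders an organisation would fill in itself.

```python
"""Detect the fake-Zoom -> ScreenConnect chain in endpoint telemetry.

Added example. The event format below is constructed for illustration;
field names are hypothetical and not any product's real schema.
"""
import re
from pathlib import PureWindowsPath

# Indicators quoted in the article (defanged there; kept literal here for matching).
KNOWN_DROPPER_SHA256 = "f5e467939f8367d084154e1fefc87203e26ec711dbfa83217308e4f2be9d58be"
KNOWN_C2_HOSTS = {"tqtw21aa.anondns.net", "151.242.63.139"}
KNOWN_C2_PORT = 8041

# Placeholder allowlists (assumed values): sanctioned software-deployment parents
# for msiexec, and the ScreenConnect relay hosts the organisation actually uses.
APPROVED_MSI_PARENTS = {"sccm-client.exe", "intune-management-extension.exe"}
APPROVED_SC_RELAYS = {"support.corp.example"}

# ScreenConnect client MSI staged under %TEMP%\ScreenConnect\<version>\<id>\ ,
# the location the article reports for the dropped package.
SC_TEMP_MSI = re.compile(
    r"\\AppData\\Local\\Temp\\ScreenConnect\\[^\\]+\\[^\\]+\\ScreenConnect\.ClientSetup\.msi",
    re.IGNORECASE,
)


def parse_event(line):
    """Parse 'type|key=value|key=value' into a dict (constructed format)."""
    kind, *fields = line.strip().split("|")
    event = {"type": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def basename(path):
    """Lower-cased file name of a Windows path (empty string if no path)."""
    return PureWindowsPath(path).name.lower()


def check_event(event):
    """Return an alert dict for one event, or None if no rule matched."""
    kind = event["type"]

    # Rule 1: the dropper itself, by the hash published in the article.
    if kind == "file" and event.get("sha256", "").lower() == KNOWN_DROPPER_SHA256:
        return {"rule": "known_dropper_hash", "severity": "critical",
                "detail": event.get("path", "")}

    # Rule 2: msiexec installing a ScreenConnect client MSI from %TEMP%,
    # launched by something other than an approved deployment tool.
    if kind == "proc" and basename(event.get("image", "")) == "msiexec.exe":
        cmd = event.get("cmd", "")
        if "/i" in cmd.lower() and SC_TEMP_MSI.search(cmd):
            parent = basename(event.get("parent", ""))
            if parent not in APPROVED_MSI_PARENTS:
                return {"rule": "screenconnect_msi_unapproved_parent",
                        "severity": "high", "detail": f"parent={parent}"}

    # Rule 3: the installed ScreenConnect service talking to a relay that is
    # either a published C2 indicator or simply not one of ours.
    if kind == "net" and basename(event.get("image", "")) == "screenconnect.clientservice.exe":
        dst = event.get("dst", "").lower()
        detail = f"dst={dst}:{event.get('dport', '')}"
        if dst in KNOWN_C2_HOSTS:
            return {"rule": "screenconnect_known_c2", "severity": "critical", "detail": detail}
        if dst not in APPROVED_SC_RELAYS:
            return {"rule": "screenconnect_unapproved_relay", "severity": "high", "detail": detail}

    return None


def detect(lines):
    """Run every rule over every event line; return the list of alerts in order."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = check_event(parse_event(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry: the reported chain, plus benign look-alikes.
SAMPLE_EVENTS = [
    r"file|path=C:\Users\admin\Downloads\Session.ClientSetup.exe|sha256=" + KNOWN_DROPPER_SHA256,
    r'proc|parent=C:\Users\admin\Downloads\Session.ClientSetup.exe|image=C:\Windows\System32\msiexec.exe'
    r'|cmd="C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\ScreenConnect'
    r'\25.2.4.9229\84cae30d9bf18843\ScreenConnect.ClientSetup.msi',
    r"net|image=C:\Program Files (x86)\ScreenConnect Client (constructed-id)\ScreenConnect.ClientService.exe"
    r"|dst=tqtw21aa.anondns.net|dport=8041",
    # Benign: a user-driven MSI install and the organisation's own relay; neither should alert.
    r"proc|parent=C:\Windows\explorer.exe|image=C:\Windows\System32\msiexec.exe|cmd=msiexec /i C:\Users\admin\Downloads\7z.msi",
    r"net|image=C:\Program Files (x86)\ScreenConnect Client (constructed-id)\ScreenConnect.ClientService.exe"
    r"|dst=support.corp.example|dport=443",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['rule']}: {alert['detail']}")
```

Rule 2 is the one worth keeping even after the published indicators go stale: a legitimate ScreenConnect deployment stages the same MSI in the same %TEMP% location, so the signal is the parent process, not the path. Tune APPROVED_MSI_PARENTS to the tools that really push software in your environment, and expect to review hits from ad-hoc IT support installs.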

This setup not only compromises the victim’s privacy but also opens the door to data theft, ransomware deployment, or further network infiltration.

This incident underscores the critical need for vigilance when interacting with unsolicited emails or download prompts, even those tied to trusted platforms like Zoom.

Cybercriminals are increasingly leveraging HTML-based phishing tactics and legitimate tools like ScreenConnect to bypass traditional security measures.

To protect against such threats, users should verify the authenticity of any meeting invitation or software update through official channels before taking action.

Employing endpoint protection solutions like Microsoft Defender for Endpoint, regularly updating software, and educating employees about phishing tactics are essential steps in mitigating these risks.

As remote work continues to shape the modern workplace, staying ahead of such sophisticated attacks requires both technical defenses and a healthy dose of skepticism toward unexpected digital interactions.
