Threat actors are using phony meeting invites for Zoom, Microsoft Teams, Google Meet, and other video conferencing applications to trick users into installing remote monitoring and management (RMM) tools, according to researchers at Netskope.
The invites lead to convincingly spoofed landing pages for fake video meetings, complete with a list of coworkers who have supposedly already joined the call. The page instructs the user to install a software update in order to join the video meeting.
“The payload, disguised as a software update, is a digitally signed remote monitoring and management (RMM) tool such as Datto RMM, LogMeIn, or ScreenConnect,” the researchers write. “These tools enable attackers to remotely access victims’ machines and gain full administrative control over their endpoints, potentially leading to data theft or the deployment of more destructive malware.”
Since the meeting appears to have already started, users are more likely to ignore red flags and quickly install the phony update.
“As victims attempt to join the call, they are presented with a notification indicating that their application is out of date or incompatible,” Netskope says. “To proceed, victims must download and execute a provided ‘update’ before being allowed to join. By framing the malicious payload as a critical technical fix for a legitimate business task, attackers increase the likelihood that users will manually bypass security warnings in order to avoid missing the session.”
These RMM tools have legitimate uses and are digitally signed, so they’re more likely to evade detection by security tools.
“By deploying legitimate, digitally signed RMM tools rather than custom malware, the attackers can blend in with standard corporate traffic,” the researchers write. “These tools can be pre-approved in enterprise environments, allowing the attackers to bypass signature-based security controls and gain a persistent administrative foothold without raising immediate alarms.”
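Because a valid signature and a pre-approved product name do not separate this lure from a sanctioned install, a defender has to check delivery context instead. The sketch below is an added example, not code from Netskope or KnowBe4; the product names are from the article, while the event fields, `deploy-agent.exe`, and the sample events are constructed assumptions.

```python
# Triage process-creation events for signed RMM agents that arrive as a
# fake meeting-client "update". Event field names are assumptions.
RMM_PRODUCTS = ("datto rmm", "logmein", "screenconnect")  # named in the article
MEETING_WORDS = ("zoom", "teams", "meet")  # brands the lure imitates
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def triage(event, approved_rmm=()):
    """Return the reasons an event matches the lure, or [] if it does not."""
    product = event["product"].lower()
    rmm = next((p for p in RMM_PRODUCTS if p in product), None)
    if rmm is None:
        return []  # not an RMM agent, so out of scope for this check
    name = event["file_name"].lower()
    reasons = []
    if any(word in name for word in MEETING_WORDS):
        reasons.append("file name claims a meeting app, product is " + rmm)
    if event["parent"].lower() in BROWSERS:
        reasons.append("started from a browser download")
    if rmm not in approved_rmm:
        reasons.append(rmm + " is not an approved RMM tool here")
    # event["signed"] is deliberately ignored: every sample is validly signed.
    return reasons


SAMPLE_EVENTS = [  # constructed for illustration
    # Lure: RMM agent renamed as a meeting update, run from the browser.
    {"file_name": "ZoomUpdate_Installer.exe", "product": "ScreenConnect Client",
     "parent": "msedge.exe", "signed": True},
    # Sanctioned install pushed by a hypothetical deployment agent.
    {"file_name": "ScreenConnect.ClientSetup.exe", "product": "ScreenConnect Client",
     "parent": "deploy-agent.exe", "signed": True},
    # Genuine meeting client downloaded by the user.
    {"file_name": "TeamsSetup.exe", "product": "Microsoft Teams",
     "parent": "chrome.exe", "signed": True},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["file_name"], "->", triage(ev, approved_rmm=("screenconnect",)))
```

Even with ScreenConnect on the approved list, the first event is still flagged, because the file name and browser parent contradict how an approved agent would normally be deployed.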
AI-powered security awareness training can give your organization an essential layer of defense by teaching your employees how to recognize social engineering attacks. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.
Netskope has the story.
