A Sophisticated Nine-Day Attack Unfolds
Cybersecurity researchers have uncovered a sophisticated ransomware attack that originated from a fake Zoom installer and ultimately led to the deployment of the BlackSuit ransomware. This complex intrusion, which lasted nine days, showcased advanced tactics used by cybercriminals, including multi-stage malware frameworks, credential theft, and lateral movement techniques.
The attack serves as a reminder of how modern threat actors leverage legitimate tools and cloud services to remain undetected while maximizing their damage. Below is a breakdown of how this incident unfolded and what organizations can learn from it.
How the BlackSuit Ransomware Attack Happened
Step 1: Initial Access – Fake Zoom Installer
- A victim unknowingly downloaded a malicious Zoom installer from a cloned website, zoommanager[.]com.
- The installer, created using Inno Setup, delivered a multi-stage malware called “d3f@ckloader”.
- A batch script modified Windows Defender settings to exclude certain folders, making detection more difficult.
Step 2: Malware Deployment and Persistence
- The malware retrieved an IP address from a Steam community profile to download its next stage.
- Two ZIP files were downloaded:
  - One contained a legitimate Zoom installer to maintain the illusion of legitimacy.
  - The other carried malicious tools, including IDAT loader and an encrypted SectopRAT payload.
Step 3: Escalation and Lateral Movement
- By the ninth day, attackers executed Brute Ratel and Cobalt Strike beacons for privilege escalation and network traversal.
- Using Cobalt Strike’s pass-the-hash module, they attempted to extract credentials from LSASS.
- They moved laterally through the network using PowerShell scripts and the psexec_psh feature, quickly infecting multiple machines.
- The hackers leveraged QDoor, a proxy tool, to gain Remote Desktop Protocol (RDP) access to critical systems.
Step 4: Data Theft and Ransomware Execution
- The attackers used WinRAR to compress sensitive data from file shares and uploaded it to Bublup, a cloud storage service.
- To prepare for the final phase, they downloaded BlackSuit ransomware, along with scripts for mass deployment.
- Using PsExec, they executed BlackSuit across multiple endpoints.
- The ransomware deleted Volume Shadow Copies (preventing data recovery) before encrypting files and leaving ransom notes.
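Each of the four steps above leaves a footprint in ordinary endpoint telemetry. The following is an added example, not code from the original article or the cited report: a small rule set run over constructed Sysmon-style process-creation (Event ID 1) and process-access (Event ID 10) records and a Microsoft Defender Operational configuration-change record (Event ID 5007), flagging the Defender exclusion change from Step 1, LSASS access from Step 3, PsExec remote execution and share archiving from Steps 3 and 4, and shadow-copy deletion from Step 4. The field names (`image`, `cmdline`, `source_image`, `target_image`, `message`) are an assumed SIEM normalisation, and every event, host name and timestamp is constructed sample data.

```python
import re

# Constructed sample telemetry (not real logs from the incident). Each record is
# what a SIEM might normalise out of Sysmon Event ID 1 (process creation),
# Sysmon Event ID 10 (process access) or Defender Operational Event ID 5007
# (antimalware configuration changed). Field names are an assumption.
SAMPLE_EVENTS = [
    {"ts": "T+0d 09:12:04", "host": "WS-101", "source": "sysmon", "event_id": 1,
     "image": "C:\\Users\\jdoe\\Downloads\\ZoomInstaller.exe",
     "cmdline": "ZoomInstaller.exe /SILENT"},
    {"ts": "T+0d 09:12:09", "host": "WS-101", "source": "defender", "event_id": 5007,
     "message": "Microsoft Defender Antivirus Configuration has changed. New value: "
                "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
                "C:\\Users\\jdoe\\AppData\\Local\\Temp = 0x0"},
    {"ts": "T+8d 14:02:11", "host": "WS-101", "source": "sysmon", "event_id": 10,
     "source_image": "C:\\Windows\\Temp\\svc.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe"},
    {"ts": "T+8d 14:30:45", "host": "FS-01", "source": "sysmon", "event_id": 1,
     "image": "C:\\Windows\\PSEXESVC.exe", "cmdline": "C:\\Windows\\PSEXESVC.exe"},
    {"ts": "T+8d 15:10:02", "host": "WS-101", "source": "sysmon", "event_id": 1,
     "image": "C:\\Program Files\\WinRAR\\Rar.exe",
     "cmdline": "Rar.exe a -r C:\\Temp\\out.rar \\\\FS-01\\Finance\\"},
    {"ts": "T+8d 22:41:00", "host": "FS-01", "source": "sysmon", "event_id": 1,
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    # Benign noise the rules must not flag: a read-only vssadmin query and a
    # normal OS process opening lsass.exe.
    {"ts": "T+1d 08:00:00", "host": "WS-102", "source": "sysmon", "event_id": 1,
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"ts": "T+1d 08:00:05", "host": "WS-102", "source": "sysmon", "event_id": 10,
     "source_image": "C:\\Windows\\System32\\csrss.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe"},
]

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def defender_exclusion_added(ev) -> bool:
    # Step 1: the dropper's batch script added Defender folder exclusions, which
    # Defender itself records as a configuration change under Exclusions\Paths.
    return (ev["source"] == "defender" and ev["event_id"] == 5007
            and "\\exclusions\\" in ev["message"].lower())

# Processes that legitimately open lsass.exe; the list is an assumption and
# must be tuned per environment.
LSASS_READERS = {"csrss.exe", "wininit.exe", "lsm.exe", "msmpeng.exe", "svchost.exe", "wmiprvse.exe"}

def lsass_access_from_unusual_process(ev) -> bool:
    # Step 3: credential theft needs a handle to LSASS; flag any opener
    # outside the expected set.
    return (ev["source"] == "sysmon" and ev["event_id"] == 10
            and _basename(ev["target_image"]) == "lsass.exe"
            and _basename(ev["source_image"]) not in LSASS_READERS)

def psexec_service_started(ev) -> bool:
    # Steps 3 and 4: PsExec remote execution installs PSEXESVC.exe on the target.
    return (ev["source"] == "sysmon" and ev["event_id"] == 1
            and _basename(ev["image"]) == "psexesvc.exe")

def archiver_reading_network_share(ev) -> bool:
    # Step 4: WinRAR invoked against a UNC path is staging data from file shares.
    return (ev["source"] == "sysmon" and ev["event_id"] == 1
            and _basename(ev["image"]) in {"rar.exe", "winrar.exe"}
            and "\\\\" in ev["cmdline"])

SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)

def shadow_copies_deleted(ev) -> bool:
    # Step 4: inhibiting recovery immediately precedes encryption.
    return (ev["source"] == "sysmon" and ev["event_id"] == 1
            and bool(SHADOW_DELETE.search(ev["cmdline"])))

RULES = [
    ("defender_exclusion_added", "Step 1", defender_exclusion_added),
    ("lsass_access_from_unusual_process", "Step 3", lsass_access_from_unusual_process),
    ("psexec_service_started", "Step 3/4", psexec_service_started),
    ("archiver_reading_network_share", "Step 4", archiver_reading_network_share),
    ("shadow_copies_deleted", "Step 4", shadow_copies_deleted),
]

def run_rules(events):
    """Return one alert per (event, rule) match, in event order."""
    alerts = []
    for ev in events:
        for name, step, rule in RULES:
            if rule(ev):
                alerts.append({"ts": ev["ts"], "host": ev["host"], "rule": name, "step": step})
    return alerts

def hosts_with_multiple_stages(alerts, minimum=2):
    """Hosts on which more than one distinct stage fired: the point at which
    isolated alerts become an incident worth escalating."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).add(a["rule"])
    return sorted(h for h, rules in seen.items() if len(rules) >= minimum)

if __name__ == "__main__":
    alerts = run_rules(SAMPLE_EVENTS)
    for a in alerts:
        print(f'{a["ts"]}  {a["host"]:<7} {a["step"]:<8} {a["rule"]}')
    print("escalate:", hosts_with_multiple_stages(alerts))
```

The point of `hosts_with_multiple_stages` is that the Step 1 exclusion change alone is easy to dismiss as admin activity; the same host later touching LSASS and archiving a share is not. Correlating stages per host is what turns a nine-day intrusion into something caught on day one rather than day nine.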
What Undercode Says: Analyzing the Attack
This case highlights several critical trends in modern ransomware operations:
1. Multi-Stage, Multi-Vector Attacks
Unlike simple ransomware attacks of the past, modern campaigns unfold over several days, utilizing multiple techniques to evade detection. The combination of a fake installer, RATs (Remote Access Trojans), Cobalt Strike, and custom ransomware made this attack particularly difficult to stop.
2. Use of Legitimate Tools for Malicious Purposes
Threat actors increasingly leverage tools used by security professionals. Cobalt Strike, Brute Ratel, and PsExec were all designed for network administration and red teaming but are now being exploited by ransomware gangs.
3. Cloud Storage as an Exfiltration Method
Instead of setting up dedicated servers, attackers used Bublup (a legitimate cloud storage service) to exfiltrate data. This makes it harder for security teams to block transfers since it blends with normal network traffic.
4. Credential Theft is a Key Component
The use of pass-the-hash techniques to extract credentials from LSASS shows how attackers focus on obtaining admin access before launching ransomware. Once they control high-privilege accounts, stopping them becomes extremely difficult.
5. Ransomware Deployment is the Last Step, Not the First
Traditionally, ransomware attacks were brute-force attempts to encrypt systems immediately after gaining access. Today, ransomware is the final phase of a much larger attack chain, deployed only after extensive data theft and system compromise.
Defenders Must Focus on Prevention, Not Just Detection
By the time ransomware is executed, it is too late for most organizations to respond effectively. Security teams should focus on:
- Blocking phishing & fake installers – Enforcing strict software download policies.
- Network segmentation – Limiting lateral movement possibilities.
- Strong endpoint security – Detecting malware loaders before they deploy secondary payloads.
- Credential monitoring – Preventing privilege escalation with multi-factor authentication (MFA).
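The first item, a strict software download policy, is the control that would have stopped this chain at Step 1, since the installer came from zoommanager[.]com rather than a vendor-owned host. The following is an added example, not code from the original article: a policy check a proxy or egress gateway could apply to installer downloads, allowing vendor-owned domains from an allow-list, blocking hosts that carry a vendor brand name without being on that list, and routing everything else for review. The allow-list contents, the proxy log format and the sample URLs are constructed for the example; a production version would resolve registrable domains with the Public Suffix List rather than the two-label simplification used here.

```python
from urllib.parse import urlparse

# Assumed allow-list of vendor-owned download hosts, keyed by the brand name
# that lookalike domains tend to reuse. Constructed for the example; populate
# it from vendor documentation, never from search results.
VENDOR_HOSTS = {
    "zoom": {"zoom.us", "zoom.com"},
    "microsoft": {"microsoft.com", "windows.com"},
}
INSTALLER_EXTENSIONS = (".exe", ".msi", ".dmg", ".pkg")

def registrable_domain(host: str) -> str:
    # Simplification: the last two labels. Real deployments need the Public
    # Suffix List to handle multi-label suffixes such as co.uk.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def classify_download(url: str):
    """Return (verdict, reason) for one URL: allow, block or review."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not parsed.path.lower().endswith(INSTALLER_EXTENSIONS):
        return "allow", "not an installer"
    domain = registrable_domain(host)
    # Compare on the host with separators stripped so zoom-manager and
    # zoommanager are treated the same way.
    flat_host = host.replace("-", "").replace("_", "")
    for brand, hosts in VENDOR_HOSTS.items():
        if domain in hosts:
            return "allow", f"vendor host for {brand}"
        if brand in flat_host:
            return "block", f"'{brand}' in non-vendor host {host}"
    return "review", f"installer from unlisted host {host}"

# Constructed proxy log lines: "user url". Not real traffic from the incident.
SAMPLE_PROXY_LOG = """\
jdoe https://zoommanager.com/download/ZoomInstaller.exe
jdoe https://zoom.us/client/latest/ZoomInstaller.exe
asmith https://cdn.zoom.us/prod/ZoomInstallerFull.msi
asmith https://zoom-update-center.net/Zoom.msi
bkim https://example-tools.org/util/tool.exe
bkim https://zoommanager.com/index.html
"""

def audit_proxy_log(log_text: str):
    """Classify each line; return {verdict: [(user, url), ...]}."""
    results = {"allow": [], "block": [], "review": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, url = line.split(None, 1)
        verdict, _reason = classify_download(url)
        results[verdict].append((user, url))
    return results

if __name__ == "__main__":
    for verdict, hits in audit_proxy_log(SAMPLE_PROXY_LOG).items():
        for user, url in hits:
            print(f"{verdict:<6} {user:<8} {url}  ({classify_download(url)[1]})")
```

The brand-keyword rule is deliberately coarse: it will block a legitimate third party whose name happens to contain "zoom", which is the correct failure mode for a control that exists to stop a user from running an installer from a cloned site. Such false positives go to the review queue as exceptions rather than weakening the rule.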
Fact Checker Results
- The attack did not involve a vulnerability in Zoom itself, only a fake installer mimicking the app.
- Bublup was legitimately used for exfiltration, but no evidence suggests the service was compromised.
- BlackSuit ransomware is a new variant, but its techniques resemble older ransomware families like Royal and Conti.
This attack underscores the growing sophistication of ransomware groups and the need for proactive security strategies. Organizations must stay vigilant, as cybercriminals continue to refine their methods.
References:
Reported By: https://cyberpress.org/hackers-exploit-zoom-installer-to-gain-rdp-access/