Attack Chain

1. The victim receives a phishing email impersonating a Zoom meeting invitation, containing a hyperlink to a spoofed Zoom-branded landing page.
2. Upon clicking the link, the victim is redirected to a fake Zoom meeting page designed to mimic a legitimate Zoom interface.
3. The fake meeting page plays a distorted audio track to simulate a real meeting environment and requests microphone access.
4. After a few seconds, a popup appears, falsely notifying the user that a Zoom update is available and automatically downloaded.
5. The victim is redirected to a separate page with instructions to run the downloaded “update”, a VBS file named “_zoommeeting_Zoom_installer_64_bit.exe.vbs”.
6. The VBS file, when executed via Windows Script Host, downloads the ScreenConnect installer (ScreenConnect.ClientSetup.msi) from a hardcoded URL (212[.]11[.]64[.]45) to the user’s %TEMP% directory.
7. The ScreenConnect installer is launched in a hidden window, installing the remote access tool on the victim’s system.
8. Attackers leverage ScreenConnect for credential theft, internal reconnaissance, lateral movement, and potential deployment of secondary payloads, such as ransomware.

Impact

Successful exploitation leads to the installation of ConnectWise ScreenConnect, granting attackers persistent remote access to the victim’s system. This access allows attackers to perform credential theft, internal reconnaissance, lateral movement within the network, and the potential deployment of secondary payloads, such as ransomware. The use of a legitimate RMM tool like ScreenConnect allows attackers to blend malicious activity with expected enterprise administration behavior, making detection more difficult.

Recommendation

• Block the malicious domains and IP addresses associated with the phishing campaign at the network level to prevent initial access (IOC table: nasbv[.]site, 104[.]21[.]56[.]35, 172[.]67[.]176[.]105, 212[.]11[.]64[.]45).
• Implement endpoint detection rules to identify the execution of VBS scripts downloading and launching MSI installers from unusual locations like the %TEMP% directory (see Sigma rule: “Detect Suspicious VBScript Downloading MSI”).
• Monitor for the installation and execution of ConnectWise ScreenConnect from unexpected sources, specifically when initiated by a VBScript process (see Sigma rule: “Detect ScreenConnect Installation via VBScript”).
• Implement application control policies to restrict the execution of VBScripts from the %TEMP% directory to prevent the execution of the malicious downloader.
• Educate users about the risks of social engineering attacks and the importance of verifying software update prompts, especially those delivered through web pages.