How Fake Zoom Updates Steal Your Data with Teramind Spyware

Malicious actors are exploiting trust in video conferencing tools to deploy surveillance software. A recent campaign used a convincing fake Zoom waiting room to silently install Teramind monitoring software on Windows machines. Despite takedowns, attackers have expanded their tactics to impersonate Google Meet, using identical payloads with new infrastructure.

Technical Breakdown of the Fake Zoom Update Campaign

Zoom Variant Takedown and Google Meet Expansion

The original fake Zoom campaign at uswebzoomus[.]com was suspended after community reporting. However, attackers quickly pivoted to a Google Meet variant at googlemeetinterview[.]click, using the same malicious installer but with a different domain and server infrastructure.

How the Malicious Installer Works

  • Both variants use a byte-for-byte identical MSI file (MD5: AD0A22E393E9289DEAC0D8D95D8118B5).
  • The installer extracts a 40-character instance ID from its filename to configure the Teramind agent.
  • A .NET custom action in the MSI dynamically sets the TMINSTANCE property during installation.

Infrastructure and Evasion Tactics

Server and Domain Differences

The Zoom variant used Apache/2.4.58 on Ubuntu, while the Google Meet variant runs on LiteSpeed servers. This infrastructure switch suggests attackers anticipated takedowns and pre-positioned fallback domains.

Installation Behavior Analysis

During live detonation, the installer performs four critical actions:

  1. ReadPropertiesFromMsiName: Parses the filename for the instance ID.
  2. CheckAgent: Verifies if Teramind is already installed.
  3. ValidateParams: Confirms configuration parameters.
  4. CheckHosts: Attempts to connect to rt.teramind.co; the installation aborts if this host cannot be reached.

Why This Matters for Users

The campaign exploits legitimate enterprise software for surveillance. Teramind itself has disavowed any involvement, emphasizing that its tools are designed for authorized use. However, attackers abuse the software’s configuration mechanism to create unique instances for each victim.

Protection Strategies

  • Verify software downloads only from official sources.
  • Monitor network traffic for unexpected connections to rt.teramind.co.
  • Use endpoint detection tools to flag suspicious MSI installations.
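As an added defender-side example (not code from this write-up, from Teramind, or from the campaign), the Python below turns the indicators given above into one triage routine: the reported MSI hash, the 40-character instance ID the installer reads from its filename, and the rt.teramind.co connection made by the CheckHosts step. The filename layout is an assumption, since only the ID's length is stated above; the sample filename and proxy log lines are constructed.

```python
import hashlib
import re

# Indicators quoted in the write-up above.
KNOWN_MSI_MD5 = "ad0a22e393e9289deac0d8d95d8118b5"
AGENT_HOST = "rt.teramind.co"

# Assumption: the write-up only gives the ID's length (40 characters); this
# pattern treats it as an alphanumeric token set off by "_" , "." or similar.
INSTANCE_ID_RE = re.compile(r"(?<![0-9A-Za-z])([0-9A-Za-z]{40})(?![0-9A-Za-z])")


def extract_instance_id(filename):
    """Return the 40-character token embedded in an MSI filename, or None."""
    match = INSTANCE_ID_RE.search(filename)
    return match.group(1) if match else None


def md5_matches_known_sample(data):
    """True when the file bytes hash to the MD5 reported for the dropper."""
    return hashlib.md5(data).hexdigest() == KNOWN_MSI_MD5


def triage_msi(filename, data):
    """Collect the reasons an MSI download should be escalated for review."""
    findings = []
    if md5_matches_known_sample(data):
        findings.append("MD5 matches the known Teramind dropper")
    if filename.lower().endswith(".msi") and extract_instance_id(filename):
        findings.append("filename carries a 40-character instance ID")
    return findings


def flag_agent_connections(log_lines):
    """Return log lines recording a connection to the Teramind relay host."""
    return [line for line in log_lines if AGENT_HOST in line.lower()]


# Constructed sample data (not from the campaign): a Zoom-themed MSI name with
# a fake 40-character ID, and three proxy log lines, one hitting the relay.
SAMPLE_MSI_NAME = "ZoomUpdate_" + "a1b2c3d4e5" * 4 + ".msi"
SAMPLE_LOG_LINES = [
    "10:00:01 10.0.0.5 CONNECT zoom.us:443 allowed",
    "10:00:09 10.0.0.5 CONNECT rt.teramind.co:443 allowed",
    "10:00:12 10.0.0.5 CONNECT meet.google.com:443 allowed",
]

if __name__ == "__main__":
    print(triage_msi(SAMPLE_MSI_NAME, b"not the real installer bytes"))
    print(flag_agent_connections(SAMPLE_LOG_LINES))
```

In production the hash check would run over the downloaded file's bytes and the connection check over proxy, DNS or Sysmon network events; a hit on rt.teramind.co from a host with no sanctioned Teramind deployment is the signal to investigate.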