
Teramind stealthily spread via Zoom, Google Meet-spoofing phishing schemes


Windows systems have been covertly compromised with the legitimate Teramind endpoint monitoring software, repurposed for unauthorized surveillance, as part of advanced phishing campaigns spoofing Zoom and Google Meet, GBHackers News reports.

Malicious landing pages, such as the now-defunct uswebzoomus[.]com and the still-active googlemeetinterview[.]click, have been used by threat actors to display a phony Microsoft Store page that quietly delivers an installer for the legitimate software, an analysis from Malwarebytes showed. The Teramind binary itself is unmodified; instead, the installer reads a 40-character hex string embedded in its own filename, from which the attacker's instance ID is extracted, tying the installed agent to the attacker's Teramind instance. Once installed, the agent hides all of its taskbar icons and program-list entries to conceal the ongoing surveillance.

Because the MSI exposes Teramind's built-in SOCKS5 proxy support, the attackers can mask command-and-control traffic, and a pair of services configured to restart automatically provides persistence. To hunt for the threat, researchers advise checking for a GUID-named directory under ProgramData, watching for the tsvchst and pmon services, and looking for the tm_filter.sys and tmfsdrv2.sys kernel drivers. Since Teramind is legitimate software, any hit should be checked against the organization's sanctioned deployments before it is treated as a compromise.
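The following triage script is an added example, not code from the article, Malwarebytes, GBHackers or Teramind. It hunts for the artifacts named above (the tsvchst and pmon services and their restart-on-failure configuration, the tm_filter.sys and tmfsdrv2.sys drivers, a GUID-named directory under ProgramData, an installer filename carrying a 40-character hex instance ID, and cached DNS entries for the two landing-page domains). The installer search locations (Downloads and Temp), the driver path under System32\drivers, and the use of the DNS client cache are assumptions; the artifact names come from the article.

```powershell
# Added Teramind artifact triage (example code, not from the article or vendor).
# Presence of these artifacts is NOT proof of compromise: Teramind is legitimate
# software and may be deployed by your own organization. Compare every finding
# against your asset inventory. Run in an elevated PowerShell 5.1+ session.

$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Services named by the researchers, plus the recovery (failure-action)
#    settings that make them restart automatically, i.e. the persistence mechanism.
foreach ($svc in 'tsvchst', 'pmon') {
    $s = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'"
    if ($s) {
        $findings.Add("Service $($s.Name): State=$($s.State) StartMode=$($s.StartMode) Path=$($s.PathName)")
        # sc.exe qfailure prints the configured failure actions for the service
        $recovery = (sc.exe qfailure $svc) -join ' '
        if ($recovery -match 'RESTART') {
            $findings.Add("Service $svc is configured to restart on failure")
        }
    }
}

# 2. Kernel drivers named by the researchers: loaded driver objects and files on disk.
#    Matching on PathName avoids guessing the driver service names.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match 'tm_filter\.sys|tmfsdrv2\.sys' } |
    ForEach-Object { $findings.Add("Driver $($_.Name): State=$($_.State) Path=$($_.PathName)") }
foreach ($drv in 'tm_filter.sys', 'tmfsdrv2.sys') {
    $file = Join-Path $env:SystemRoot "System32\drivers\$drv"   # assumed location
    if (Test-Path $file) {
        $sig = Get-AuthenticodeSignature -FilePath $file
        $findings.Add("Driver file $file present, signer=$($sig.SignerCertificate.Subject)")
    }
}

# 3. GUID-named directory under ProgramData. Many legitimate products also use
#    GUID directories, so report sample contents for the analyst instead of
#    flagging on the name alone.
$guidRe = '^\{?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\}?$'
Get-ChildItem -Path $env:ProgramData -Directory |
    Where-Object { $_.Name -match $guidRe } |
    ForEach-Object {
        $sample = (Get-ChildItem -Path $_.FullName -Recurse -Include *.exe, *.dll, *.sys |
                   Select-Object -First 5 -ExpandProperty Name) -join ','
        $findings.Add("GUID-named ProgramData dir $($_.FullName) (sample files: $sample)")
    }

# 4. Dropped installer: the instance ID is carried as a 40-character hex string
#    in the installer filename. Search locations are an assumption.
$hexRe = '[0-9a-fA-F]{40}'
foreach ($dir in (Join-Path $env:USERPROFILE 'Downloads'), $env:TEMP) {
    Get-ChildItem -Path $dir -Filter *.msi -Recurse | ForEach-Object {
        if ($_.Name -match $hexRe) {
            $findings.Add("Installer $($_.FullName) carries instance ID $($Matches[0])")
        }
    }
}

# 5. Landing-page domains from the article, as seen in the local DNS client
#    cache (only recent lookups survive here; check proxy/DNS logs for history).
Get-DnsClientCache |
    Where-Object { $_.Entry -match 'uswebzoomus|googlemeetinterview' } |
    ForEach-Object { $findings.Add("DNS cache entry for $($_.Entry) -> $($_.Data)") }

if ($findings.Count -eq 0) { 'No Teramind artifacts found.' } else { $findings }
```

Run it per host or push it through your EDR's remote-shell capability; the hex string recovered in step 4 is worth pivoting on, since every victim enrolled into the same attacker instance will carry the same value, and the restart-on-failure configuration from step 1 is why simply stopping the services is not remediation.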
