Zoom Stealer Browser Extensions Harvest Corporate Meeting Intelligence
A newly discovered campaign, which researchers call Zoom Stealer, is affecting 2.2 million Chrome, Firefox, and Microsoft Edge users through 18 extensions that collect online meeting-related data like URLs, IDs, topics, descriptions, and embedded passwords.
Zoom Stealer is one of three browser extension campaigns that reached more than 7.8 million users over seven years and are attributed to a single threat actor tracked as DarkSpectre.
Based on the infrastructure used, DarkSpectre is believed to be the same China-linked threat actor behind the previously documented GhostPoster campaign, which targeted Firefox users, and ShadyPanda, which delivered spyware payloads to Chrome and Edge users.
ShadyPanda remains active through 9 extensions and an additional 85 'sleepers' that build a user base before turning malicious via updates, researchers at supply-chain security company Koi Security say.
Although a China connection had been noted before, attribution is now clearer, based on hosting servers on Alibaba Cloud, ICP registrations, code artifacts containing Chinese-language strings and comments, activity patterns that match the Chinese time zone, and monetization tuned to Chinese e-commerce.
Not all 18 extensions in the Zoom Stealer campaign are meeting-related; some are video downloaders or recording assistants, such as Chrome Audio Capture, with 800,000 installations, and Twitter X Video Downloader. Both were still available on the Chrome Web Store at publishing time.
Koi Security researchers note that the extensions are all functional and work as advertised.
According to the researchers, all extensions in the Zoom Stealer campaign request access to 28 video-conferencing platforms (e.g., Zoom, Microsoft Teams, Google Meet, and Cisco WebEx) and collect the following data:
This data is exfiltrated via WebSocket connections and streamed to the threat actors in real time. This activity is triggered when victims visit webinar registration pages, join meetings, or navigate conferencing platforms.
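The behaviour described above (extensions whose declared permissions or content scripts reach many video-conferencing platforms) can be triaged statically from an extension's manifest.json. The script below is an added example written for this page; it is not code from the article or from Koi Security. The domain list covers only the four platforms the article names (the campaign requests access to 28), the flagging threshold is an arbitrary constructed value, and the three manifests are constructed samples, not real extensions.

```python
"""Triage browser-extension manifests for broad video-conferencing access.

Added example, not code from the original article or from Koi Security.
"""
import json

# Constructed, partial list: the article names these four platforms; the real
# campaign requests access to 28, so a production list would be longer.
CONFERENCING_DOMAINS = {
    "zoom.us": "Zoom",
    "teams.microsoft.com": "Microsoft Teams",
    "meet.google.com": "Google Meet",
    "webex.com": "Cisco WebEx",
}

# Constructed threshold: flag an extension that can reach this many platforms.
MIN_PLATFORMS = 3

# Match patterns that grant access to every site.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def pattern_host(pattern):
    """Return the host part of a Chrome match pattern, '*' for blanket access,
    or None for API permissions such as "tabs" that carry no URL."""
    if pattern in BROAD_PATTERNS:
        return "*"
    _, sep, rest = pattern.partition("://")
    if not sep:
        return None
    return rest.split("/", 1)[0].lower()


def host_covers_domain(host, domain):
    """True if the match-pattern host can reach pages on `domain`."""
    if host == "*":
        return True
    if host.startswith("*."):  # wildcard subdomain, e.g. *.zoom.us
        base = host[2:]
        return domain == base or domain.endswith("." + base)
    return host == domain or host.endswith("." + domain)


def collect_patterns(manifest):
    """Gather every URL pattern the extension declares (MV2 and MV3 layouts)."""
    patterns = list(manifest.get("permissions", []))
    patterns += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return [p for p in patterns if isinstance(p, str)]


def audit_manifest(manifest):
    """Report which conferencing platforms the manifest can reach and whether to flag it."""
    reached, broad = set(), False
    for pattern in collect_patterns(manifest):
        host = pattern_host(pattern)
        if host is None:
            continue
        if host == "*":
            broad = True
        for domain, name in CONFERENCING_DOMAINS.items():
            if host_covers_domain(host, domain):
                reached.add(name)
    return {
        "name": manifest.get("name", "<unnamed>"),
        "platforms": sorted(reached),
        "broad_host_access": broad,
        "flagged": broad or len(reached) >= MIN_PLATFORMS,
    }


def audit_manifests(manifests):
    """Audit a batch of manifests, keyed by extension name."""
    return {m.get("name", "<unnamed>"): audit_manifest(m) for m in manifests}


# Constructed sample manifests (hypothetical extensions, not the ones in the article).
SAMPLE_MANIFESTS = [
    {   # Narrowly scoped: one unrelated host, should not be flagged.
        "name": "Example Page Notes",
        "manifest_version": 3,
        "permissions": ["storage"],
        "host_permissions": ["https://notes.example.com/*"],
    },
    {   # Content script injected into several conferencing sites.
        "name": "Example Meeting Assistant",
        "manifest_version": 3,
        "permissions": ["storage", "tabs"],
        "content_scripts": [{
            "matches": ["*://*.zoom.us/*", "*://teams.microsoft.com/*",
                        "*://meet.google.com/*", "*://*.webex.com/*"],
            "js": ["content.js"],
        }],
    },
    {   # MV2 layout with blanket host access.
        "name": "Example Video Grabber",
        "manifest_version": 2,
        "permissions": ["<all_urls>", "downloads"],
    },
]

if __name__ == "__main__":
    print(json.dumps(audit_manifests(SAMPLE_MANIFESTS), indent=2))
```

This is a static check, so it only shows reach, not behaviour: the real-time WebSocket exfiltration the article describes is not visible in a manifest and needs proxy or endpoint network telemetry (outbound WebSocket connections from the browser to unfamiliar hosts while a meeting page is open) to confirm. The check also needs a current domain list; the article notes that an extension's stated purpose (audio capture, video download) says nothing about whether it also reaches conferencing sites.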
Koi Security says this data can be used for corporate espionage and sales intelligence, to support social engineering attacks, or even to sell meeting links to competitors.
Source: BleepingComputer