A threat actor successfully compromised a network by tricking a user into downloading a malicious file disguised as a Zoom installer. This initial access led to the deployment of BlackSuit ransomware across the environment in less than three days.
Initial Access Through Malicious Installer
The attack began when a user downloaded a malicious Microsoft Installer (.msi) package named Zoom-x64.msi, most likely delivered through search engine optimization (SEO) poisoning or malvertising. When executed, the installer ran a batch script, which in turn launched a PowerShell script. That script established persistence on the host by creating a scheduled task named MicrosoftEdgeUpdateTask, a name chosen to blend in with the scheduled tasks that Microsoft Edge's own updater registers; when reviewing such tasks, check what the task actually executes rather than trusting its name. To avoid raising the user's suspicion, the malware also launched a legitimate Zoom installer, so the victim saw what looked like a normal software installation.
Reconnaissance, Exfiltration, and Ransomware Deployment
Following the initial compromise, the threat actor used tools including ngrok.exe and anydesk.exe to establish remote access and command and control. Active Directory reconnaissance was conducted with AdFind.exe, and the actor moved laterally to other systems on the network over Remote Desktop Protocol (RDP). To obtain credentials, the attacker used procdump64.exe to dump the memory of the Local Security Authority Subsystem Service (LSASS). For defense evasion, the threat actor attempted to clear Windows Event Logs with wevtutil.exe and used BCDEdit commands to configure compromised systems to boot into Safe Mode with Networking, a step that keeps network connectivity available to the ransomware while security agents that are not registered to start in Safe Mode do not load. Before the final stage, the actor exfiltrated data from the network using the FileZilla application. The attack culminated in the deployment of BlackSuit ransomware, which encrypted files across the compromised environment.
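The behaviours described in the two sections above (the fake installer and the masquerading scheduled task, then the remote access tools, AdFind, the LSASS dump, log clearing and the Safe Mode boot change) map to a handful of process-creation detections. The following is an added example, not code from The DFIR Report or from the affected environment: it runs a small rule set over constructed process-creation records shaped like normalised Sysmon Event ID 1 fields. The host names (WS01, SRV01, FS01), the user name, every file path, the benign lookalike records and the ATT&CK technique labels are assumptions made for illustration; only the tool names, the task name and the MSI name come from the write-up.

```python
"""Hunt for the TTPs of the fake-Zoom / BlackSuit intrusion in process-creation
telemetry. Added example, not code from The DFIR Report: the event schema,
host and user names, paths and every sample record below are constructed."""
import ntpath
import re

I = re.IGNORECASE

# Constructed sample events shaped like normalised Sysmon Event ID 1 records.
# Hosts WS01/SRV01/FS01, user "alice" and all paths are assumptions.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\Zoom-x64.msi"'},
    {"host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\setup.bat"},
    {"host": "WS01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn MicrosoftEdgeUpdateTask /sc minute /mo 5 '
                r'/tr "powershell.exe -w hidden -f C:\Users\alice\AppData\Local\Temp\run.ps1"'},
    # Benign lookalike modelled on the real Edge updater task: similar name,
    # but the action is the updater binary under Program Files.
    {"host": "WS01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn MicrosoftEdgeUpdateTaskMachineUA /sc daily '
                r'/tr "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /ua"'},
    {"host": "WS01", "image": r"C:\Users\alice\AppData\Local\Temp\ngrok.exe",
     "cmdline": r"ngrok.exe tcp 3389"},
    {"host": "WS01", "image": r"C:\Users\alice\Music\AdFind.exe",
     "cmdline": r"AdFind.exe -f (objectcategory=computer) name operatingSystem"},
    {"host": "SRV01", "image": r"C:\Users\alice\Music\procdump64.exe",
     "cmdline": r"procdump64.exe -accepteula -ma lsass.exe C:\Users\alice\Music\lsass.dmp"},
    {"host": "FS01", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": r"wevtutil.exe cl Security"},
    {"host": "FS01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": r"bcdedit.exe /set {default} safeboot network"},
    {"host": "FS01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": r"bcdedit.exe /enum"},  # benign administrative use, must not fire
]


def _base(image):
    """Lower-cased file name of a Windows image path (ntpath works off-Windows)."""
    return ntpath.basename(image).lower()


# Each rule: (name, ATT&CK technique, predicate over one event).
RULES = [
    ("fake_zoom_msi", "T1204.002",
     lambda e: _base(e["image"]) == "msiexec.exe"
     and re.search(r"zoom-x64\.msi", e["cmdline"], I)),
    # Task name mimics Edge's updater; flag unless the action is the real updater.
    ("edge_update_task_masquerade", "T1053.005",
     lambda e: _base(e["image"]) == "schtasks.exe"
     and re.search(r"/create\b", e["cmdline"], I)
     and re.search(r"/tn\s+\S*MicrosoftEdgeUpdate", e["cmdline"], I)
     and not re.search(r"\\EdgeUpdate\\MicrosoftEdgeUpdate\.exe", e["cmdline"], I)),
    ("remote_access_tool", "T1219",
     lambda e: _base(e["image"]) in {"ngrok.exe", "anydesk.exe"}),
    ("adfind_recon", "T1018",
     lambda e: _base(e["image"]) == "adfind.exe"),
    ("lsass_dump_procdump", "T1003.001",
     lambda e: re.fullmatch(r"procdump(64)?\.exe", _base(e["image"]))
     and re.search(r"\blsass\b", e["cmdline"], I)),
    ("event_log_clear", "T1070.001",
     lambda e: _base(e["image"]) == "wevtutil.exe"
     and re.search(r"\s(cl|clear-log)(\s|$)", e["cmdline"], I)),
    ("safeboot_network", "T1562.009",
     lambda e: _base(e["image"]) == "bcdedit.exe"
     and re.search(r"/set\b.*\bsafeboot\s+network", e["cmdline"], I)),
]


def scan(events):
    """Return (host, rule, technique, cmdline) for every event a rule matches."""
    return [(e["host"], name, tech, e["cmdline"])
            for e in events for name, tech, pred in RULES if pred(e)]


def by_host(hits):
    """Group rule names per host, in event order, to expose the intrusion path."""
    chain = {}
    for host, name, _, _ in hits:
        chain.setdefault(host, []).append(name)
    return chain


def staged_for_ransomware(hits):
    """Hosts where logs were cleared and Safe Mode boot was configured: in this
    intrusion that pairing immediately preceded BlackSuit encryption."""
    return {h for h, names in by_host(hits).items()
            if {"event_log_clear", "safeboot_network"} <= set(names)}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for host, names in by_host(hits).items():
        print(f"{host}: {' -> '.join(names)}")
    print("escalate first:", sorted(staged_for_ransomware(hits)))
```

The masquerade rule shows the check the section recommends: the task name alone is not the signal, the mismatch between a Microsoft-looking name and a PowerShell action is, so the constructed record that registers the genuine updater does not fire. The last function exists because log clearing followed by a Safe Mode boot change is the point at which encryption is about to start; on the sample data it singles out FS01 for immediate isolation.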
Source: https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/