Ghost Calls Exploit Zoom and Microsoft Teams for C2

Ghost in the Machine: How Hackers Use “Ghost Calls” on Zoom and Teams to Control Malware

Video conferencing platforms like Zoom and Microsoft Teams have become the backbone of modern business communication. We trust them for meetings, collaborations, and daily check-ins. However, a new and stealthy cyberattack technique, dubbed “Ghost Calls,” is turning these trusted applications into a hidden backdoor for malicious actors.

This sophisticated threat doesn’t involve a hacker joining your meeting uninvited. Instead, it exploits the very foundation of these platforms—their Voice over IP (VoIP) functionality—to create a secret communication channel for malware that may already be on your system. Understanding this threat is the first step toward defending against it.

What Are “Ghost Calls”?

“Ghost Calls” are a novel cyberattack technique where malware establishes a hidden Command and Control (C2) channel by exploiting the VoIP features of popular communication platforms. Unlike a normal call, these connections are invisible to the user. There is no ringing, no pop-up notification, and no entry in your call history.

The malware, once it has infected a device, initiates a direct call to a device controlled by the attacker. Because this action is performed programmatically and bypasses the standard user interface, the victim remains completely unaware that their Zoom or Teams client is actively communicating with a malicious server. This turns the communication app into a perfect Trojan horse, using its legitimate network traffic to mask sinister activities.

How the Ghost Call Exploit Works

The attack unfolds in a few key stages, highlighting its stealthy and dangerous nature:

  1. Initial Compromise: First, a threat actor must infect the target’s computer with malware. This typically happens through traditional methods like phishing emails, malicious downloads, or other software vulnerabilities. The Ghost Call technique is not the initial entry point; it’s what happens after the system is compromised.

  2. Initiating the Covert Call: The malware on the infected machine then targets the locally installed Zoom or Teams client. It programmatically triggers a VoIP call to the attacker’s endpoint without alerting the user.

  3. Establishing a C2 Channel: Once the “ghost call” is connected, the attacker has a direct, real-time line of communication to the compromised device. This connection functions as a Command and Control (C2) channel, allowing the hacker to:

    • Send commands to the malware.
    • Exfiltrate sensitive data, such as documents, credentials, or keystrokes.
    • Deploy additional malware, like ransomware or spyware.

Because the communication is happening over a trusted application’s protocol, it can often slip past firewalls and basic security tools that are configured to allow traffic from Zoom and Teams.

Why This Is a Serious Security Risk

The Ghost Call technique represents a significant evolution in C2 tactics for several reasons:

  • Extreme Stealth: The primary danger lies in its invisibility. By operating without any user interface indicators, the attack can persist for a long time without detection, allowing attackers to quietly steal data or monitor activity.
  • Bypassing Network Security: Security teams expect traffic from Zoom and Teams. Firewalls and other network monitoring tools may be configured to trust this activity, making it difficult to distinguish a malicious Ghost Call from thousands of legitimate ones.
  • Massive Attack Surface: With hundreds of millions of people using these platforms daily, the number of potential targets is enormous. Any organization that relies on these tools is a potential victim.

How to Protect Your Organization from Ghost Calls

While the technique is sophisticated, it relies on a classic prerequisite: an initial malware infection. Therefore, protecting against Ghost Calls involves strengthening your fundamental security posture.

  • Reinforce Endpoint Security: This is your most critical line of defense. Ensure all devices are protected with a reputable, up-to-date antivirus (AV) and Endpoint Detection and Response (EDR) solution. These tools are designed to detect and block the initial malware infection before it can execute a Ghost Call.

  • Maintain Strict Application Updates: Both Zoom and Microsoft regularly release security patches. Keep your communication clients and all other software updated to close the vulnerabilities that malware often exploits for initial access. Enable automatic updates wherever possible.

  • Enhance Phishing Awareness Training: Since phishing is a primary vector for malware, continuously train employees to recognize and report suspicious emails, links, and attachments. A vigilant user is a powerful deterrent.

  • Monitor for Anomalous Network Activity: Security teams with the telemetry to do so should monitor outbound VoIP traffic for unusual patterns. A call initiated from a user’s machine to an unknown or untrusted endpoint, especially outside normal working hours, is a red flag even when the traffic comes from a legitimate application such as Zoom or Teams; allowing the application by name alone is not enough.

  • Implement the Principle of Least Privilege (PoLP): Users should not have administrative rights on their machines unless absolutely necessary. Restricting user permissions can prevent malware from being installed in the first place, stopping the attack chain before it even begins.
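One way to turn the "monitor for anomalous network activity" advice into a concrete check, as an added example that is not part of the original article or of any vendor tooling: it scores constructed flow records from conferencing clients against an assumed allowlist of vendor media ranges (a documentation range stands in as the placeholder) and assumed working hours, flagging calls to endpoints outside the allowlist and calls placed off-hours. The process names, hours and ranges are assumptions to be replaced with the organisation's own values.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed: the vendor-published media/TURN ranges the organisation trusts go here.
# 203.0.113.0/24 is a documentation range used purely as a placeholder.
KNOWN_MEDIA_NETS = [ip_network("203.0.113.0/24")]
# Assumed process names for the conferencing clients the article discusses.
CONFERENCING_PROCS = {"zoom.exe", "teams.exe", "ms-teams.exe"}
WORK_HOURS = range(8, 19)   # assumed 08:00-18:59 local time
WORK_DAYS = range(0, 5)     # Monday..Friday


def assess_flow(flow):
    """Return the reasons a conferencing-client flow looks anomalous.
    An empty list means nothing unusual. `flow` carries proc, dst, port, ts (ISO 8601)."""
    reasons = []
    if flow["proc"].lower() not in CONFERENCING_PROCS:
        return reasons  # only conferencing-client traffic is in scope here
    dst = ip_address(flow["dst"])
    if not any(dst in net for net in KNOWN_MEDIA_NETS):
        reasons.append("untrusted endpoint")
    ts = datetime.fromisoformat(flow["ts"])
    if ts.hour not in WORK_HOURS or ts.weekday() not in WORK_DAYS:
        reasons.append("off-hours")
    return reasons


def find_suspicious(flows):
    """Return (process, destination, reasons) for every flagged flow."""
    return [(f["proc"], f["dst"], r) for f in flows if (r := assess_flow(f))]


# Constructed sample flow records (not real telemetry); 2024-05-05 is a Sunday.
SAMPLE_FLOWS = [
    {"proc": "Zoom.exe", "dst": "203.0.113.10", "port": 8801, "ts": "2024-05-06T10:15:00"},  # normal
    {"proc": "Teams.exe", "dst": "198.51.100.7", "port": 3478, "ts": "2024-05-06T11:02:00"},  # unknown endpoint
    {"proc": "Zoom.exe", "dst": "203.0.113.20", "port": 8801, "ts": "2024-05-05T02:40:00"},  # Sunday 02:40
    {"proc": "chrome.exe", "dst": "198.51.100.9", "port": 443, "ts": "2024-05-06T11:05:00"},  # out of scope
    {"proc": "Teams.exe", "dst": "192.0.2.44", "port": 3478, "ts": "2024-05-07T23:30:00"},   # both reasons
]

if __name__ == "__main__":
    for proc, dst, reasons in find_suspicious(SAMPLE_FLOWS):
        print(f"{proc} -> {dst}: {', '.join(reasons)}")
```

In practice the allowlist should be refreshed from the vendors' published address lists, and a hit on both reasons at once is the case worth escalating first.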

The emergence of Ghost Calls is a stark reminder that cybercriminals are constantly innovating. By understanding how this threat works and implementing a multi-layered, defense-in-depth security strategy, you can ensure your communication tools remain assets for collaboration, not liabilities for your security.

Source: https://www.bleepingcomputer.com/news/security/new-ghost-calls-tactic-abuses-zoom-and-microsoft-teams-for-c2-operations/
