Zoom Installers Used to Spread WebMonitor RATZoom Installers Used to Spread WebMonitor RAT
Researchers warn the installers are legitimate but don't come from official sources of the Zoom app, including the Apple App Store and Google Play.
May 5, 2020
This story was updated on 5/4 to include comments from Zoom.
A newly discovered attack campaign is abusing Zoom installers to spread the RevCode WebMonitor RAT and exploit reliance on messaging apps to communicate and work remotely.
Trend Micro researchers who detected the attack say it resembles an early April campaign that leveraged Zoom installers to put a cryptocurrency miner on target devices. The WebMonitor RAT is spread using legitimate but malicious installers; those bundled with malware don't come from official sources that include Zoom's download center, the Apple App Store, or Google Play. Researchers note Zoom has been updated to version 5.0, which brings security and privacy changes.
An attack starts with someone downloading the malicious ZoomInstaller[.]exe from malicious sources, they explain, using ZoomInstaller[.]exe to refer to a file containing both a nonmalicious Zoom installer and the RevCode WebMonitor RAT. Because the system downloaded a legitimate Zoom application version – in this case, version 4.6 – users won't suspect foul play. However, their systems have been compromised with WebMonitor RAT, which lets attackers control affected devices and spy via keylogging, webcam streaming, or screen captures.
Many malware variants hide in legitimate applications, researchers say, and Zoom is not the only app used to deliver this kind of threats. In this case, attackers may have repackaged the legitimate installers with the WebMonitor RAT and rereleased them in malicious websites.
A Zoom spokesperson has provided the following statement about these findings: "We appreciate Trend Micro’s efforts to raise awareness regarding scenarios in which cybercriminals download a legitimate copy of Zoom, extract it from our installer and repackage it within a malicious installer that includes dangerous malware. Zoom users should only download Zoom through our legitimate distribution channels, including our website, the Google Play Store and the Apple App Store."
Read more details here.
A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19.
About the Author(s)
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023