Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

5/4/2020
01:55 PM
50%
50%

Zoom Installers Used to Spread WebMonitor RAT

Researchers warn the installers are legitimate but don't come from official sources of the Zoom app, including the Apple App Store and Google Play.

This story was updated on 5/4 to include comments from Zoom.

A newly discovered attack campaign is abusing Zoom installers to spread the RevCode WebMonitor RAT and exploit reliance on messaging apps to communicate and work remotely.

Trend Micro researchers who detected the attack say it resembles an early April campaign that leveraged Zoom installers to put a cryptocurrency miner on target devices. The WebMonitor RAT is spread using legitimate but malicious installers; those bundled with malware don't come from official sources that include Zoom's download center, the Apple App Store, or Google Play. Researchers note Zoom has been updated to version 5.0, which brings security and privacy changes.

An attack starts with someone downloading the malicious ZoomInstaller[.]exe from malicious sources, they explain, using ZoomInstaller[.]exe to refer to a file containing both a nonmalicious Zoom installer and the RevCode WebMonitor RAT. Because the system downloaded a legitimate Zoom application version – in this case, version 4.6 – users won't suspect foul play. However, their systems have been compromised with WebMonitor RAT, which lets attackers control affected devices and spy via keylogging, webcam streaming, or screen captures. 

Many malware variants hide in legitimate applications, researchers say, and Zoom is not the only app used to deliver this kind of threats. In this case, attackers may have repackaged the legitimate installers with the WebMonitor RAT and rereleased them in malicious websites.

A Zoom spokesperson has provided the following statement about these findings: "We appreciate Trend Micro’s efforts to raise awareness regarding scenarios in which cybercriminals download a legitimate copy of Zoom, extract it from our installer and repackage it within a malicious installer that includes dangerous malware. Zoom users should only download Zoom through our legitimate distribution channels, including our website, the Google Play Store and the Apple App Store."

Read more details here.  

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
5/11/2020 | 2:08:15 PM
Where did they get the Rat from?

The WebMonitor RAT is spread using legitimate but malicious installers; those bundled with malware don't come from official sources that include Zoom's download center, the Apple App Store, or Google Play.

Since the Zoom rep. posted that we should only download the installer from registered sources, where did they get the download from (was there a mention of the specific location), I was curious because this could have come from a legitimate site or their session could have been intercepted and someone sent information posing as Zoom.

Not sure, please advise.

Todd
ArcherPatten
50%
50%
ArcherPatten,
User Rank: Apprentice
5/10/2020 | 12:32:10 PM
Re: Thanks
i hope so
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I think the boss is bing watching '70s TV shows again!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5680
PUBLISHED: 2020-12-03
Improper input validation vulnerability in EC-CUBE versions from 3.0.5 to 3.0.18 allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified vector.
CVE-2020-5638
PUBLISHED: 2020-12-03
Cross-site scripting vulnerability in desknet's NEO (desknet's NEO Small License V5.5 R1.5 and earlier, and desknet's NEO Enterprise License V5.5 R1.5 and earlier) allows remote attackers to inject arbitrary script via unspecified vectors.
CVE-2020-5676
PUBLISHED: 2020-12-03
GROWI v4.1.3 and earlier allow remote attackers to obtain information which is not allowed to access via unspecified vectors.
CVE-2020-5677
PUBLISHED: 2020-12-03
Reflected cross-site scripting vulnerability in GROWI v4.0.0 and earlier allows remote attackers to inject arbitrary script via unspecified vectors.
CVE-2020-5678
PUBLISHED: 2020-12-03
Stored cross-site scripting vulnerability in GROWI v3.8.1 and earlier allows remote attackers to inject arbitrary script via unspecified vectors.