Hackers are finding all sorts of ways to compromise our systems while we work remotely, and much of that activity is coming through applications currently in demand, like videoconferencing and collaboration platforms.
Zoom has become one of the more popular platforms and hackers are taking notice — including leveraging Zoom installers to spread a cryptocurrency miner, reports cybersecurity solutions company Trend Micro.
The company said it spotted the attack in early April and recently encountered a similar attack with a different malware: RevCode WebMonitor RAT, detected by Trend Micro as Backdoor.Win32.REVCODE.THDBABO.
These Zoom installers are legitimate, but they’re coming bundled with malware from unofficial, malicious sources, according to Trend Micro.
The compromise starts with the user downloading the malicious file ZoomInstaller.exe from an unofficial source. Here, ZoomInstaller.exe refers to the file that bundles a non-malicious Zoom installer with the RevCode WebMonitor RAT.
When ZoomInstaller.exe runs, it drops a copy of itself named Zoom.exe, then starts notepad.exe and uses that process to run Zoom.exe.
The backdoor connects to the URL dabmaster[.]wm01[.]to and executes commands issued by a remote attacker, some of which are listed below (Trend Micro's malware report has the full list):
- Add, delete, and change files and registry information
- Close connections
- Get software and hardware information
- Get webcam drivers/snapshot
- Record audio and log keystrokes
- Start, suspend, and terminate processes and services
- Start/stop screen stream
- Start/stop Wireless Access Point
It also drops the file Zoom.vbs into the Windows User Startup folder to enable automatic execution at every system startup.
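The behaviours above (Zoom.exe launched through notepad.exe, Zoom.vbs written to the user's Startup folder, and a beacon to dabmaster[.]wm01[.]to) are the observables a responder would hunt for in endpoint telemetry. The following triage script is an added example, not Trend Micro's code or anything from the report; it runs over a handful of constructed Sysmon-style event records. The field names, the Temp drop location of Zoom.exe, and the destination port are assumptions and should be mapped to your own log pipeline.

```python
"""Triage helper for the trojanized Zoom installer described above.

Added example (not Trend Micro's code). It scans Sysmon-style event records
for the three behaviours the report describes:
  1. Zoom.exe started via notepad.exe   (process creation, parent = notepad.exe)
  2. Zoom.vbs written to the per-user Startup folder (file creation)
  3. an outbound connection to dabmaster.wm01.to (network connection)
Field names, the Temp drop path and the port are assumptions, not facts
from the report; adjust them to your telemetry.
"""
import re
from dataclasses import dataclass

C2_HOST = "dabmaster.wm01.to"  # written defanged in the report as dabmaster[.]wm01[.]to
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
    re.IGNORECASE,
)


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return a Finding if the event matches one of the report's indicators, else None."""
    kind = ev.get("event")
    if kind == "process_create":
        # Zoom.exe executed through notepad.exe: the launch chain in the report.
        if (_basename(ev.get("parent_image", "")) == "notepad.exe"
                and _basename(ev.get("image", "")) == "zoom.exe"):
            return Finding("zoom_via_notepad", ev["host"],
                           f"{ev['parent_image']} -> {ev['image']}")
    elif kind == "file_create":
        # Zoom.vbs dropped into the user Startup folder for persistence.
        target = ev.get("target", "")
        if _basename(target) == "zoom.vbs" and STARTUP_DIR_RE.search(target):
            return Finding("zoom_vbs_startup", ev["host"], target)
    elif kind == "network_connect":
        # Beacon to the RAT's command-and-control host (any image, any port).
        dest = ev.get("dest_host", "").lower().rstrip(".")
        if dest == C2_HOST:
            return Finding("revcode_c2", ev["host"],
                           f"{ev.get('image')} -> {dest}:{ev.get('dest_port')}")
    return None


def triage(events):
    """Run every event through check_event and keep the hits."""
    return [f for f in (check_event(e) for e in events) if f]


# Constructed sample telemetry: one infected host (WS01) plus benign noise (WS02).
SAMPLE_EVENTS = [
    {"event": "process_create", "host": "WS01",
     "image": r"C:\Users\alice\Downloads\ZoomInstaller.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event": "file_create", "host": "WS01",
     "image": r"C:\Users\alice\Downloads\ZoomInstaller.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\Zoom.exe"},   # drop path assumed
    {"event": "process_create", "host": "WS01",
     "image": r"C:\Users\alice\AppData\Local\Temp\Zoom.exe",
     "parent_image": r"C:\Windows\System32\notepad.exe"},
    {"event": "file_create", "host": "WS01",
     "image": r"C:\Users\alice\AppData\Local\Temp\Zoom.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zoom.vbs"},
    {"event": "network_connect", "host": "WS01",
     "image": r"C:\Users\alice\AppData\Local\Temp\Zoom.exe",
     "dest_host": "dabmaster.wm01.to", "dest_port": 443},        # port assumed
    # Benign: a genuine Zoom launch and an ordinary notepad session.
    {"event": "process_create", "host": "WS02",
     "image": r"C:\Users\bob\AppData\Roaming\Zoom\bin\Zoom.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event": "process_create", "host": "WS02",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event": "network_connect", "host": "WS02",
     "image": r"C:\Users\bob\AppData\Roaming\Zoom\bin\Zoom.exe",
     "dest_host": "zoom.us", "dest_port": 443},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The C2 rule keys on the destination host rather than the originating image on purpose: if the RAT ends up running inside notepad.exe rather than as a separate Zoom.exe process, the beacon still matches. The process rule, by contrast, is deliberately narrow (notepad.exe as parent of Zoom.exe) so that a legitimate Zoom launch from Explorer produces no finding.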
However, the malware will not proceed if it detects any of the following processes, which belong to debugging or security tools:
- aswidagent.exe
- avastsvc.exe
- avastui.exe
- avgsvc.exe
- avgui.exe
- avp.exe
- bdagent.exe
- bdwtxag.exe
- dwengine.exe
- mpcmdrun.exe
- msmpeng.exe
- nissrv.exe
- ollydbg.exe
- procexp.exe
- procexp64.exe
- procmon.exe
- procmon64.exe
- windbg.exe
It terminates itself when executed in the following virtual environments:
- Kernel-based Virtual Machine
- Microsoft Hypervisor
- Parallels Hypervisor
- VirtualBox
- VMware
- Xen Virtual Machine Manager
It also terminates itself if it finds a file name similar to any of the following:
- Malware
- Sample
- Sandbox
Because a legitimate Zoom application (version 4.6) is installed as well, the user sees nothing out of the ordinary. By then, however, the system has already been compromised.
Initial observation of the sample shows Fareit-like behavior. Further inspection, however, reveals that it is actually RevCode WebMonitor RAT, which certain groups were reportedly peddling in hacking forums as far back as mid-2017. The RAT lets threat actors take control of compromised devices and spy on them via keylogging, webcam streaming, or screen captures.
To help prevent this, IT admins and end users can practice these safety measures, says Trend Micro:
- Only download these platforms from trusted official sources like official app stores or the platform’s own download centers.
- Secure the platform. Most meeting platforms let users protect meetings with passwords. Users should also keep meeting details private and use waiting rooms, lobbies, and other available security features.
- Make sure everyone is using the latest software, as hackers try to exploit unpatched vulnerabilities.
- The company also recommends a multilayered cybersecurity solution package.