Hackers target remote workers with fake Zoom downloader

Cyberattackers have bundled a version of the popular video-conferencing software alongside a backdoor - but you can avoid it by being careful about where you download from.
Written by Danny Palmer, Senior Writer

The coronavirus pandemic and resulting lockdowns have led to a rise in remote working, meaning more people are using video-conferencing tools such as Zoom to communicate with colleagues, as well as socialise with friends.

But the need to work from home is something cyber criminals are attempting to take advantage of. Researchers at cybersecurity company Trend Micro have uncovered a new cyber-criminal campaign that exploits the current circumstances to trick remote workers into installing the RevCode WebMonitor RAT.

The researchers stress that the trojanised software doesn't come from Zoom's own download centre or any official app stores; rather, the downloads come from malicious third-party websites. It's likely that victims are drawn towards the infected downloads by malicious links sent in phishing emails and other messages.

Once the file is downloaded, it runs an installer that delivers the video-conferencing software, as well as executing the WebMonitor remote access tool.

The installation of the malicious tool on compromised Windows systems gives attackers a backdoor that allows remote observation of almost any activity that takes place on the machine. That includes keylogging, recording webcam streams and taking screenshots, all of which can be used to steal sensitive personal information.

However, WebMonitor terminates itself if it detects that it is running in a virtual environment, a defensive measure intended to prevent discovery and examination by security researchers. The RAT has been available on underground forums since mid-2017, but the commodity tool is still proving to be successful.

In this case, bundling the RAT with a working version of Zoom is a means of avoiding the user's suspicion: if they installed the software and it didn't work, they might suspect something was wrong.

But there's still a tell-tale sign that there could be something suspect about the download: the malicious sites push Zoom version 4.6, while the official Zoom software is now at version 5.0, so the version used in the attack is out of date.

Packaging malware inside a downloader for legitimate software is a regular tactic for cyber criminals, and Zoom is far from the only application that has been used this way, but attackers are increasingly turning to it because of how popular it has become in recent months.

The best way users can avoid falling victim to this kind of attack is to download installers only from official sources. If you're sent a link to download an app, it's best to visit the official website and download it yourself rather than following the link.
