Backdoor, Devil Shadow Botnet Hidden in Fake Zoom Installers

By Raphael Centeno and Llallum Victoria


With additional insights from Bren Matthew Ebriega


Cybercriminals are taking advantage of “the new normal” — involving employees’ remote working conditions and the popularity of user-friendly online tools — by abusing and spoofing popular legitimate applications to infect systems with malicious routines. We found two malware files that pose as Zoom installers but, when decoded, contain the malware code. These malicious fake installers do not come from Zoom’s official distribution channels. One of the samples installs a backdoor that allows malicious actors to run malicious routines remotely, while the other sample installs the Devil Shadow botnet on the device.



Figure 1. The malicious installers are significantly larger in file size compared to the legitimate Zoom installer.


It is possible that cybercriminals will also take advantage of other video conferencing apps to bundle malware. Because of this, we are closely monitoring other platforms, routines, and samples for signs of tampering and bundling as well. To avoid infection from these malicious fake installers, only download Zoom or any application from trusted sources, including the Google Play store, the Apple App store and https://zoom.us/download.

Fake installer bundles backdoor with remote access capabilities


We found a sample of a fake Zoom installer bundled with backdoor capabilities. Comparing the malicious installer and the dropped legitimate copy with the legitimate installer from the official Zoom site, the dropped file’s properties are closer to the official version. The malicious installer is an executable that contains a number of encrypted files, and will decrypt the malicious version to write into a file (%User Temp%oom Meet ..
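The comparison described above (size, file properties, and how close a file is to the official build) can be turned into a routine pre-install check. The PowerShell function below is an added example written for this article; it is not code from the original post or from Trend Micro. It assumes an administrator keeps a copy downloaded directly from https://zoom.us/download as the trusted baseline, and it treats a candidate installer as suspicious when it is markedly larger than that baseline (the 10% threshold is an assumption), when its SHA-256 differs, or when its Authenticode signature is missing, invalid, or from a different signer. The function name and the paths in the usage line are placeholders.

```powershell
# Added example (not from the original post): compare a downloaded Zoom
# installer against a trusted copy obtained directly from https://zoom.us/download.
function Test-InstallerBaseline {
    param(
        [Parameter(Mandatory = $true)][string]$Candidate,   # file to be vetted
        [Parameter(Mandatory = $true)][string]$Trusted,     # known-good installer
        [double]$MaxSizeRatio = 1.10   # assumption: >10% larger than baseline is suspicious
    )

    $findings = @()

    $candItem  = Get-Item -LiteralPath $Candidate
    $trustItem = Get-Item -LiteralPath $Trusted

    # 1. Size check: an installer that wraps extra (encrypted) payloads is
    #    noticeably larger than the legitimate one, as in Figure 1.
    $ratio = $candItem.Length / $trustItem.Length
    if ($ratio -gt $MaxSizeRatio) {
        $findings += ("Size {0:N0} bytes is {1:P0} of the trusted installer ({2:N0} bytes)" -f `
            $candItem.Length, $ratio, $trustItem.Length)
    }

    # 2. Hash check: any byte-level difference from the trusted copy.
    $candHash  = (Get-FileHash -LiteralPath $Candidate -Algorithm SHA256).Hash
    $trustHash = (Get-FileHash -LiteralPath $Trusted   -Algorithm SHA256).Hash
    if ($candHash -ne $trustHash) {
        $findings += "SHA-256 differs from trusted copy: $candHash vs $trustHash"
    }

    # 3. Signature check: the official installer carries a valid Authenticode
    #    signature; a wrapper executable is typically unsigned or signed by
    #    a different subject than the trusted copy.
    $candSig  = Get-AuthenticodeSignature -LiteralPath $Candidate
    $trustSig = Get-AuthenticodeSignature -LiteralPath $Trusted
    if ($candSig.Status -ne 'Valid') {
        $findings += "Authenticode status is '$($candSig.Status)' (expected Valid)"
    }
    elseif ($candSig.SignerCertificate.Subject -ne $trustSig.SignerCertificate.Subject) {
        $findings += "Signer '$($candSig.SignerCertificate.Subject)' does not match trusted signer '$($trustSig.SignerCertificate.Subject)'"
    }

    # Return a record that can be logged or fed into a ticketing workflow.
    [pscustomobject]@{
        Candidate  = $candItem.FullName
        Size       = $candItem.Length
        SizeRatio  = [math]::Round($ratio, 3)
        Sha256     = $candHash
        SigStatus  = $candSig.Status
        Signer     = $candSig.SignerCertificate.Subject
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings
    }
}

# Usage (placeholder paths):
# Test-InstallerBaseline -Candidate 'C:\Users\me\Downloads\ZoomInstaller.exe' `
#                        -Trusted   'C:\Baselines\ZoomInstaller-official.exe'
```

A hash mismatch on its own only says the candidate is not the same build as the baseline, so keep the trusted copy at the version you actually deploy; the size ratio and the signature status are the signals that distinguish a bundled wrapper from a merely newer official release. Files that come back as `Suspicious` should be quarantined and submitted for analysis rather than run.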
