WebMonitor RAT Bundled with Zoom Installer

By Raphael Centeno, Mc Justine De Guzman, and Augusto Remillano II


The coronavirus pandemic has highlighted the usefulness of communication apps for work-from-home (WFH) setups. However, as they always do, cybercriminals are expected to exploit popular trends and user behavior. We have witnessed threats against several messaging apps, including Zoom.


In early April, we spotted an attack leveraging Zoom installers to spread a cryptocurrency miner. We recently encountered a similar attack that drops a different malware: RevCode WebMonitor RAT (detected by Trend Micro as Backdoor.Win32.REVCODE.THDBABO).


Note that although the installers are legitimate, the ones bundled with malware do not come from official sources of the Zoom app like Zoom’s own download center or legitimate app stores such as the Apple App Store and Google Play Store. They instead come from malicious sources. We also note that the Zoom app has been updated to version 5.0.


Plenty of malware variants pose as legitimate applications to conceal their malicious intent. Zoom is not the only app used for this type of threat; many other apps have been abused in the same way. In this particular instance, cybercriminals may have repackaged the legitimate installers with WebMonitor RAT and released these repackaged installers on malicious sites.


Observations


The compromise starts with the user downloading the malicious file ZoomIntsaller.exe from malicious sources. Here, ZoomInstaller.exe refers to the file that contains the combination of a non-malicious Zoom installer and RevCode WebMonitor RAT.
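The repackaged file described above is a single executable that carries both a legitimate installer and the RAT. One generic check a defender can run on a downloaded installer before trusting it is to parse the PE section table, measure how much data sits past the last declared section (the overlay), and look for additional executables embedded in that region. The following is an added example, not code from Trend Micro or from this post; it assumes a packing layout (payloads appended to the overlay) that the post does not describe for this specific sample, and the PE images it scans are constructed inline as test data rather than taken from any real installer.

```python
import struct

def build_sample_pe(section_payload: bytes, overlay: bytes = b"") -> bytes:
    """Construct a minimal PE32 image (constructed sample, not a real installer).

    Layout: 64-byte DOS header, "PE\\0\\0" signature, 20-byte COFF header with an
    empty optional header, one section header, the section's raw data, then any
    overlay bytes appended after the last declared section.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew -> PE signature at offset 64
    opt_size = 0                                   # optional header omitted; parser only needs its size
    raw_ptr = 64 + 4 + 20 + opt_size + 40          # section data follows the single section header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(section_payload), 0x1000,
                      len(section_payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + sec + section_payload + overlay

def pe_overlay(data: bytes) -> tuple[int, int]:
    """Return (overlay_offset, overlay_size) for a PE image.

    The overlay is everything after the highest PointerToRawData + SizeOfRawData
    across all section headers (or after the headers if no section has raw data).
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    sec_table = coff + 20 + opt_size
    end = sec_table + num_sections * 40
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return end, max(0, len(data) - end)

def find_embedded_executables(data: bytes, start: int = 0) -> list[int]:
    """Return absolute offsets of "MZ" headers whose e_lfanew points at "PE\\0\\0"."""
    hits = []
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew, = struct.unpack_from("<I", data, pos + 0x3C)
            sig = pos + e_lfanew
            if 0 < e_lfanew < len(data) and data[sig:sig + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def scan_installer(data: bytes, overlay_threshold: int = 0) -> dict:
    """Summarise overlay size and embedded executables; 'suspicious' flags a
    non-trivial overlay that itself contains a second PE image."""
    overlay_off, overlay_len = pe_overlay(data)
    embedded = find_embedded_executables(data, overlay_off) if overlay_len else []
    return {
        "overlay_offset": overlay_off,
        "overlay_size": overlay_len,
        "embedded_pe_offsets": embedded,
        "suspicious": overlay_len > overlay_threshold and bool(embedded),
    }

if __name__ == "__main__":
    clean = build_sample_pe(b"A" * 16)                       # constructed: no overlay
    inner = build_sample_pe(b"B" * 8)                        # constructed "payload" image
    bundled = build_sample_pe(b"A" * 16, overlay=inner + b"junk")
    print("clean:  ", scan_installer(clean))
    print("bundled:", scan_installer(bundled))
```

On a real download the same `scan_installer` call would be run against the file's bytes; a large overlay holding a second PE image is a strong reason to discard the file and fetch the installer from the vendor's own download center instead.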

