Zoomed In: A Look into a Coinminer Bundled with Zoom Installer


By Raphael Centeno and Llallum Victoria


Many companies around the world have transitioned to work-from-home arrangements because of growing concerns over the COVID-19 global health crisis. This new setup has highlighted the usefulness of video conferencing apps. These platforms have been utilized by companies and remote workforces to hold meetings and for other communication needs even long before the virus outbreak occurred. Unfortunately, cybercriminals are taking advantage of these tools’ recent time in the spotlight to spread malware.


We found a coinminer bundled with the legitimate installer of the video conferencing app Zoom. Users who set out to install the software instead unwittingly download a malicious file. The bundled installers do not come from Zoom's official download center; we assume they are distributed through fraudulent websites. We have been working with Zoom to ensure that they are able to communicate this to their users appropriately.




Figure 1. Code snippets of 64.exe (a coinminer) bundled with a Zoom installer


Analysis of the malicious file


Users who attempt to download the installer get more than they bargained for: what they actually download is the AutoIt-compiled malware Trojan.Win32.MOOZ.THCCABO. The files it drops include the following:


File                                                               Description
-----------------------------------------------------------------  ----------------------------------------------------
64.exe                                                             Detected as Coinminer.Win64.MOOZ.THCCABO
asacpiex.dll (first 5 bytes are NULL)                              Archive file containing Coinminer.Win64.MOOZ.THCCABO
CR_Debug_Log.txt (asacpiex.dll with the first 5 bytes replaced)    Archive file containing Coin ..
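The table shows a common dropper trick: the archive holding the miner is written to disk with its first 5 bytes zeroed (asacpiex.dll), so it does not carry a recognizable archive signature, and a second copy with those bytes written back (CR_Debug_Log.txt) is the working archive. The Python triage helper below is an added example, not code from this write-up or from the malware itself. The page does not say which archive format is used or which 5 bytes are restored, so the candidate signatures (ZIP, 7z, RAR) and the sample archive are assumptions constructed here; the helper generalizes to any file whose leading signature has been nulled.

```python
# Added example (not from the Trend Micro write-up or the malware): triage a dropped
# file whose first 5 bytes were nulled, as the table describes for asacpiex.dll, and
# try to recover a usable archive the way CR_Debug_Log.txt does. The page does not
# name the archive format or the replacement bytes, so the candidate signatures below
# are assumptions covering common Windows archive formats.
import io
import zipfile

NULL_PREFIX_LEN = 5  # the write-up: "first 5 bytes are NULL"

# Assumed 5-byte prefixes to try, keyed by format name.
CANDIDATES = {
    "zip": b"PK\x03\x04\x14",  # local file header signature + low byte of "version needed" (2.0)
    "7z": b"7z\xbc\xaf\x27",   # first 5 of the 6-byte 7z signature
    "rar": b"Rar!\x1a",        # first 5 bytes of the RAR4/RAR5 marker block
}


def has_nulled_header(data: bytes) -> bool:
    """True if data starts with 5 NUL bytes but is not simply an empty/zero blob."""
    return (
        len(data) > NULL_PREFIX_LEN
        and data[:NULL_PREFIX_LEN] == b"\x00" * NULL_PREFIX_LEN
        and any(data[NULL_PREFIX_LEN:])
    )


def _looks_valid(fmt: str, restored: bytes) -> bool:
    """Cheap structural check that the restored bytes really are the claimed format."""
    if fmt == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(restored)) as zf:
                # testzip() walks every entry and checks CRCs; None means all entries are intact
                return bool(zf.namelist()) and zf.testzip() is None
        except Exception:  # BadZipFile, zlib.error, struct errors on garbage input
            return False
    if fmt == "7z":
        return restored[5:6] == b"\x1c"  # remaining byte of the 7z signature
    if fmt == "rar":
        # RAR4 marker is Rar!\x1a\x07\x00, RAR5 marker is Rar!\x1a\x07\x01\x00
        return restored[5:7] == b"\x07\x00" or restored[5:8] == b"\x07\x01\x00"
    return False


def restore_header(data: bytes):
    """Return (format, restored_bytes) for the first candidate that validates, else (None, None)."""
    if not has_nulled_header(data):
        return None, None
    for fmt, magic in CANDIDATES.items():
        restored = magic + data[NULL_PREFIX_LEN:]
        if _looks_valid(fmt, restored):
            return fmt, restored
    return None, None


def zip_entries(restored: bytes) -> list:
    """Entry names inside a restored ZIP, i.e. what the dropper was hiding."""
    with zipfile.ZipFile(io.BytesIO(restored)) as zf:
        return zf.namelist()


def build_sample() -> bytes:
    """Constructed sample: a tiny ZIP standing in for the dropped archive, first 5 bytes nulled."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("64.exe", b"MZ placeholder, not a real miner binary")
    blob = buf.getvalue()
    return b"\x00" * NULL_PREFIX_LEN + blob[NULL_PREFIX_LEN:]


if __name__ == "__main__":
    sample = build_sample()
    fmt, fixed = restore_header(sample)
    print("nulled header:", has_nulled_header(sample))
    print("restored as:", fmt, "entries:", zip_entries(fixed) if fmt == "zip" else None)
```

The ZIP check is the strong one, because the central directory at the end of the file is untouched by the 5-byte damage and testzip() verifies every entry's CRC; the 7z and RAR checks only confirm the rest of the signature, so treat those as leads to hand to the real unpacker rather than proof. On a live sample, run restore_header over the nulled file and compare the result byte-for-byte with the repaired copy the dropper wrote to confirm which bytes the AutoIt script patches.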
