The coronavirus pandemic and resulting lockdowns have led to a rise in remote working, meaning more people are using video-conferencing tools such as Zoom to communicate with colleagues, as well as socialise with friends.
But cyber criminals are attempting to take advantage of the need to work from home, and researchers at cybersecurity company Trend Micro have uncovered a new campaign that exploits the current circumstances to trick remote workers into installing the RevCode WebMonitor RAT. The researchers stress that the tampered installer does not come from Zoom's own download centre or any official app store; the downloads come from malicious third-party websites. Victims are most likely drawn to the infected downloads by malicious links sent in phishing emails and other messages.

Once the file is downloaded, it runs an installer that delivers the legitimate video-conferencing software while also executing the WebMonitor remote access tool, so the victim sees Zoom install as expected and has no reason to suspect anything.
Installing the malicious tool on a compromised Windows system gives attackers a backdoor through which they can observe almost any activity on the machine, including keylogging, recording webcam streams and taking screenshots, all of which can be used to steal sensitive personal information. When the malicious file runs, it drops a copy of itself named Zoom.exe and opens a notepad.exe process in order to execute that Zoom.exe, a parent-child relationship worth hunting for, since a text editor has no legitimate reason to launch a Zoom binary.
Once executed, it connects to its remote command-and-control (C2) server, from which it can receive the following commands:
- Add, delete, and change files and registry information
- Close connections
- Get software and hardware information
- Get webcam drivers/snapshot
- Record audio and log keystrokes
- Start, suspend, and terminate processes and services
- Start/stop screen stream
- Start/stop Wireless Access Point
It also drops a file named Zoom.vbs in the Startup folder so that the malware runs automatically every time the system starts.
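The two behaviours described above, notepad.exe launching a Zoom.exe and a Zoom.vbs landing in a Startup folder, are easy to express as host-based hunting rules. The following is an added example written for this article, not code from Trend Micro or Zoom: it runs a few simple rules over constructed, Sysmon-style process-creation and file-creation records. The sample events, the "known Zoom install directory" paths and the rule logic are all assumptions made for the example.

```python
"""Hunt for the process chain and persistence the article describes.

Added example: the event records are constructed, Sysmon-style dictionaries,
not real telemetry, and the rules below are this example's own heuristics.
"""
import re

# Fragment common to the per-user and all-users Startup folders on Windows.
STARTUP_MARKER = "/start menu/programs/startup/"

# Where a legitimately installed Zoom client is assumed to live (assumption
# for this example; adjust to your environment's gold image).
KNOWN_ZOOM_PATH_RE = re.compile(
    r"(/appdata/roaming/zoom/bin/|^c:/program files( \(x86\))?/zoom/bin/)zoom\.exe$"
)


def normalize(path):
    """Lower-case and use forward slashes so comparisons are case/separator-insensitive."""
    return path.replace("\\", "/").lower()


def process_reasons(event):
    """Return reasons a ProcessCreate event looks like the article's Zoom.exe chain."""
    reasons = []
    if event.get("event") != "ProcessCreate":
        return reasons
    image = normalize(event["image"])
    parent = normalize(event.get("parent_image", ""))
    if image.endswith("/zoom.exe"):
        # notepad.exe being the parent of Zoom.exe is the chain the article describes.
        if parent.endswith("/notepad.exe"):
            reasons.append("Zoom.exe started by notepad.exe")
        # A dropped copy named Zoom.exe will not sit in the normal install directory.
        if not KNOWN_ZOOM_PATH_RE.search(image):
            reasons.append("Zoom.exe running outside a known Zoom install directory")
    return reasons


def file_reasons(event):
    """Return reasons a FileCreate event looks like the Zoom.vbs startup persistence."""
    reasons = []
    if event.get("event") != "FileCreate":
        return reasons
    target = normalize(event["target_filename"])
    if STARTUP_MARKER in target and target.endswith(".vbs"):
        reasons.append("VBScript dropped into a Startup folder")
    return reasons


def scan(events):
    """Run every rule over every event; return (event index, reason) pairs."""
    alerts = []
    for index, event in enumerate(events):
        for reason in process_reasons(event) + file_reasons(event):
            alerts.append((index, reason))
    return alerts


# Constructed sample telemetry: one benign Zoom launch, the article's
# notepad.exe -> Zoom.exe chain, the Zoom.vbs startup drop, and a benign .vbs.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate",
     "image": r"C:\Users\alice\AppData\Roaming\Zoom\bin\Zoom.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event": "ProcessCreate",
     "image": r"C:\Users\alice\Downloads\Zoom.exe",
     "parent_image": r"C:\Windows\System32\notepad.exe"},
    {"event": "FileCreate",
     "target_filename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                        r"\Start Menu\Programs\Startup\Zoom.vbs"},
    {"event": "FileCreate",
     "target_filename": r"C:\Users\alice\Documents\notes.vbs"},
]


if __name__ == "__main__":
    for index, reason in scan(SAMPLE_EVENTS):
        print(f"event {index}: {reason}")
```

Run against the constructed events, the benign launch from the Zoom install directory and the .vbs in Documents produce nothing, while the Downloads-path Zoom.exe spawned by notepad.exe and the Zoom.vbs in the Startup folder are flagged. In a real deployment the same rules would be fed from Sysmon event IDs 1 (process creation) and 11 (file creation) or the equivalent EDR telemetry.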
The malware is also capable of gathering the following information:
- Battery Information
- Computer Information
- Desktop Monitor Information
- Memory Information
- Network Adapter Configuration
- OS Information
- Processor Information
- Video Controller Information
The best way to avoid falling victim to this kind of attack is to download installers only from official sources. If you are sent a link to download an app, visit the vendor's official website and download it yourself rather than following the link, and check that the downloaded installer carries a valid digital signature from the vendor before running it.