Zoom Installers Used to Spread WebMonitor RAT

Researchers warn the installers are legitimate but don't come from official sources of the Zoom app, including the Apple App Store and Google Play.

Dark Reading Staff, Dark Reading

May 5, 2020

2 Min Read
Dark Reading logo in a gray background | Dark Reading

This story was updated on 5/4 to include comments from Zoom.

A newly discovered attack campaign is abusing Zoom installers to spread the RevCode WebMonitor RAT and exploit reliance on messaging apps to communicate and work remotely.

Trend Micro researchers who detected the attack say it resembles an early April campaign that leveraged Zoom installers to put a cryptocurrency miner on target devices. The WebMonitor RAT is spread using legitimate but malicious installers; those bundled with malware don't come from official sources that include Zoom's download center, the Apple App Store, or Google Play. Researchers note Zoom has been updated to version 5.0, which brings security and privacy changes.

An attack starts with someone downloading the malicious ZoomInstaller[.]exe from malicious sources, they explain, using ZoomInstaller[.]exe to refer to a file containing both a nonmalicious Zoom installer and the RevCode WebMonitor RAT. Because the system downloaded a legitimate Zoom application version – in this case, version 4.6 – users won't suspect foul play. However, their systems have been compromised with WebMonitor RAT, which lets attackers control affected devices and spy via keylogging, webcam streaming, or screen captures. 

Many malware variants hide in legitimate applications, researchers say, and Zoom is not the only app used to deliver this kind of threats. In this case, attackers may have repackaged the legitimate installers with the WebMonitor RAT and rereleased them in malicious websites.

A Zoom spokesperson has provided the following statement about these findings: "We appreciate Trend Micro’s efforts to raise awareness regarding scenarios in which cybercriminals download a legitimate copy of Zoom, extract it from our installer and repackage it within a malicious installer that includes dangerous malware. Zoom users should only download Zoom through our legitimate distribution channels, including our website, the Google Play Store and the Apple App Store."

Read more details here.  

_OMDIA_LOGO_Endorsement_Black.png

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights