Zoom Installers Used to Spread WebMonitor RAT

Researchers warn the installers are legitimate but don't come from official sources of the Zoom app, including the Apple App Store and Google Play.

Dark Reading Staff, Dark Reading

May 5, 2020

2 Min Read
Dark Reading logo in a gray background | Dark Reading

This story was updated on 5/4 to include comments from Zoom.

A newly discovered attack campaign is abusing Zoom installers to spread the RevCode WebMonitor RAT and exploit reliance on messaging apps to communicate and work remotely.

Trend Micro researchers who detected the attack say it resembles an early April campaign that leveraged Zoom installers to put a cryptocurrency miner on target devices. The WebMonitor RAT is spread using legitimate but malicious installers; those bundled with malware don't come from official sources that include Zoom's download center, the Apple App Store, or Google Play. Researchers note Zoom has been updated to version 5.0, which brings security and privacy changes.

An attack starts with someone downloading the malicious ZoomInstaller[.]exe from malicious sources, they explain, using ZoomInstaller[.]exe to refer to a file containing both a nonmalicious Zoom installer and the RevCode WebMonitor RAT. Because the system downloaded a legitimate Zoom application version – in this case, version 4.6 – users won't suspect foul play. However, their systems have been compromised with WebMonitor RAT, which lets attackers control affected devices and spy via keylogging, webcam streaming, or screen captures. 

Many malware variants hide in legitimate applications, researchers say, and Zoom is not the only app used to deliver this kind of threats. In this case, attackers may have repackaged the legitimate installers with the WebMonitor RAT and rereleased them in malicious websites.

A Zoom spokesperson has provided the following statement about these findings: "We appreciate Trend Micro’s efforts to raise awareness regarding scenarios in which cybercriminals download a legitimate copy of Zoom, extract it from our installer and repackage it within a malicious installer that includes dangerous malware. Zoom users should only download Zoom through our legitimate distribution channels, including our website, the Google Play Store and the Apple App Store."

Read more details here.  

_OMDIA_LOGO_Endorsement_Black.png

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

About the Author

Dark Reading Staff

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

See more from Dark Reading Staff
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Subscribe

You May Also Like

More Insights
Webinars
More Webinars
Events
More Events

Editor's Choice

Pegasus Spyware concept with binary code background
Endpoint Security
WhatsApp: NSO Group Operates Pegasus Spyware for CustomersWhatsApp: NSO Group Operates Pegasus Spyware for Customers
byJai Vijayan, Contributing Writer
Nov 18, 2024
4 Min Read
Laptop with Palo Alto networks logo
Cyberattacks & Data Breaches
Palo Alto Networks Patches Critical Zero-Day Firewall BugPalo Alto Networks Patches Critical Zero-Day Firewall Bug
byBecky Bracken, Senior Editor, Dark Reading
Nov 18, 2024
3 Min Read
ChatGPT, typed out on a screen
Сloud Security
ChatGPT Exposes Its Instructions, Knowledge & OS FilesChatGPT Exposes Its Instructions, Knowledge & OS Files
byNate Nelson, Contributing Writer
Nov 15, 2024
4 Min Read
Reports
More Reports
Webinars
More Webinars
White Papers
More Whitepapers
Events
More Events